Hi All,
A chap called Michael Grafnetter has created a brilliant PowerShell module, DSInternals, that checks the password hashes stored in Active Directory against a list of simple or common passwords.
This is a great way to find (and then discourage) obvious passwords: if a company is called Contoso, for example, you want to know who is using Contoso1 and the like.
Here’s how:
Download the software:
https://github.com/MichaelGrafnetter/DSInternals/releases/tag/v2.22
Copy the DSInternals directory to one of your PowerShell module directories, e.g. the system-wide or the per-user one:

```
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals
C:\Users\John\Documents\WindowsPowerShell\Modules\DSInternals
```
Launch Windows PowerShell.
(Optional) If you copied the module somewhere other than the module directories listed above, you have to import it manually with the Import-Module .\DSInternals\DSInternals.psd1 command (run from the directory you copied it to).
Next create a text file called passwords.txt and fill it with the passwords you'd like to scan for, one per line, for example:

```
Password
Password1
Contoso1
```
Then here's an example script (three lines; the trailing pipe on the second line continues onto the third).
First it builds an NT-hash dictionary from the password text file.
Then it pulls every account from the domain controller, in this case DC1, over directory replication. Note that Get-ADReplAccount uses the same replication protocol a DCSync attack does, so the account you run it as needs the Replicating Directory Changes All right (in practice, Domain Admin), and what comes back is every NT hash in the domain: run it from a secured admin workstation and don't leave the output lying around.
Then set -NamingContext to the distinguished name of the domain you want to scan, here dc=adatum,dc=com. This replicates the whole domain, not just one OU.
Finally Test-PasswordQuality compares the replicated hashes against the dictionary. -ShowPlainTextPasswords prints the matching dictionary word next to each account name (leave it off if the session is being transcribed or logged), and -IncludeDisabledAccounts checks disabled accounts as well as enabled ones.

```powershell
$dictionary = Get-Content passwords.txt | ConvertTo-NTHashDictionary
Get-ADReplAccount -All -Server DC1 -NamingContext 'dc=adatum,dc=com' |
    Test-PasswordQuality -WeakPasswordHashes $dictionary -ShowPlainTextPasswords -IncludeDisabledAccounts
```
Here's an example of the output:

```
Active Directory Password Quality Report
----------------------------------------

Passwords of these accounts are stored using reversible encryption:
  April
  Brad
  Don

LM hashes of passwords of these accounts are present:

These accounts have no password set:
  Guest
  nolan
  test

Passwords of these accounts have been found in the dictionary:
  adam    Pa$$w0rd
  peter   July2016

Historical passwords of these accounts have been found in the dictionary:
  april   Pa$$w0rd
  brad    Pa$$w0rd

These groups of accounts have the same passwords:
  Group 1:
    Aidan
    John
  Group 2:
    Joe
    JoeAdmin
    JoeVPN

These computer accounts have default passwords:
  LON-CL2$

Kerberos AES keys are missing from these accounts:
  Julian

Kerberos pre-authentication is not required for these accounts:
  Holly
  Chad

Only DES encryption is allowed to be used with these accounts:
  Holly
  Jorgen

These administrative accounts are allowed to be delegated to a service:
  Administrator
  April
  krbtgt

Passwords of these accounts will never expire:
  Administrator
  Guest

These accounts are not required to have a password:
  Guest
  Magnus
  Maria
```
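A hand-written passwords.txt only catches the guesses you thought of. The script below, added here as an example and not part of the original post or of the DSInternals project, goes one step further than the one above: it generates the company-name and season variants an attacker would try first (Contoso1, c0nt0$0!, Summer2016 and so on), hashes them once, and runs the same replication-and-test pipeline against them, writing the report to a file instead of printing matched passwords on screen. It assumes the DSInternals 2.x cmdlet and parameter names used on this page (ConvertTo-NTHashDictionary, Test-PasswordQuality -WeakPasswordHashes), the DC1 / dc=adatum,dc=com names from the page, that Test-PasswordQuality emits the report on the pipeline so Out-File can capture it, and an account that holds the Replicating Directory Changes All right. The base words, suffixes and report path are made up for the example.

```powershell
# Added example, not code from the original post or from DSInternals.
# Assumes DSInternals 2.x cmdlet/parameter names as used above, a DC called DC1
# for dc=adatum,dc=com, and an account with Replicating Directory Changes All.
Import-Module DSInternals

# Base words an attacker tries first: company/site names plus the usual suspects
# (constructed list for the example; tailor it to your organisation).
$bases = 'Contoso', 'Adatum', 'Password', 'Welcome', 'Summer', 'Winter', 'London'

# Suffixes users bolt on to satisfy length and complexity rules (also constructed).
$suffixes = '', '1', '12', '123', '!', '1!', '2016', '2017', '2016!', '2017!'

# Build candidates: original, lower, UPPER and a leet-speak variant, each with every suffix.
$candidates = foreach ($base in $bases) {
    $leet = $base.ToLower().Replace('a', '@').Replace('o', '0').Replace('s', '$').Replace('i', '1')
    $variants = @($base, $base.ToLower(), $base.ToUpper(), $leet) | Select-Object -Unique
    foreach ($v in $variants) {
        foreach ($s in $suffixes) { "$v$s" }
    }
}
$candidates = $candidates | Select-Object -Unique

# Keep the generated list so the report can be reproduced later.
# It contains only guesses, never anything read from AD.
$candidates | Set-Content -Path .\passwords-generated.txt

# Hash the guesses once; the comparison is NT hash against NT hash.
$dictionary = $candidates | ConvertTo-NTHashDictionary

# Report path (assumed for the example). Keep it somewhere only admins can read:
# the report names every account with a weak, shared or reversible password.
$reportPath = Join-Path $env:USERPROFILE 'Documents\adatum-password-quality.txt'

# Replicate the whole naming context and test it. -ShowPlainTextPasswords is
# deliberately left off so matched passwords never reach the console, a
# transcript or the report file; the account names are enough to act on.
Get-ADReplAccount -All -Server DC1 -NamingContext 'dc=adatum,dc=com' |
    Test-PasswordQuality -WeakPasswordHashes $dictionary -IncludeDisabledAccounts |
    Out-File -FilePath $reportPath -Encoding UTF8

Write-Host "Tested $($candidates.Count) candidate passwords; report written to $reportPath"
```

The generated list for seven base words and ten suffixes is a few hundred entries, which ConvertTo-NTHashDictionary turns into hashes in well under a second; the slow part is the replication, which is the same whatever the dictionary size, so there is no cost to being generous with base words. Remember the replicated hashes sit in memory for the lifetime of the PowerShell session, so close it when you are done.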