password

Auditing Active Directory Password Quality

Posted by robd on April 24, 2018
Active Directory, powershell / No Comments

Hi All,

A chap called Michael Grafnetter has created a brilliant PowerShell script to check password hashes in Active Directory against a list of simple or common passwords.

This is great to encourage users not to use obvious passwords, for example if a company is called Contoso then you’d want to encourage users not to use Contoso1 etc.

Here’s how:

Download the software:

https://github.com/MichaelGrafnetter/DSInternals/releases/tag/v2.22

Copy the DSInternals directory to your PowerShell modules directory, e.g.

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals
C:\Users\John\Documents\WindowsPowerShell\Modules\DSInternals.

Launch Windows PowerShell.
(Optional) If you copied the module to a different directory than advised in step 4, you have to manually import it using the Import-Module .\DSInternals\DSInternals.psd1 command.

Next create a text file called passwords.txt and fill it with passwords you’d like to scan for, example:

Password
Password1
Contoso1

Then here’s an example script:

First set the password txt file.

Then set the Domain Contoller, in this case DC1

Then set the distinguished name of the OU and sub OUs you can to scan:

Note ” and ‘ are not showing up properly,

$dictionary = Get-Content passwords.txt | ConvertTo-NTHashDictionary Get-ADReplAccount -All -Server DC1 -NamingContext ‘dc=adatum,dc=com’ | Test-PasswordQuality -WeakPasswordHashes $dictionary -ShowPlainTextPasswords -IncludeDisabledAccounts

$dictionary = Get-Content passwords.txt | ConvertTo-NTHashDictionary
Get-ADReplAccount -All -Server DC1 -NamingContext 'dc=adatum,dc=com' |
Test-PasswordQuality -WeakPasswordHashes $dictionary -ShowPlainTextPasswords -IncludeDisabledAccounts

Here’s an output:

Active Directory Password Quality Report
----------------------------------------
 
Passwords of these accounts are stored using reversible encryption:
  April
  Brad
  Don
 
LM hashes of passwords of these accounts are present:
 
These accounts have no password set:
  Guest
  nolan
  test
 
Passwords of these accounts have been found in the dictionary:
  adam                Pa$$w0rd
  peter               July2016
 
Historical passwords of these accounts have been found in the dictionary:
  april               Pa$$w0rd
  brad                Pa$$w0rd
 
These groups of accounts have the same passwords:
  Group 1:
    Aidan
    John
  Group 2:
    Joe
    JoeAdmin
    JoeVPN
 
These computer accounts have default passwords:
  LON-CL2$
 
Kerberos AES keys are missing from these accounts:
  Julian
 
Kerberos pre-authentication is not required for these accounts:
  Holly
  Chad
 
Only DES encryption is allowed to be used with these accounts:
  Holly
  Jorgen
 
These administrative accounts are allowed to be delegated to a service:
  Administrator
  April
  krbtgt
 
Passwords of these accounts will never expire:
  Administrator
  Guest
 
These accounts are not required to have a password:
  Guest
  Magnus
  Maria

Tags: , ,