8

Is there a way I can audit AD to check for a particular password?

We used to use a "standard" password for all new users (e.g. MyPa55word). I want to make sure this is no longer in use anywhere on our estate.

The only way I could think how to do this would be to either a) audit the directory somehow for any users with this password or b) set up a GP that specifically disallowed this password (ideally this would then prompt users to reset their password.)

Anyone have any tips on how I can approach this?

Ta,

Ben

  • I personally think you are taking the wrong approach. Instead of trying to see who is being bad, why not stop them from being bad by simply setting the 'User must change password at next logon' option for all newly created accounts? Surely this would be the easiest and most secure solution? – Bryan Feb 12 '10 at 20:12
  • The method Bryan suggests is there specifically to prevent your problem from ever cropping up. – John Gardeniers Feb 12 '10 at 21:53
  • Agreed for the future, but we're trying to fix an issue that has already happened. The problem with the "force user to change password at next logon" approach is that most of our users work remotely - changing passwords with users out of the office has caused us problems in the past. –  Feb 13 '10 at 20:44

7 Answers

8

There's no official way to view user passwords (it's possible, but you have to delve into ... security utilities). It's probably best to approach this from a password-age angle. It sounds as if you could compare the user creation date to the date the password was last changed, and if there's a match, toggle the 'password change on next login' field.

Kara Marfia
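The password-age comparison above, as an added example that is not part of the original answer. It assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 or later) and an account allowed to read all user objects; the five-minute tolerance is an assumption chosen to absorb clock and replication skew between whenCreated and pwdLastSet.

```powershell
# Added example (not from the original answer). Assumes the ActiveDirectory
# module is available and the caller can read every user object.
Import-Module ActiveDirectory

# A "standard" starter password that was never changed shows up as a
# PasswordLastSet timestamp within a few minutes of the account's creation.
# The tolerance is an assumption; tune it to your provisioning process.
$tolerance = New-TimeSpan -Minutes 5

$suspects = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties whenCreated, PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        # PasswordLastSet is $null when pwdLastSet is 0, i.e. a change is
        # already pending at next logon; those accounts need no action.
        $_.PasswordLastSet -ne $null -and
        (($_.PasswordLastSet - $_.whenCreated).Duration() -le $tolerance)
    }

$suspects |
    Select-Object SamAccountName, whenCreated, PasswordLastSet, PasswordNeverExpires |
    Sort-Object whenCreated |
    Format-Table -AutoSize

# Review the list first: service accounts that were never rotated will appear
# too, and forcing a change on them breaks whatever runs under them.
# When you are happy with the list, force a change at next logon:
#   $suspects | Set-ADUser -ChangePasswordAtLogon $true
```

This does not prove anyone still has the old password; it only finds accounts whose password has not changed since creation, which is the population worth checking. Accounts with PasswordNeverExpires set are listed explicitly because they are the ones a regular expiry policy will never catch.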
1

Create a share where you are asked for a password when doing net use. Then write a script that tries to map the share with all the usernames and the default password. This way no logon is necessary and you will not break the policy.

raerek
1

You should look at John the Ripper - it's a password cracking utility. You can run it in dictionary attack mode which takes a list of passwords from a text file. Your word list could consist of just your default password.

Should be quite fast, probably faster than the share + connect via password script proposed.

Christopher_G_Lewis
1

Here are a couple of ideas-- neither of them really very good (from the perspective that they might set off anti-virus or intrusion detection alarms):

  • You can dump the password hashes out of Active Directory and run a password cracker on them. Cain and Abel can do the cracking for you. You can get the hashes out with fgdump. Beware-- both of these utilities will probably set off alarm bells in your antivirus software.

  • You could write a simple script to iterate over the output of a user list, checking for valid passwords using the "NET USE" command. Use something like this:

    @echo off

    rem Destination path to "map" a "drive" to for password test
    set DESTPATH=\\SERVER\Share
    rem Drive letter used to "map" a "drive" to for password test
    SET DRIVE_LETTER=Q:

    rem NetBIOS domain name to test against
    set DOMAIN=DOMAIN

    rem File containing list of usernames, one per line
    SET USERLIST=userlist.txt

    rem Password to test
    SET PASSWORD=MyPa55word

    rem Output file
    SET OUTPUT=output.txt

    rem Every failed attempt counts as a bad password for that user, so check
    rem the domain's account lockout threshold before running this.

    if exist "%DRIVE_LETTER%\." goto _letter_used

    for /f %%i in (%USERLIST%) do (
        rem Output is suppressed; success is detected by the drive letter appearing.
        net use %DRIVE_LETTER% %DESTPATH% /USER:%DOMAIN%\%%i %PASSWORD% >nul 2>&1

        rem Redirect first so a password ending in a digit is not read as a file handle.
        if exist "%DRIVE_LETTER%\." (>>%OUTPUT% echo %%i password is %PASSWORD%)

        net use %DRIVE_LETTER% /d /y >nul 2>&1
    )

    goto end

    :_letter_used
    echo %DRIVE_LETTER% is already in use. Change it to a free drive letter and re-run.

    :end

Put the userlist into "userlist.txt" (one username per line), set the variables at the top of the script to refer to a path the user should be able to "map" a "drive" to, and make sure that the PC you're running it on doesn't have any other "drives" "mapped" to the destination server (since a Windows PC only allows one set of credentials to be used for SMB client connections to a given server at a time).

Like I said-- either method is probably not a great idea. >smile<

Evan Anderson
    if you dump the hashes, having set an account to have your default password, you'll know what the hash of it is and can just look for that can't you? – xenny Feb 12 '10 at 20:07
  • You sir, are a legend. I don't think I explained the question very well - but this is exactly what I needed. Was after a quick dump of everyone with this particular password so I could discretely get them to change them. Thanks a lot! –  Feb 13 '10 at 21:25
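The same "try the default password against every user" idea from the two answers above, as an added example that is not part of either answer. It uses an LDAP bind through PrincipalContext.ValidateCredentials instead of mapping a share, which removes the drive-letter juggling and the one-credential-set-per-server SMB restriction, and it checks the domain lockout threshold first, because every failed bind is a bad-password attempt against that account. It assumes a domain-joined machine with .NET 3.5 and the ActiveDirectory module, and a userlist.txt with one sAMAccountName per line; the domain name, password and file names are placeholders.

```powershell
# Added example (not from the original answers). Assumes a domain-joined host,
# .NET 3.5 or later and the ActiveDirectory module for the policy check.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
Import-Module ActiveDirectory

$Domain   = 'DOMAIN'          # placeholder: NetBIOS or DNS name of the domain
$Password = 'MyPa55word'      # the old "standard" password being hunted
$UserList = Get-Content .\userlist.txt | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -ne '' }

# Each failed bind increments badPwdCount for that user. With a lockout
# threshold of 1 this script would lock out everyone who has already changed
# their password, so refuse to run in that case. Fine-grained password
# policies (2008+) can set a different threshold per group; check those too.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.LockoutThreshold -eq 1) {
    throw "LockoutThreshold is 1; one failed bind per user would lock accounts."
}

$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
    [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)

$hits = foreach ($user in $UserList) {
    # ValidateCredentials binds to the directory as the user and returns
    # $true only when the password is correct. No share, no drive letter.
    if ($ctx.ValidateCredentials($user, $Password)) {
        $user
    }
}

$hits | Out-File -Encoding ASCII .\output.txt
"$(@($hits).Count) of $(@($UserList).Count) accounts still use the default password."
```

Both the successful and the failed binds show up as logon events on the domain controllers (and as a burst of bad-password counts), so tell whoever watches those logs before running it, and run it from a host they will recognise.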
0

You could try finding a way to script a logon attempt to a share or resource that will try that "standard" password for each user in a list, like a batch file approach, then log which ones were successful. But this would be a lot of work for a single audit if you're not a large business with a large number of accounts. There may be some gray hat security utilities out there, but I don't know how much you'd trust them.

You might be able to get a password auditing utility with a dictionary-based attack (l0phtcrack?) and use just your default password as a custom dictionary. That may make things faster and easier.

This gets dicey as these utilities are tools that help as much as hurt. Some malware scanners will flag them even if you're using them for legitimate purposes. Windows doesn't have much in the way of built-in password checking utilities for administrators, as it was set up specifically so that administrators can reset or blank passwords but not know what the "lost" or "forgotten" passwords were.

Bart Silverstrim
0

I would set Enforce password history to a high number (say 10) and either decrease my password age to 30 or script an expire password for all users. The next thing to do is look at service accounts and reset their passwords. If you have a large environment this will be painful (thus the new managed service accounts in 2008). I agree with Bart in that the utilities that can retrieve the password are often more trouble than they are worth. Hopefully you are in an environment where they will let you expire passwords at regular intervals in which case this password will certainly go away in time, as long as you have the password history set.

Jim B
0

I have used pwdump 6 in the past to dump password hashes.

Create an account ahead of time with the password. If users have used that same password, the password hash dumped out for those users should be the same. Just make sure you have permissions, as password hashes are sensitive: there are tools like rainbow tables, which are several GB in size and allow people to find the user's password from the hash.

Linux and Unix systems prevent rainbow tables as they often add salt to ensure the hash tables for one system cannot be used for a second system.

I worked at a company audited by a large firm; they suggested we stop providing common passwords when setting up users, as those users often also get group assignments, meaning someone knowing John Smith was starting could attempt to log on with the standard username for John Smith along with the standard password.

Mark

MarkL
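The reference-account comparison suggested in xenny's comment on Evan Anderson's answer and in the answer above, as an added example that is not part of either. NT hashes are unsalted MD4 over the UTF-16LE password, so two accounts with the same password have byte-identical NT hashes and no cracking is needed: dump the hashes, find the line for an account you set to the old password yourself, and list every other line with the same NT hash. It assumes a pwdump/fgdump-style text file (user:RID:LMhash:NThash:::) in hashes.txt and a reference account named pwcheck-ref; both names are placeholders.

```powershell
# Added example (not from the original answers). Assumes a pwdump-format dump
# in hashes.txt and a reference account set to the old password before dumping.
$DumpFile  = '.\hashes.txt'    # placeholder
$Reference = 'pwcheck-ref'     # placeholder: account created with MyPa55word

# Parse user:RID:LM:NT::: lines; anything shorter is ignored.
$entries = Get-Content $DumpFile | ForEach-Object {
    $f = $_ -split ':'
    if ($f.Count -ge 4) {
        New-Object PSObject -Property @{
            User = $f[0]
            Rid  = $f[1]
            LM   = $f[2].ToLower()
            NT   = $f[3].ToLower()
        }
    }
}

$ref = $entries | Where-Object { $_.User -eq $Reference }
if (-not $ref) { throw "Reference account '$Reference' not found in dump." }

# Unsalted NT hash: same password, same hash. Compare, do not crack.
$sameHash = $entries | Where-Object {
    $_.NT -eq $ref.NT -and $_.User -ne $Reference
}

$sameHash | Select-Object User, Rid | Sort-Object User | Format-Table -AutoSize
"$(@($sameHash).Count) accounts share the reference NT hash."

# The dump is as good as the passwords themselves for pass-the-hash attacks:
# keep it off network shares and delete it, and the reference account, when done.
```

The LM hash is deliberately not used for matching: on domains that still store it, it is case-insensitive and split into two halves, so it would also match passwords that differ only in case.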