For now, this is a high-level overview:
- Acquire your AD backup NTDS.dit and the SYSTEM registry hive (the hive holds the boot key needed to decrypt the hashes).
- Tidy up as you go: securely delete extracted hash files and working copies so no copies of the credential material are left behind.
- Extract the hashes using the 2014 version of libesedb and the latest esedbextract.py.
- Filter the accounts and hashes down to active user accounts that have not expired (drop disabled and expired accounts).
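The filtering step above, as an added example that is not part of the original page: it takes a pwdump-style hash file and a separately exported CSV of account metadata (both constructed here; the format of the real esedbextract.py output is not assumed) and keeps only enabled, non-expired user accounts. Disabled accounts are identified by the ACCOUNTDISABLE bit (0x0002) in userAccountControl, expiry by the accountExpires FILETIME, and machine accounts by the trailing `$` in the name. The hash values and account names are dummies.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Hash lines in pwdump style, user:RID:LMhash:NThash::: (constructed sample;
# the LM field is the well-known empty-LM value, the NT values are dummies)
HASH_DUMP = """\
alice:1104:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
bob:1105:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000002:::
carol:1106:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000003:::
dave:1107:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000004:::
host01$:1108:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000005:::
"""

# Account metadata as it might be exported from AD (constructed sample).
# userAccountControl is the UAC bit field; accountExpires is a Windows FILETIME
# (100 ns ticks since 1601-01-01), where 0 or INT64 max means "never expires".
ACCOUNT_STATUS_CSV = """\
sAMAccountName,userAccountControl,accountExpires
alice,512,0
bob,514,0
carol,512,130000000000000000
dave,512,9223372036854775807
host01$,4096,0
"""

ACCOUNTDISABLE = 0x0002                       # UAC flag: account is disabled
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}       # accountExpires sentinel values
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Fixed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc)
AUDIT_TIME = datetime(2020, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_hash_dump(text):
    """Map account name -> {rid, lm, nt} from pwdump-style lines."""
    records = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # blank or malformed line
        records[parts[0]] = {"rid": int(parts[1]), "lm": parts[2], "nt": parts[3]}
    return records


def parse_account_status(text):
    """Map account name -> {uac, expires} from the exported CSV."""
    status = {}
    for row in csv.DictReader(io.StringIO(text)):
        status[row["sAMAccountName"]] = {
            "uac": int(row["userAccountControl"]),
            "expires": int(row["accountExpires"]),
        }
    return status


def is_active_user(name, info, now):
    """True for enabled, unexpired user accounts (machine accounts end in '$')."""
    if name.endswith("$"):
        return False
    if info["uac"] & ACCOUNTDISABLE:
        return False
    if info["expires"] not in NEVER_EXPIRES and filetime_to_datetime(info["expires"]) <= now:
        return False
    return True


def filter_active(hash_text, status_text, now=AUDIT_TIME):
    """Return the pwdump lines for accounts that are in scope for the audit."""
    hashes = parse_hash_dump(hash_text)
    status = parse_account_status(status_text)
    kept = []
    for name, h in hashes.items():
        info = status.get(name)
        if info is None:
            continue  # no metadata for this account: leave it out rather than guess
        if is_active_user(name, info, now):
            kept.append(f"{name}:{h['rid']}:{h['lm']}:{h['nt']}:::")
    return kept


def active_account_names(now=AUDIT_TIME):
    """Account names kept from the constructed sample."""
    return [line.split(":")[0] for line in filter_active(HASH_DUMP, ACCOUNT_STATUS_CSV, now)]


if __name__ == "__main__":
    for line in filter_active(HASH_DUMP, ACCOUNT_STATUS_CSV):
        print(line)
```

With the sample data, bob is dropped as disabled (514 = 512 | 0x0002), carol as expired (her FILETIME falls in late 2012), and host01$ as a machine account, leaving alice and dave. Accounts with no metadata row are deliberately excluded rather than assumed active, so a mismatch between the two exports shows up as a smaller list instead of a silently wider audit.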
Once you have the list of accounts you want to crack, use John the Ripper:
- For the worst offenders, use the freely downloadable lists of the most common bad passwords, in NT format, with no rules.
- For slightly less bad offenders, add larger wordlists from previous breaches, such as rockyou.
- For the next tier, use a dictionary containing company names, usernames, etc., and start adding rules.
- For users who do at least make some effort to choose their own password, use a dictionary containing months, days, seasons, town names, countries, etc., with rules.
This should be as far as you need to go for a typical password audit. If you want to go further, for companies with higher risk profiles or smaller risk appetites, consider one or more of the following methods:
- Crack in LM mode and use the recovered passwords to build a new dictionary for NT mode.
- Larger dictionaries with harder rules.
- Incremental mode.
- Another tool, such as rainbow tables.
When your audit is over, run the list of cracked passwords through pipal to report on password usage and trends in the organisation.
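The reporting step above, as an added example rather than pipal itself or any code from the original page: it reads a plain list of cracked passwords (a constructed sample, not real data) and produces the kind of trend figures a pipal report gives, in the same order of interest to a defender: length distribution, character-class mix, how many end in digits, how many contain a year, month or season, and the most reused base words once trailing digits and symbols are stripped. The class names ("mixedalpha-num" and so on) follow pipal's style but are this example's own.

```python
import re
from collections import Counter

# Cracked passwords as written out by the audit (constructed sample, not real data)
CRACKED = """\
Summer2019
Password1
Welcome123
summer2019!
acme2019
Winter19
P@ssw0rd
letmein
qwerty
acme123
"""

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SEASONS = ["spring", "summer", "autumn", "winter"]
YEAR_RE = re.compile(r"(19|20)\d{2}")   # four-digit years only


def charset_class(pw):
    """Describe which character classes a password uses, pipal-style."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    if has_upper and has_lower:
        name = "mixedalpha"
    elif has_upper:
        name = "upperalpha"
    elif has_lower:
        name = "loweralpha"
    else:
        name = ""
    if has_digit:
        name = f"{name}-num" if name else "num"
    if has_special:
        name = f"{name}-special" if name else "special"
    return name


def base_word(pw):
    """Lower-case the password and strip leading/trailing non-letters (digits, symbols)."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def analyse(text):
    """Summarise a newline-separated list of cracked passwords."""
    pws = [p for p in text.splitlines() if p]
    total = len(pws)
    lengths = Counter(len(p) for p in pws)
    bases = Counter(b for b in (base_word(p) for p in pws) if b)
    lowered = [p.lower() for p in pws]
    return {
        "total": total,
        "avg_length": sum(len(p) for p in pws) / total,
        "length_counts": dict(lengths),
        "charset_counts": dict(Counter(charset_class(p) for p in pws)),
        "ends_with_digits_pct": round(100 * sum(1 for p in pws if re.search(r"\d+$", p)) / total, 1),
        "year_count": sum(1 for p in pws if YEAR_RE.search(p)),
        "month_count": sum(1 for p in lowered if any(m in p for m in MONTHS)),
        "season_count": sum(1 for p in lowered if any(s in p for s in SEASONS)),
        "top_base_words": bases.most_common(5),
    }


def sample_report():
    """Report for the constructed sample."""
    return analyse(CRACKED)


if __name__ == "__main__":
    report = sample_report()
    print(f"Total passwords: {report['total']}  average length: {report['avg_length']}")
    for length, count in sorted(report["length_counts"].items()):
        print(f"  length {length:2d}: {count}")
    print(f"Ending in digits: {report['ends_with_digits_pct']}%")
    print(f"Containing a year: {report['year_count']}, month: {report['month_count']}, "
          f"season: {report['season_count']}")
    print("Character classes:", report["charset_counts"])
    print("Top base words:", report["top_base_words"])
```

The base-word count is the figure that feeds back into the audit: a word such as the company name appearing at the top of the list is the justification for the company-name dictionary mentioned earlier, and the season and year counts show how much of the estate relies on the "Season+Year" pattern that the seasons-and-months dictionary with rules is designed to catch. Month matching is a substring test, so short names like "may" can over-count; pipal has the same limitation.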