AD Password Auditing Workflow

I'll come back in the future and add more detail on some of the below steps and useful powershell and bash scripts that can help to reduce effort, and password dictionary resources. I like to use docker for the linux work as it provides a means to access a known state environment in seconds with all the correct tools installed.

For now, this is a high level overview:

1. Acquire your AD backup NTDS.dit, and SYSTEM file.
2. Remember to tidy up files as you go, leave no trail.
3. Extract the hashes using 2014 version of libesedb and latest esedbextract.py.
4. Filter the accounts and hashes to only show active user accounts that have not expired.

Once you have the list of accounts you want to crack, use John the Ripper:

1. For the worst offenders, just use the worst password lists freely downloadable from the net, in NT format, and no rules.
2. For slightly less bad offenders, use more wordlists such as rockyou from previous breaches.
3. For more offenders, use a dictionary containing company names and usernames, etc. and start adding rules.
4. For users who do at least make some effort to choose their own password, use a dictionary containing months, days, seasons, town names, countries, etc. with rules.

This should be as far as you need to go for a typical password audit. If you want to go further for companies with higher risk profiles or smaller risk appetites, then consider using one or more of the following methods:

1. Crack in LM mode and use the output passwords to create a new dictionary for NT mode
2. Larger dictionaries with harder rules
3. Incremental mode
4. Another tool such as rainbow tables.

A future post will go into the elegance of rainbow tables and try to explain in simple terms how neat this solution is, plus describe the pros and cons. Watch this space.

When your audit is over, run the list of passwords through pipal to report on password usage and trends in the organisation.