Active Directory Password Health Analysis – Part 1

By Russel Van Tuyl

Active Directory (AD) is an essential part of a Microsoft domain. One of its core functions is to keep a record of every domain user account and that account's password, which is stored not in cleartext but as a one-way hash (the NT hash, an unsalted MD4 digest of the password).

One of the many objectives during a penetration test is to gain access to the AD ntds.dit database file, which contains the user account information and password hashes. We have previously written about downloading the ntds.dit file and subsequently extracting the password hashes from the recovered file.

Password Spraying

Having performed a multitude of penetration tests and social engineering engagements (e.g. phishing), we have recovered a plethora of user account passwords. It is common to see passwords such as Password123 or Summer2017.

This weakness is so well known to attackers that a technique called password spraying is routinely used to gain access to an account. Instead of trying a list of 100 candidate passwords against one account, a password spraying attack tries a single password against a list of 100 (or many more) user accounts.

This is effective because a single failed logon per account stays well below any sensible account lockout threshold: nobody gets locked out, no user notices anything, and a lone failure on its own rarely raises any alarm bells.

One caveat for the attacker is that failed logons against a large number of distinct accounts from the same source in a short window can be correlated to trigger an alert, and a mature security operations team will look for exactly that pattern. Even so, in a domain of any size there is a high probability that at least one account is currently using Summer2017.

The Risk of Giving Access

One of the many challenges businesses face today is that they are carrying an unknown, and often significant, amount of risk in their user accounts and passwords. These same accounts are used to access business-critical systems. To compound the risk, many businesses use multiple cloud-based applications that are reachable from anywhere on the Internet, so a single guessed password can give an attacker a doorway into the network or its data without ever touching the perimeter.

Password policy can be set in a Windows domain (through the Default Domain Policy or a fine-grained password policy) to ensure a user's password meets minimum requirements. The most common configuration we see is a minimum length of eight characters with the built-in complexity requirement enabled, which mandates characters from at least three of the following categories: uppercase letters, lowercase letters, digits, and non-alphanumeric characters (the official definition adds other Unicode letters as a fifth category), and forbids the password from containing the account name.

Active Directory Limitation

What AD does not do out of the box is evaluate a submitted password against a dictionary of common words or known-bad passwords. Password123 and Summer2017 both satisfy the eight-character length and the complexity requirement described above. Raising the minimum length to 12 characters helps only marginally: Password1234 is 12 characters long and passes as well.
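The following is an added example (not code from the post or from the ADPasswordHealth tool) that implements the rules of the "Password must meet complexity requirements" policy as Microsoft documents them, so you can see exactly why the passwords above are accepted. The samAccountName and display name used in the checks are made up for illustration; the minimum length is a separate policy setting and is passed in as a parameter.

```python
"""Windows password-complexity check, to show what it does and does not catch.

Added example, not code from the post. The complexity policy rejects a password
that contains the samAccountName (when that is 3+ characters) or any token of
the display name longer than two characters, and requires characters from at
least three of five categories. It has no dictionary at all.
"""
import re

# Delimiters the complexity check uses to split the display name into tokens:
# commas, periods, dashes, underscores, spaces, pound signs and tabs.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def character_categories(password):
    """Which of the five complexity categories the password draws from."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
        # Alphabetic characters that have no case, e.g. CJK scripts.
        "other_alpha": any(c.isalpha() and not c.isupper() and not c.islower()
                           for c in password),
    }


def windows_complexity_ok(password, sam_account_name="", display_name="", min_length=8):
    """True if the domain would accept the password under length + complexity policy."""
    if len(password) < min_length:
        return False
    lowered = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    for token in NAME_DELIMITERS.split(display_name):
        if len(token) > 2 and token.lower() in lowered:
            return False
    return sum(character_categories(password).values()) >= 3


if __name__ == "__main__":
    # Every password the post calls weak sails through; only the name checks and
    # the category count ever reject anything.
    for candidate in ("Password123", "Summer2017", "password123"):
        print(candidate, windows_complexity_ok(candidate))
    print("Password1234 at 12 chars:", windows_complexity_ok("Password1234", min_length=12))
    print("Summer2017 for Summer Doe:",
          windows_complexity_ok("Summer2017", "sdoe", "Summer Doe"))
```

The only rejections come from the category count (password123 uses two categories) and from the name checks (Summer Doe may not use Summer2017 because "Summer" is a display-name token longer than two characters). Nothing in the policy knows that "Password" or "Summer" is a dictionary word.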

Active Directory Password Health Analysis

One way to combat this problem is to proactively perform an Active Directory password health analysis.

This requires an administrator to first obtain a copy of the ntds.dit database (together with the SYSTEM registry hive, which holds the key needed to decrypt the stored hashes) and then extract the user account password hashes from it. The extracted NT hashes are then run through a password cracking tool such as Hashcat or John the Ripper.

In part 2 of this post, we will take a deeper technical dive into performing all the actions necessary. One thing to note here is that we aren't trying to crack every password; we are trying to remove the low-hanging fruit. The cracked results can then be evaluated to identify users who have a weak password.

A Deeper Look

ADPasswordHealth, a Python script, was created to automate analysis of the cracked passwords. Its README file has an extensive explanation of the tool and how to use it, complete with sample test data.

The following files are needed to use the ADPasswordHealth tool:

  • Extracted user account information from ntds.dit, in the output format of Impacket's secretsdump.py (e.g. secretsdump_example.ntds)
  • A list of cracked passwords (e.g. cracked_ntlm.txt)
  • [Optional] A list of words that are used to determine if a password is weak (e.g. password_rules.txt)
  • [Optional] A CSV file containing additional user account information exported from AD (e.g. Get-ADUser.csv)

An example execution of the script looks like this:

python ADPasswordHealth.py -J Examples/cracked_ntlm.txt -S Examples/secretsdump_example.ntds -A Examples/Get-ADUser.csv -O ./Examples/

The script checks each cracked password to determine whether it is weak by looking for a word from the rules list in the recovered password and by checking whether the password is shorter than eight characters. When the script is run with the -O flag and an output directory, two files are produced. The "-Data" file contains all of the correlated data in a single CSV that can be used for subsequent data manipulation, such as building pivot charts.

(Screenshot: sample -Data output file)

The second file, "-Metrics", contains the summary statistics from the analysis. This metric data is commonly used to quickly generate pie charts for reports on the results of the password cracking and analysis.

(Screenshot: sample -Metrics output file)
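To show what the correlation behind the -Data and -Metrics files involves, here is an added example (not the ADPasswordHealth tool's own code) that joins the two required inputs listed above: secretsdump-style account lines and a hashcat potfile of cracked NT hashes. It then applies a rules-word check and a length check, and it adds three checks a practitioner would want in the same pass: blank passwords, accounts that still have an LM hash stored, and identical hashes shared between accounts. The dump, the potfile, the rules words and the account names are all constructed; apart from the two well-known constants and the NT hash of "password", the hash values are placeholders, not real digests.

```python
"""Correlate secretsdump output with cracked hashes and score password health.

Added example, not the ADPasswordHealth tool's code. Joins Impacket secretsdump
lines (domain\\user:rid:lmhash:nthash:::) with a hashcat -m 1000 potfile
(nthash:plaintext), flags weak passwords and derives summary metrics.
"""
from collections import Counter

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "", i.e. LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed dump. 8846f7... is the real NT hash of "password"; every other
# non-constant hash is a placeholder. A password-history row and a machine
# account are included because real dumps contain them and they must be skipped.
SECRETSDUMP = """\
CORP\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:::
CORP\\asmith:1106:aad3b435b51404eeaad3b435b51404ee:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:::
CORP\\bjones:1107:f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6:b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2:::
CORP\\clee:1108:aad3b435b51404eeaad3b435b51404ee:c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3:::
CORP\\jdoe_history0:1105:aad3b435b51404eeaad3b435b51404ee:d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4:::
CORP\\WS01$:1200:aad3b435b51404eeaad3b435b51404ee:e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5:::
"""

# Constructed hashcat potfile. hashcat writes $HEX[...] when a plaintext holds
# ':' or non-printable bytes; this one decodes to "Passw0rd:1".
CRACKED = """\
8846f7eaee8fb117ad06bdd830b7586c:password
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:Summer2017
b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2:$HEX[50617373773072643a31]
"""

# Constructed stand-in for password_rules.txt, and the substitutions to undo first.
RULE_WORDS = ["password", "summer", "winter", "welcome", "corp"]
LEET = str.maketrans("0134$@!", "oieasai")


def decode_plain(value):
    """Undo hashcat's $HEX[...] encoding of awkward plaintexts."""
    if value.startswith("$HEX[") and value.endswith("]"):
        return bytes.fromhex(value[5:-1]).decode("utf-8", errors="replace")
    return value


def parse_cracked(text):
    """Map lowercase NT hash -> plaintext. Split once: the plaintext may contain ':'."""
    cracked = {}
    for line in text.splitlines():
        if ":" in line:
            nt, plain = line.split(":", 1)
            cracked[nt.strip().lower()] = decode_plain(plain)
    return cracked


def parse_secretsdump(text):
    """Yield current user accounts, skipping machine accounts and *_history* rows."""
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        domain, _, user = parts[0].rpartition("\\")
        if user.endswith("$") or "_history" in user:
            continue
        yield {"domain": domain, "user": user, "rid": parts[1],
               "lm": parts[2].lower(), "nt": parts[3].lower()}


def weak_reasons(password, rule_words, min_length=8):
    """Length check plus rules-word check after undoing common substitutions."""
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    normalized = password.lower().translate(LEET)
    reasons.extend("contains '%s'" % w for w in rule_words if w in normalized)
    return reasons


def analyze(dump_text, cracked_text, rule_words=RULE_WORDS):
    """Return (rows for a -Data style CSV, Counter of -Metrics style totals)."""
    cracked = parse_cracked(cracked_text)
    accounts = list(parse_secretsdump(dump_text))
    nt_counts = Counter(a["nt"] for a in accounts)  # same NT hash == same password
    rows, metrics = [], Counter(total=len(accounts))
    for a in accounts:
        row = dict(a, cracked=False, password="", weak=False, reasons="")
        reasons = []
        if a["nt"] == EMPTY_NT:
            row["cracked"] = True
            reasons.append("blank password")
            metrics["blank"] += 1
        elif a["nt"] in cracked:
            row["cracked"], row["password"] = True, cracked[a["nt"]]
            reasons.extend(weak_reasons(row["password"], rule_words))
        if a["lm"] != EMPTY_LM:
            reasons.append("LM hash stored")
            metrics["lm_present"] += 1
        if nt_counts[a["nt"]] > 1:
            reasons.append("hash shared by %d accounts" % nt_counts[a["nt"]])
            metrics["shared"] += 1
        row["weak"], row["reasons"] = bool(reasons), "; ".join(reasons)
        metrics["cracked"] += int(row["cracked"])
        metrics["weak"] += int(row["weak"])
        rows.append(row)
    return rows, metrics


if __name__ == "__main__":
    rows, metrics = analyze(SECRETSDUMP, CRACKED)
    print(dict(metrics))
```

The rows list is the shape of a -Data file (one dictionary per account, ready for csv.DictWriter) and the Counter is the shape of a -Metrics file. Two details matter in practice: the potfile must be split on the first colon only, since cracked plaintexts can themselves contain colons, and the `_history` and `$` rows must be dropped so that old passwords and computer accounts do not inflate the counts.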

Why Perform an Active Directory Password Health Analysis

Businesses can significantly reduce risk by proactively evaluating the health of the passwords their users have set. This is also a great opportunity to provide additional user education. Administrators should speak directly with users whose cracked password was found to be weak and discuss what makes a good password.

Please ensure this is done with a good attitude to provide positive reinforcement and to promote a good security culture.

Pro Tip: You might not want to tell the end user you know their entire password. This could freak them out. You might just say that a tool found part of their password to be weak.

Multi-Factor Authentication

Another strong recommendation is to require multi-factor authentication on every business application that is accessible from the Internet, and on internal business-critical systems as well. This limits the impact of a compromised password: an attacker who has sprayed or phished a valid password still lacks the second factor and should not be able to reach the system or its data.

Available Tools

There are commercial tools that evaluate a proposed password at the moment the user changes it, typically implemented as a password filter on the domain controllers, and reject it if it fails checks such as dictionary matching or passphrase enforcement. This closes the gap described above, since AD on its own has no dictionary.

In Closing

Active Directory holds very valuable information that can aid an attacker, such as the credentials used to access your business systems. Users commonly choose very weak passwords. Spend some time with the ADPasswordHealth tool to evaluate the health of your Windows domain and remove some of the low-hanging fruit. The output files can be used to communicate with both technical and executive staff about the health of the organization's user account passwords, and repeating the evaluation monthly makes trend analysis possible.

Stay tuned for part 2 as we take a deeper, more technical, dive into using ADPasswordHealth.

Download our white paper on the new NIST password guidelines.

Russel Van Tuyl is the managing consultant for security assessments at Sword & Shield Enterprise Security. His primary role is conducting network vulnerability assessments and penetration tests, but he also performs web application assessments, firewall configuration audits, wireless assessments, and social engineering.

He has more than 11 years of experience in the technical field in roles such as database design, field device support, help desk, IT asset management, programming, and information security.

