Active Directory Password Health Analysis – Part 2
By Ben Goodman
In Active Directory Password Health Analysis – Part 1, Russel Van Tuyl provided a background on Active Directory (AD) and its limitations in determining an organization’s password health. Russel also gave a high-level overview on the ADPasswordHealth python script, and its benefits in password health analysis.
In this post we’ll take a deeper dive into what the ADPasswordHealth script can do.
First, let’s do a quick recap of the script and its ability to automate the analysis of cracked passwords.
In order for the script to function, it needs two required files such as:
- Extracted User Account Information from the ntds.dit database file
- A list of cracked passwords in JohnTheRipper output format
There are optional files you can provide. Some new functionality has been added to the script since the writing of Part 1. The following arguments are optional when running the script:
- – R RULES, –rules RULES
- -A ADUSERINFO, –aduserinfo ADUSERINFO
- -N NUMBER, –number NUMBER
- -M, –metrics
- -E, –exclude
The –-pwned option is a new feature added after the release of Part 1. More details on this option will be available in Part 3.
ADPasswordHealth Python Script Requirements
When running the ADPasswordHealth python script using the required files, we can run the script as follows:
./ADPasswordHealth.py -J /root/Desktop/cracked_ntlm.txt -S /root/Desktop/secretsdump.ntds -O /root/Desktop
This script will, by default, output two CSV files; one with the “data” and the other with “metrics”. For more detail on what each CSV file contains, please refer to Part 1. In Part 2 we will discuss the optional flags of the ADPassword health script.
Now that we have recapped, let’s explain the useful options and features included in the script.
In Part 1, Russel covered the -A argument, also known as –aduserinfo, but it’s worth noting again.
In order to run this command, run the Get-ADUser Powershell cmdlet against all users in Active Directory, and export it in CSV format. Make sure the AD Powershell module is installed on your workstation (see here for installation instructions). An example command to run in Powershell is:
‘Get-ADUser -Filter * -Server acme.com -Properties SamAccountName,City, Department|Select-Object -Property SamAccountName,City,Department| Export-Csv -NoTypeInformation -Path C:\Get-ADUser.csv’
More details on Get-ADUser can be found at Microsoft here.
The ADPasswordHealth folder from Github uses a default list of weak passwords, but you may run into an instance in which you need to provide custom words specific to your organization. The -R, –rules option is meant for a custom list of words the script will use to flag weak passwords (i.e ‘Password123’ or ‘changeme’).
For example, let’s say you are a large medical firm, and as part of the password analysis you want to provide a list of common passwords they know their users may have, such as a company or industry name. You can take that list and run it as part of the python script to aid in determining who is using the “weak passwords”.
Once the script is run with the -R or –rules option, a column labeled “Password Health” has the word “weak” followed by the word you listed in the rules file. This aids with metrics, and the ability to pinpoint which users are using weak passwords based on a provided wordlist. In the below example, we are able to tell the specific number of users with the word “summer” in their password.
This option is for the password length you want the script to use to flag weak passwords. By default, the script will flag passwords less than 8 characters, but like the Rules option, your organization may have specific requirements for password length.
Once the script is executed, the data CSV file will output “Weak – Less than X” in the “Password Health” column. This essentially shows all passwords that were cracked that are less than 12 characters.
If the script is being used for reporting purposes for other departments or C-levels, this option removes the password hashes and cracked passwords from the output files.
Data Manipulation Using ADPasswordHealth
Finally, we will go over the ability to manipulate the data from the output files such as creating a pivot table or chart.
Depending on the number of users on your network, this may be beneficial to have a visual representation of the data in addition to the metrics that are generated from the script. We will use the ADPassHealth_20170910-135811-Data.csv, which can be found in the Examples directory, as an example.
Let’s say we have a scenario where a client wants to know the overall password health of their environment based on specific information, such as the number of accounts that are in a disabled and enabled status. This can be accomplished by going to the insert tab, and selecting the PivotTable icon. Next, make sure the Table/Range field is filled out with the Data.csv sheet. Finally, open the results in a new worksheet and select “OK”.
In the new worksheet a section named PivotTable Fields will appear to the right of the spreadsheet. To sort the data as decribed for our example scenario you will check the boxes then drag and drop the values in their respective areas as shown below:
Once the boxes have been selected and the values dragged to the required fields, the table will look like the example below:
It should be noted this is just one way to sort the data. Feel free to try other ways to find what best fits your organization’s needs.
One of the values we as consultants deliver is providing our clients with data sets and information they can use to improve the overall security posture of their organization. As mentioned in Part 1, Active Directory holds valuable information that can aid an attacker in accessing your business systems. The ADPasswordHealth script provides valuable assistance in improving the health of your Windows domain passwords.
Stay tuned for Part 3 of this blog that will go into details of the new –-pwned option
Ben Goodman is a Security Analyst at Sword & Shield Enterprise Security where he provides security consulting services to our clients. His duties include performing security assessments to include network vulnerability, penetration testing, web application, wireless testing, physical security, and social engineering for a diverse group of commercial and government clients.
Ben has more than eight years of diversified experience as a security consultant, systems administrator, and IT support technician working with companies in the retail, energy, and health care sectors.