• Stars
    star
    149
  • Rank 248,619 (Top 5 %)
  • Language
    PowerShell
  • License
    BSD 3-Clause "New...
  • Created almost 6 years ago
  • Updated 5 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Get insights into the actual strength and quality of passwords in Active Directory.

Get-bADpasswords

License PowerShell 3 | 4 | 5 Windows Server 2008 R2 | 2012 R2 | 2016 .NET Framework 4.5.1+ Visual Studio 2017

Get insights into the actual strength and quality of passwords in Active Directory.

Introduction

This module is able to compare password hashes of enabled Active Directory users against bad/weak/non-compliant passwords (e.g. hackers first guess in brute-force attacks).

  • Performs comparison against one or multiple wordlist(s).
    • This script does not transform input from the wordlists (such as transforming between upper/lower case). Each input from the wordlist is used as-is. Use other tools to generate more specialized wordlists if necessary. A PoC-script has been included (New-bADpasswordLists_EN.ps1) for basic wordlist generation.
  • Performs additional comparison against publicly leaked passwords, see acknowledgements below.
  • Performs password comparison against 'null' in the Active Directory (i.e. finds empty/null passwords).
  • Performs password comparison between users in the Active Directory (i.e. finds shared passwords).
  • Requires 'Domain Admin' privileges or similar, e.g. 'Domain Controller' or delegated Domain-level permissions for both "Replicating Directory Changes" and "Replicating Directory Changes All", to succesfully fetch passwords from the Active Directory database.
  • Choose a Domain Controller or a member server (will become a Tier 0 system) for executing the script, e.g. as a Scheduled Task.

picture

Dependencies

Microsoft Visual C++ Redistributable Package

Microsoft Visual C++ Redistributable Package is required by our PSI DLL. This DLL is reponsible for parsing the leaked-password binary file and performing comparisons against it. The source code for the DLL can be found here.

Installation step-by-step
  • Go to Microsoft Latest Supported Visual C++ Download.
  • Download and install the Visual Studio 2017 version of the Visual C++ Redistributable Package for your target platform:
    • For 32-bit systems: vc_redist.x86.exe
    • For 64-bit systems: vc_redist.x64.exe (recommended)
  • No restart required.

Microsoft .NET Framework 4.5.1+

Microsoft .NET Framework 4.5.1+ is required by the DSInternals 3.0 PowerShell module by Michael Grafnetter.

Installation step-by-step

Prerequisites

DSInternals 3.0 PowerShell Module

This module is used to query the Active Directory and fetch user information (SAM Account Name, E-mail, Password Hash, etc.). The source code for this module can be found here.

Installation step-by-step

Alternatively, you can install DSInternals 3.0 through PowerShellGet by running the following PowerShell command:

PS> Install-Module -Name DSInternals -Scope AllUsers

Leaked password list

This file contains a binary packed list of leaked password hashes from the PwnedPasswords list published by Troy Hunt. The file is too big (13.5 GB) for GitHub (max 25 MB), so we host it on our SharePoint instead.

Installation step-by-step
  • Go to Improsec Leaked Password List.
  • Download the leaked-passwords-v8.bin file:
    • SHA1: f4fe0b1cbbfd11bd6cd8fd4a28000cd61390104b.
  • Place the file in the ./Accessible/PasswordLists/ folder.

Installation

Installing this framework is as simple as downloading the entire respository. However, you have to manually configure the following:

  • Open 'Get-bADpasswords.ps1':
    • Navigate to the configuration-section and modify the variables to fit your needs, at least:
      • $domain_name
      • $naming_context
      • $mail_smtp
      • $mail_recipient
  • (Optional) Modify the wordlists at ./Accessible/PasswordLists/*.txt to your own liking.

Usage

Since the desired options has already been selected during the configuration part of the install-section, you can go ahead and run the script:

PS> ./Get-bADpassword.ps1

Authors

License

This project is licensed under the BSD 3-Clause License - see the LICENSE.md file for details

Acknowledgments