Overview
The latest version of the DSInternals PowerShell Module contains a new cmdlet called Test-PasswordQuality, which is a powerful yet easy to use tool for Active Directory password auditing. It can detect weak, duplicate, default, non-expiring or empty passwords and find accounts that are violating security best practices. All domain administrators can now audit Active Directory passwords on a regular basis, without any special knowledge.
Usage
The Test-PasswordQuality cmdlet accepts output of the Get-ADDBAccount and Get-ADReplAccount cmdlets, so both offline (ntds.dit) and online (DCSync) analysis can be done:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 |
Get-ADReplAccount -All -Server LON-DC1 -NamingContext "dc=adatum,dc=com" | Test-PasswordQuality -WeakPasswordHashesFile .\pwned-passwords-ntlm-ordered-by-count.txt -IncludeDisabledAccounts <# Sample output: Active Directory Password Quality Report ---------------------------------------- Passwords of these accounts are stored using reversible encryption: April Brad Don LM hashes of passwords of these accounts are present: These accounts have no password set: Guest nolan test Passwords of these accounts have been found in the dictionary: adam peter Historical passwords of these accounts have been found in the dictionary: april brad These groups of accounts have the same passwords: Group 1: Aidan John Group 2: Joe JoeAdmin JoeVPN These computer accounts have default passwords: LON-CL2$ Kerberos AES keys are missing from these accounts: Julian Kerberos pre-authentication is not required for these accounts: Holly Chad Only DES encryption is allowed to be used with these accounts: Holly Jorgen These administrative accounts are allowed to be delegated to a service: Administrator April krbtgt Passwords of these accounts will never expire: Administrator Guest These accounts are not required to have a password: Guest Magnus Maria #> |
Although the cmdlet output is formatted in a human readable fashion, it is still an object, whose properties can be accessed separately (e.g. $result.WeakPassword) to produce a desired output.
Credits
I would like to thank Jakob Heidelberg for his idea to use the DSInternals module for password auditing. A big thank you also goes to Ondrej Sevecek for sharing his comprehensive auditing tool called SAPHA, from which I borrowed ideas for a few tests.
Tags: Active Directory, PowerShell, Security
Get-ADReplAccount : Cannot set percent because PercentComplete cannot be greater than 100.
Parameter name: value
Actual value was 101.
At line:1 char:1
+ Get-ADReplAccount -All -Server dc-01 -NamingContext ” …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADReplAccount], PSArgumentOutOfRangeException
+ FullyQualifiedErrorId : ArgumentOutOfRange,DSInternals.PowerShell.Commands.GetADReplAccountCommand
Thank you for reporting this, Denis. See the progress at GitHub.
Hello Michael
thank you very much for sharing your great tools and informations! It’s really strange that Microsoft does not provide such tools by itself.
I’ve testet our password quality and we have a problem: for some tests, it’s very hard to guess which concrete problem the test is addressing. For example: “These administrative accounts are allowed to be delegated to a service”. Until today, I thought every Account can be delegated to a service – which is probably wrong.
It would be great if you could add some keywords or links to the different tests, so that we can study the background and plan the next steps.
Thanks a lot in advance,
kind regards,
Thomas
Hi Thomas, I admit that some some of those tests can only be understood by people with very deep AD knowledge. There is a good blog post about delegation written by a Microsoft employee. Also check out the Thycotic Weak Password Finder, which I have also programmed. It does the same tests as the Test-PasswordQuality cmdlet, is bundled with a nice list of common passwords and its reports contain simple explanations of the checks. Is there any other test you would like to know more about?
Hi Michael,
How large can the password list be for this, and would we be able to calculate a password list once to NT Hashes and then save the hashes for quicker future audits on the same server?
I’ve copied over the password list from your Weak Password Finder tool (which is very quick) and I’ve had the Test-PasswordQuality cmdlet running for around 20 mins without returning anything yet.
Thanks!
Craig
I haven’t implemented a way of serializing the hash table, because the calculation is very quick. The Test-PasswordQuality cmdlet should not run that long, even on large ADs. I think that I have tested it on a 30M list without any problems.
There might be a bug in the cmdlet. Do you have any updates on it?
Hi. After this test, I have users in the sections “LM hashes of passwords of these accounts are present:”. How do I fix the problem?
Dear Francois, you just change/reset their passwords.
This utility is very helpful. I would also love to have a way of serializing the NT Hashes so that it can be imported and exported easily.
I’m seeing an odd behavior when running it in a script. Ultimately am running:
$Results = Get-ADReplAccount -All -Server MyDC.company.com -NamingContext “DC=domain,dc=com” | Test-PasswordQuality -WeakPasswordHashes $dictionary -ShowPlainTextPasswords But I get weird issues/ errors:
Test-PasswordQuality : Item has already been added. Key in dictionary: ‘AusersSamAccountName’ Key being added: ‘AusersSamAccountName’
At line:1 char:191
+ … n,dc=com” | Test-PasswordQuality -WeakPasswordHashes $dictionary -Sho …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Test-PasswordQuality], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,DSInternals.PowerShell.Commands.TestPasswordQualityCommand
This user is not a duplicate that I can find…
Hi Micheal,
Sorry for the slow reply – I am running with a ~500MB password list and a 150 user AD, which is why it’s quite slow.
It still works well though, thanks!
Is there any way to use this excellent library with SHA-1 hashes, such as those available for download from haveibeenpwned.com?
https://haveibeenpwned.com/Passwords
If anyone else is interested in combining these forces (DSInternals and the Pwned Passwords DB), make your voice heard on this thread:
http://disq.us/p/1u1s1j3
https://www.troyhunt.com/pwned-passwords-v3-is-now-live/
Hi Hugh, I have recenlty filed a suggestion at HIBP’d UserVoice and the idea behind it was the same as yours – make DSInternals interoperable with HIBP. Feel free to vote for it.
Hi Michael,
Thanks for supplying this tool. I just downloaded from Github and installed. When I run the line $dictionary = Get-Content passwords. txt | ConvertTo-NTHashDictionary it seems to run for a while and then get the following error:
ConvertTo-NTHashDictionary : Cannot validate argument on parameter ‘Input’. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
At line:1 char:43 + $dictionary = Get-Content passwords.txt | ConvertTo-NTHashDictionary + ~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (:PSObject) [ConvertTo-NTHashDictionary], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,DSInternals.PowerShell.Commands.ConvertToNTHashDictionaryCommand I am afraid I am far from a PowerShell expert. I created a smaller passwords.txt file and then I did not get the error. What kind of work-around can I do to use a large file? The one I originally used is about 175MB and comes from the KnowBe4 Weak Password Test passwords file. It contains about 11 million passwords. I am running your powershell module on a virtual windows 2012 server. Do you think I just need to up the available memory?
i tried the script and working amazing. but my issue with -showpassword is not working. what i have to do ?
Hi Michael, I am facing one of the weird issue with the testpassword quality when it is ran against the complete domain we are not getting the outputs for weak passwords in dicitionary at all and histroical section is missing altogether in the report. DO you think there might be something missing in the way I am running it .
It is the same command which I am using to run it as above post.
Hi Michael, The v.3.4 release of dsinternals is amazing, especially the search improvements. My ‘regular’ search time went from 7h:30m to 27m (opening the HIBP NTLM file across a UNC share). It’s even faster with the ‘sortedfile’ switch: 52 seconds with the HIBP NTLM file local; only 1m20s across a UNC share. Wow!
Great, thx for info, Greg.
i am new to this tool. can you please let me know if i can run this tool in a production environment without getting user accounts lockouts?
Get-ADReplAccount -All -Server $dc -NamingContext $domain | Test-PasswordQuality -WeakPasswordHashes $dict -ShowPlainTextPasswords -IncludeDisabledAccounts
It replicates the entire AD DB and tests passwords against its own copy, so no lockouts, that’s the beauty of it.
thanks for the response!!! awesome tool..