Say you’re a blue teamer in an organisation of a few thousand people. Unless you’re in a kubernetized, SaaSified and cloudified startup, you’re likely to have an Active Directory running. An AD and its accounts are a prime target for attackers, so how do you go about insuring your assets are a bit safer? Eliminating weak passwords is a start.
AD accounts are a target
In a relatively modern enterprise setting, an AD serves as the backbone for any and all authentication. It has a central and powerful role in an organisation and it’s easy to see why penetration testers and attackers nearly always reach for them.
They’re often set up as the Identity Provider in an SSO paradigm. As a result, gaining access to an AD account generally allows access to other services available on the enterprise network or on the internet. Getting your hands on a Domain Admin account gives you greater power as it has large privileges over other assets (accounts, workstations, GPOs etc.).
Securing an AD and its accounts is an entire field of expertise, and cannot be condensed in a blog post. One small part of this field is making sure your users don’t get their accounts stolen.
To do that, you either:
- use mutli-factor authentication (MFA)
- try to enforce robust high-quality passwords
MFA greatly mitigates the risk of an account being stolen. Yet, large organisations are reluctant to adopt it. MFA requires changing the authentication process, and change is hard. Implementing organisation-wide MFA assumes that all members have access to some type of token, which is not necessarily true and sometimes hard to have. As a result, your organisation might still rely on good old password based authentication for its members. It might even force password rotation every few months.
By default, AD provides admins with the possibility of selecting complexity rules for user passwords :
- length rules (eg. password must be 10 characters or longer)
- required character cases rules (eg. password must contain at least one number and one special character)
- remembered passwords rules (eg. password must not be identical to one of the last 5 passwords)
This approach is less than ideal for the following reasons:
- “my-password1” is valid
- if password rotation is enabled, it’s highly likely users will keep the same radical in their password and simply change a suffix
So your organisation probably has scores of weak passwords. What do you do now?
Automated auditing for the win
The first step in eliminating weak passwords is knowing the weak passwords. To find the weakest passwords, you have to do some kind of password cracking attack.
Not everyone has access to a cluster of 448 Nvidia RTX 2080 with hashcat installed though. But that’s not a problem since a modern AD stores passwords on disk in NTLM hash format. For compatibility reasons, it also stores LM hashes by default. And both those hashes are rather quick to compute on a CPU.
It uses the excellent DSInternals module and can run multiple threads to accelerate the cracking process. It does require a dictionary however. I’ve used Mentalist to generate the dictionaries used in my attacks. You can use various wordlists as well.
I highly recommend running this tool on a machine separate from an actual Domain Controller, as it consumes a lot of CPU horsepower. It also makes sense to run this on a machine only accessible to trustworthy persons since the results will be written directly to disk.
Running an automated password audit regularly allows me to track the weakest passwords in my organisation and identify the points I need to spend time on during my next security awareness trainings.
Keeping tabs on the weakest passwords in your organisation can also be invaluable during incident response investigations.