Thursday, May 8, 2014

Starting an Active Directory Password Auditing Program

Introduction and Background

This post provides an overview of the systemic issue of weak password requirements within organizations, including a tutorial detailing steps to begin an enterprise Active Directory (AD) password auditing program. The goal of AD password auditing is to provide usable metrics and actionable insight to better assist organizations in strengthening their password policies, which in-turn raises their overall security posture. 

In our experience as consultants we assess many different types of networks, which vary by size, industry, complexity and age. However, one of the most common issues we find in need of improvement is passwords.

AD is commonly used as an authentication source for organizations. Users authenticate to AD to log into their workstations, to access email or VPNs, and to access internal web applications. As such, it is an extremely critical piece of most environments and of high value to attackers.

A corporate culture with an over-reliance on meeting the bare minimum requirements of compliance standards or other regulatory guidance has led to organizations implementing password policies that do not provide sufficient protection from attack.

Online Attacks Against Passwords

One of the primary ways weak password requirements affect an organization's security posture is by allowing users to choose passwords that can be brute-forced, or put more simply: guessed.

Passwords like Welcome1, Happy123 or Password1 are still in use today. Obtaining a list of users is not overly complex. Attempting historically weak passwords against the discovered users limits the number of authentication attempts, and often yields successful authentication results. 

Offline Attacks Against Passwords

AD does not store passwords themselves; it stores a hash of each password. If an attacker retrieves a password hash, he or she performs offline password attacks against the hash in an attempt to discover the plaintext value. The only factor keeping attackers from determining the plaintext behind the hash is the strength and complexity of the password. The advent of GPU-enabled password auditing programs has made it possible to calculate billions of password hash values per second.

Chances are, if your organization uses laptops and those laptops run the Windows operating system, user password hashes have been exposed to unknown entities. If your organization has not implemented multi-factor authentication for remote access, and the password hash is successfully "cracked," then an unauthorized entity may have direct access into your environment.

Why Audit AD?

Performing AD audits can help identify areas that need improvement in your organization's password policy. It can also show where passwords are re-used, or bring to light systemic failures to follow existing policies or guidelines. Performing AD password audits can also provide metrics that can be used to measure the success of password policy enhancement efforts.

Technical Steps and Tools


This tutorial assumes the user will use a Linux operating system with Python installed. Any virtual machine (e.g. VMware or VirtualBox) or live-boot instance of a current Linux distribution will do. For example, a popular IT security-centric Linux distribution is Kali Linux.

When referencing commands that should be entered in a prompt or terminal window the text will look like the sample below:
Hello World!

The following two packages should be installed on the system:

libesedb - Joachim Metz's library and scripts for interacting with the Extensible Storage Engine (ESE) Database File (EDB) format.

ntdsxtract - Csaba Barta's framework for working with NT Directory Information Tree (NTDS.dit) files containing AD objects.


1. Gather NTDS.dit file and System registry hive from the Domain Controller.

This is all done from the domain controller. You will need two files: %SystemRoot%\ntds\NTDS.dit and %SystemRoot%\System32\config\System.

Start the Volume Shadow Copy Service (VSS).
net start vss

Create volume shadow copy of drive containing the target files.
vssadmin create shadow /for=c: 

List the volume shadow copies (to make it easier to copy/paste the path).
vssadmin list shadows

Copy the SYSTEM and NTDS.dit files off, in this example I'm copying to the T: drive.
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit T:\

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM T:\

2. Extract data from NTDS.dit.
This is all done from your Linux system (not the domain controller).

Extract the libesedb tarball.
tar -xvzf libesedb-alpha-20120102.tar.gz

Enter the extracted dir and compile libesedb tools.
cd libesedb-20120102 && ./configure && make && sudo make install

Navigate to the libesedb-20120102/esedbtools directory and run the esedbexport script with appropriate arguments.

./esedbexport -t /home/demo/AD /home/demo/samba/ntds.dit

This will extract the tables from the NTDS.dit file and place them in the /home/demo/AD.export folder (using the example above). The resulting output will then be processed with the NTDSExtract framework; we care about the datatable and link_table objects.

3. Extract password hashes with NTDSExtract.

Extract Barta's NTDSExtract framework.

I prefer using a Python script by LaNMaSteR53 which outputs the extracted hashes in PWDump format. Run it (or the script that comes with the framework) from the directory into which you extracted NTDSExtract.

./ /home/demo/AD.export/datatable.3 /home/demo/AD.export/link_table.5 --passwordhashes /home/demo/samba/SYSTEM

4. Crack the hashes.

Now you can use a password auditing program like John the Ripper (John) to attempt to determine the cleartext values of the password hashes. Password cracking is an art and a science, and you will find many tutorials and methods. What follows is an example to get started, using the "rockyou.txt" file as a password list for a dictionary-based attack against the password hashes.

Install John.

git clone
cd JohnTheRipper/src && make clean generic

Now run john.

./john --pot=demo.pot --wordlist=rockyou.txt --rules --format=nt2 /home/demo/ad_hashes.txt

You can use the --show option in john to display the results.

./john --pot=demo.pot --show --format=nt2 /home/demo/ad_hashes.txt

This will output the cracked passwords and usernames for your input file of hashes.

As you progress in your password auditing program you may want to move to GPU-enabled cracking and password auditing tools like oclHashcat. However, this should be enough to get you started auditing your AD environment.

5. Analyze and Present the Data. 

Now we need to summarize the data. We use a tool called pipal, a Ruby script that takes an input file of cracked passwords and returns useful metrics that can easily be incorporated into reports or presentations.

Get pipal.

git clone

cd pipal && ruby pipal.rb demo_pipal_in.txt >> pipal_out.txt

Here are some examples of pipal output:
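As an added example, not part of the original post and not pipal's own code, the following Python script computes the same kind of metrics directly over john --show output. The sample input is constructed for illustration and is laid out as account:password:trailing fields, which is how john prints pwdump-format input (check your own output and adjust parse_show_output if the field order differs); MIN_LENGTH is an assumed policy value.

```python
"""Pipal-style metrics over a cracked-password list.

Added example, not the post's code and not pipal: reads lines in the
shape john --show emits for pwdump-format input (account:password:...)
and reports the figures an auditor would put in front of management.
"""
import re
from collections import Counter

# Constructed sample of `john --show` style output: account:password:rest...
# The trailing summary line has no colon and is skipped by the parser.
SAMPLE_SHOW_OUTPUT = """\
jdoe:Welcome1:1105:::
asmith:Password1:1106:::
bjones:Summer2014:1107:::
clee:Welcome1:1108:::
dkim:Spring2014!:1109:::
svc_backup:Welcome1:1110:::
efox:Tr0ub4dor&3:1111:::
gray:abc123:1112:::
8 password hashes cracked, 0 left
"""

MIN_LENGTH = 8  # assumed policy minimum; set to the audited domain's policy


def parse_show_output(text):
    """Return a list of (account, password) pairs from john --show lines.
    Assumes field 1 is the account and field 2 the recovered password."""
    pairs = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue  # john's "N password hashes cracked" summary line
        pairs.append((parts[0], parts[1]))
    return pairs


def base_word(password):
    """Strip trailing digits/symbols so Welcome1 and Welcome123 both
    count as the base word 'welcome'."""
    return re.sub(r"[^A-Za-z]+$", "", password).lower()


def character_classes(password):
    """Number of character classes present: lower, upper, digit, symbol."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def summarize(pairs, min_length=MIN_LENGTH):
    """Compute report metrics: lengths, policy violations, reuse, base words."""
    passwords = [p for _, p in pairs]
    reuse = {pw: n for pw, n in Counter(passwords).items() if n > 1}
    lengths = Counter(len(p) for p in passwords)
    return {
        "total_cracked": len(passwords),
        "length_distribution": dict(sorted(lengths.items())),
        "below_min_length": sum(1 for p in passwords if len(p) < min_length),
        "ending_in_digits": sum(1 for p in passwords if re.search(r"\d+$", p)),
        "fewer_than_3_classes": sum(1 for p in passwords if character_classes(p) < 3),
        "top_base_words": Counter(base_word(p) for p in passwords).most_common(3),
        "reused_passwords": reuse,
        # Accounts sharing a password: the reuse finding auditors care most about
        "accounts_sharing_password": {pw: [a for a, p in pairs if p == pw] for pw in reuse},
    }


if __name__ == "__main__":
    report = summarize(parse_show_output(SAMPLE_SHOW_OUTPUT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it a real file with parse_show_output(open("john_show.txt").read()); the per-password and per-account breakdowns are the figures to track across audits, while the account list itself stays inside the audit team.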

6. Clean up.

Ensure that the output of the AD password audit, the NTDS.dit file, SYSTEM registry hive, and resultant password hashes and retrieved passwords are securely deleted. The data should be treated as sensitive information and protected and disposed of appropriately.

On Linux systems the shred command can be used on files left over from the audit.


The information provided above is not an all-encompassing password auditing program. The steps outlined should lay the groundwork to help organizations formulate a password policy enhancement strategy, and further strengthen their overall security posture.


