
Tutorial: Domain Password Auditing


By: FelixTrips

February 6, 2017

Estimated reading time: 3 minutes

Summary:

This tutorial covers password auditing of network credentials within your domain. We will use Kali Linux along with some open source software to validate your password policies. As always, make sure you have permission to perform this audit. At the very least, everyone should check that people using privileged accounts are not using the same password for their privileged account and their normal user account.

Preparation:

  1. Access to a domain controller for the domain that we will be auditing

  2. Kali Linux

  3. ntdsxtract-master.zip (https://github.com/csababarta/ntdsxtract)

  4. libesedb-experimental-20160622.tar.gz (https://github.com/libyal/libesedb/releases)

  5. Install ntdsxtract and libesedb using the instructions given within each archive.

Get your NTDS database off the server:

  1. Log into your domain controller using an admin-level account

  2. Open a command prompt

  3. Type ntdsutil

  4. Your prompt should change to ntdsutil:

  5. Type active instance ntds

  6. Type ifm

  7. Your prompt should change to ifm:

  8. Type create full <location of where you want your backup> (e.g. c:\pentest)

  9. Once the backup is complete, type quit.

  10. Now copy the folder with your backup to your Kali Linux system

Extract the NTDS database:
  1. Navigate to the directory containing the ntds.dit file (e.g. /root/pentest/Active Directory)

  2. Run esedbexport -m tables ./ntds.dit

Extract the password hashes:
  • run dsusers.py ./ntds.dit.export/datatable.4 ./ntds.dit.export/link_table.7 ./hashdumpwork --syshive ../SYSTEM --passwordhashes --lmoutfile lm-out.txt --ntoutfile nt-out.txt --pwdformat john

Ok, let's break this command down:
  • dsusers.py is the program we just installed; it pulls the hashes out of the database

  • ./ntds.dit.export/datatable.4 is the data table of the ntds database; the number may be different on your system

  • ./ntds.dit.export/link_table.7 is the link table; the number may also be different

  • these two tables are needed so the program can match up usernames with their associated hashes

  • ./hashdumpwork is just a nice way to keep your directory clean; all supporting files the program generates are dumped here along with our output files

  • --lmoutfile lm-out.txt is our output file for any LM hashes; it will normally be blank for modern domains

  • --ntoutfile nt-out.txt is our output file for the NTLM hashes; this is where all the good stuff goes

  • --pwdformat john tells the program how we want the output formatted; we format for John the Ripper

We have the user accounts and hashes, now what?

This is where we can start to audit our passwords. I prefer to open the output as a spreadsheet first. This allows me to sort the accounts by hash. I can now easily see if my admins are using the same password for their normal account and their privileged account: same hash = same password. If you are auditing multiple domains, you can also easily check whether people are using the same password across domains, which is also a no-no.

Everything up to this point should be part of regular password auditing; however, some organizations may want to go a step further. Make sure you clear this first if you decide to check for ‘weak’ passwords, as this could become a ‘resume producing event’.

Remember we formatted our output files for John the Ripper? Let's open Johnny (the John the Ripper GUI), load in our password file, and add your favorite word list. If you don’t have one yet, a quick search will give you plenty to choose from. I also always edit it to contain known default passwords. Remember, we are not going overboard to see if we can crack everyone's passwords; we just want to check for ‘weak’ passwords, and you would be surprised at what will pop up even with a good domain password policy.
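As an added example (not part of the original tutorial), a Python script that does the spreadsheet sort programmatically: it reads the john-format nt-out.txt dumps from one or more domains, groups accounts by NT hash, and flags a hash shared between a privileged and a normal account, or reused across domains. It assumes the pwdump-style line layout user:rid:lmhash:nthash::: for --pwdformat john output and an assumed "-adm" suffix naming convention for privileged accounts; the dump contents are constructed.

```python
import re
from collections import defaultdict

# Constructed sample dumps, one per domain, in the pwdump-style layout
# (user:rid:lmhash:nthash:::) assumed for --pwdformat john output.
# The LM field is the well-known "no LM hash" value; NT hashes are fake.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
DUMPS = {
    "corp": f"""\
jdoe:1105:{EMPTY_LM}:11111111111111111111111111111111:::
jdoe-adm:1106:{EMPTY_LM}:11111111111111111111111111111111:::
asmith:1107:{EMPTY_LM}:22222222222222222222222222222222:::
asmith-adm:1108:{EMPTY_LM}:33333333333333333333333333333333:::
""",
    "lab": f"""\
jdoe:1201:{EMPTY_LM}:11111111111111111111111111111111:::
bkim:1202:{EMPTY_LM}:44444444444444444444444444444444:::
""",
}

def parse_pwdump(text):
    """Yield (username, nt_hash) pairs; skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            yield parts[0], parts[3].lower()

def audit(dumps, admin_pattern=r"-adm$"):
    """Group accounts by NT hash and flag the two reuse cases from the text.

    admin_pattern is an assumed naming convention for privileged accounts;
    adjust it to your own (or replace it with a group-membership lookup).
    """
    def is_admin(acct):
        return re.search(admin_pattern, acct[1]) is not None

    by_hash = defaultdict(list)          # nt_hash -> [(domain, user), ...]
    for domain, text in dumps.items():
        for user, nt in parse_pwdump(text):
            by_hash[nt].append((domain, user))
    findings = {"priv_shares_with_normal": [], "cross_domain_reuse": []}
    for accts in by_hash.values():
        if len(accts) < 2:
            continue                     # unique hash, nothing to flag
        if any(map(is_admin, accts)) and not all(map(is_admin, accts)):
            findings["priv_shares_with_normal"].append(sorted(accts))
        if len({d for d, _ in accts}) > 1:
            findings["cross_domain_reuse"].append(sorted(accts))
    return findings
```

Feed `audit()` a dict mapping each domain name to the contents of its nt-out.txt; only the hashes are compared, so nothing is cracked at this stage.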