
Finding Weak Passwords in Active Directory


So far in this series we’ve looked at how plain text passwords can be exposed within Active Directory, which represents a major vulnerability for most AD environments.  However, even if you have proper controls to prevent plain text passwords in your network, attackers can still get them pretty efficiently.  How do they do this?  They guess.  And you’d be surprised how well guessing works at cracking passwords.

As we covered in the introductory post for this series, guessing can be very effective when your users are creating weak passwords.  Unfortunately, there isn’t a whole lot you can do to stop users from doing this.  This explains why in a study released by Praetorian in which 100 real-world penetration tests were analyzed, the #1 attack vector was weak domain user passwords.

What is a Weak Password?

The password policy within Active Directory enforces password length, complexity, and history.  This does not in any way control what the password is, just how long it is and what characters are inside of it.  Many people will use easily guessable passwords like Winter2017 or Password!@# because they technically meet the standards but are easy for them to remember.

Password Spraying

To prevent bad guys from constantly guessing the passwords of user accounts, AD supports account lockout policies.  This will lock an account after a certain number of bad passwords are guessed for a particular user.  But if you were to take a single password and try it against every single account in an organization, it would not trigger any lockouts.  Let’s take a look at how you can do this using CrackMapExec (which we’ve explored in previous posts).

One of the cool features of CME is to enumerate the Active Directory password policy and lockout policy.  This will let an attacker know how many bad passwords he can guess per account to avoid a lockout.  Here is what the command outputs:

Enumerating Active Directory password policy with CrackMapExec and --pass-pol

So you can see in my environment I can guess up to 10 passwords for an account before triggering a lockout.  I also see I have a minimum password length of 5 characters and password complexity is enabled.  This can be used to craft a custom dictionary of passwords to guess against all accounts.  Alternatively you can use any number of existing password lists which are readily available on GitHub and built based on analyzing password dumps from data breaches.

Now that we have our list of passwords, we just need a list of users to attack.  We can easily extract all users with an LDAP query.  Alternatively, CME has a nice feature, --rid-brute, which will enumerate all accounts:

Building a list of users with CrackMapExec and --rid-brute

Now that we have our list of passwords and users, we just need to specify the right command to guess the passwords across all users until we find a hit.

CrackMapExec command to use password spraying

This command will attempt to run commands against a domain controller and cycle through the list of passwords for every user account in the users list.  Here you can see this running until it finds a hit:

Password spraying with CrackMapExec

This is a very effective way for attackers with no access rights to compromise AD accounts and have access to their plain text passwords.
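The spraying pattern described above has a recognisable shape on the defender's side: one source fails authentication against many distinct accounts while never reaching the lockout threshold for any one of them. The detection logic below is an added example, not code from the original post; the flattened "timestamp source_ip target_user" log format and the sample lines are constructed here, and mapping real 4625 events into that form is assumed.

```python
import re
from collections import defaultdict

# Constructed sample of failed-logon (event 4625) records, flattened to
# "timestamp source_ip target_user"; not real log data.
SAMPLE_4625 = """\
2017-03-01T09:00:01 10.0.0.50 alice
2017-03-01T09:00:02 10.0.0.50 bob
2017-03-01T09:00:03 10.0.0.50 carol
2017-03-01T09:00:04 10.0.0.50 dave
2017-03-01T09:00:05 10.0.0.50 erin
2017-03-01T09:00:06 10.0.0.50 frank
2017-03-01T09:05:00 10.0.0.77 grace
2017-03-01T09:05:30 10.0.0.77 grace
2017-03-01T09:06:00 10.0.0.77 grace
"""

LINE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def detect_spray(log_text, min_distinct_users=5, lockout_threshold=10):
    """Group failed logons by source address and flag sources that fail
    against many distinct accounts while every account stays below the
    lockout threshold (the combination a spray is designed to produce).
    Returns {source_ip: {"users": n, "max_per_user": m}} for flagged sources.
    lockout_threshold should be set from the domain's actual lockout policy."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than crash the analysis
        _, src, user = m.groups()
        failures[src][user.lower()] += 1

    flagged = {}
    for src, per_user in failures.items():
        distinct = len(per_user)
        peak = max(per_user.values())
        # A single user hammered repeatedly (10.0.0.77 above) trips lockout
        # instead; breadth across users with low depth per user is the spray.
        if distinct >= min_distinct_users and peak < lockout_threshold:
            flagged[src] = {"users": distinct, "max_per_user": peak}
    return flagged
```

In production the grouping should also be bounded by a time window, since a spray that pauses between rounds to let the lockout observation window expire is the same pattern stretched over hours.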

Discovering Your Weak Passwords

After reading this you may be wondering just how vulnerable you are to these attacks.  Luckily DSInternals provides a great command Test-PasswordQuality which can be used to do just that.  Using DSInternals you can extract all password hashes, then provide a dictionary of “weak” passwords which it will hash and compare to your account hashes.  It then provides very useful output to identify the biggest weaknesses.

Here is the command you can issue to run the analysis.  This can actually be run remotely and will extract password hashes using DC replication similar to the DCSync Mimikatz attack.

Active Directory password security with the DSInternals Test-PasswordQuality command

The first thing the report identifies is accounts stored with reversible encryption, a topic we covered in our last post.

Viewing the AD Password Quality Report with DSInternals and Test-PasswordQuality

Then it lists the accounts whose hashes matched an entry in the dictionary.  The -ShowPlainTextPasswords flag controls whether the matching password is displayed alongside each account.

Viewing weak passwords with DSInternals and Test-PasswordQuality
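The dictionary check Test-PasswordQuality performs is simple in principle: NT hashes are unsalted MD4 over the UTF-16LE password, so the dictionary can be hashed once and compared to every account hash, and any two accounts with the same hash share a password. The code below is an added example that reproduces that matching logic offline; it is not DSInternals code. The account map and weak list are constructed here, and the MD4 implementation follows RFC 1320.

```python
import struct

MASK = 0xFFFFFFFF
_rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hashes are MD4, so the check runs offline."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (mixing function, round constant, per-step shifts, word order)
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [(0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4] for i in range(16)]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, w in enumerate(order):  # registers rotate one place per step
                a, b, c, d = d, _rotl((a + fn(b, c, d) + X[w] + k) & MASK, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    # NT hash = MD4 over the UTF-16LE password, unsalted: equal passwords give equal hashes
    return md4(password.encode("utf-16-le")).hex()

def audit_weak_passwords(accounts, weak_passwords):
    """accounts: {sAMAccountName: NT hash hex} (e.g. obtained via DC replication).
    Returns (weak, duplicates): account -> matched dictionary word, and
    groups of accounts that share a hash (and therefore a password)."""
    lookup = {nt_hash(p): p for p in weak_passwords}  # hash the dictionary, not the users
    weak, by_hash = {}, {}
    for user, h in accounts.items():
        h = h.lower()
        if h in lookup:
            weak[user] = lookup[h]
        by_hash.setdefault(h, []).append(user)
    return weak, [users for users in by_hash.values() if len(users) > 1]

# Constructed sample: hashes derived here so the example runs offline;
# bob's entry is the well-known NT hash of "password".
SAMPLE_ACCOUNTS = {"alice": nt_hash("Winter2017"), "bob": "8846F7EAEE8FB117AD06BDD830B7586C",
                   "carol": nt_hash("Winter2017"), "dave": nt_hash("correct-horse-battery-staple-9!")}
WEAK_LIST = ["Winter2017", "Password!@#", "password", "Summer2017"]
```

Because the comparison is hash-to-hash, the audit never needs plaintext for any account; only the dictionary words are known, which is exactly why the post's -ShowPlainTextPasswords switch can be left off when the output is shared.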

Now we understand how important it is to set strong passwords that are not easily guessable.  STEALTHbits offers products not only to assess this problem but to prevent users from using weak AD passwords going forward.  In our next post, we will look at how an attacker can use this information to plan an attack path to compromise an AD domain.
