AD Security – Weak Passwords
Each company has different security challenges, but one they all share is securing Active Directory, which remains a critical issue because it’s used to store increasing amounts of data.
Currently, businesses face a major risk in granting access to many people without knowing which of them can be trusted.
Weak Password Problem
As you know, Active Directory was introduced two decades ago, and many companies, especially large ones, have been running it for a long time.
One of the biggest problems is a lack of visibility into the number of admins and systems with administrative rights.
Admins, and sometimes systems, have access to keys and codes and can disable or enable controls as they see fit.
Passwords are the most common authentication factor and the most frequently abused, and they’re a prime target for attackers seeking Active Directory access. With so much sensitive data in one place, AD authentication is a single point of failure.
The most common way for attackers to obtain passwords is through social engineering or phishing attacks.
Active Directory allows you to enforce a password policy with settings such as minimum length, complexity, and history, but these are not enough. They can’t stop common password patterns such as Password!@#, or other easy-to-remember conventions, from being used.
This leaves the window wide open for attackers to quickly compromise a handful of accounts with weak passwords, giving them a solid foothold in an attack.
The ideal password is over 15 characters long, with a mix of upper- and lower-case letters, numbers, and special characters. But many users are allowed to use weak passwords because the password policy itself is weak.
Weak passwords are an open invitation for hackers to exploit user accounts and gain access to the corporate network.
The IT admins need to ensure that every user account in Active Directory is secured with a strong password.
Unfortunately, the default domain password policy, which admins use to enforce password rules in Active Directory, is usually not configured to force good passwords.
In many cases, it does not even provide the controls needed to enforce strong passwords.
The password policy within Active Directory enforces password length, complexity, and history. This does not control what the password is, just how long it is and what characters are inside it.
Many people will use easily guessable passwords like Aa123456! or Password!@# because they technically meet the standards but are easy for them to remember.
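The settings the article lists (length, complexity, history) live in the default domain password policy, so the first check a defender should make is whether that policy even meets the 15-character guidance above. The following is an added example, not code from the original article: it audits the policy with the Microsoft ActiveDirectory (RSAT) module and previews the corrective call with -WhatIf. The domain name cloud.ms, the thresholds, and the Test-DomainPasswordPolicy function name are assumptions for illustration.

```powershell
# Added example: audit the default domain password policy and preview a fix.
# Requires the ActiveDirectory module (RSAT). Domain name and thresholds are assumed.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [int]$MinLength = 15,        # the article's recommendation
        [int]$HistoryCount = 24,     # assumed baseline
        [int]$LockoutThreshold = 10  # assumed baseline
    )
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = @()
    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength); expected >= $MinLength"
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += "ComplexityEnabled is false"
    }
    if ($policy.PasswordHistoryCount -lt $HistoryCount) {
        $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount); expected >= $HistoryCount"
    }
    if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $LockoutThreshold) {
        $findings += "LockoutThreshold is $($policy.LockoutThreshold); expected 1..$LockoutThreshold"
    }
    if ($policy.ReversibleEncryptionEnabled) {
        $findings += "ReversibleEncryptionEnabled is true (passwords stored recoverably)"
    }
    [pscustomobject]@{
        Domain    = $Domain
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$result = Test-DomainPasswordPolicy -Domain 'cloud.ms'
$result | Format-List

# Corrective call, previewed with -WhatIf; drop -WhatIf to apply it.
if (-not $result.Compliant) {
    Set-ADDefaultDomainPasswordPolicy -Identity 'cloud.ms' `
        -MinPasswordLength 15 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -LockoutThreshold 10 -WhatIf
}
```

Set-ADDefaultDomainPasswordPolicy writes the domain's policy attributes directly. If the same settings are defined in the Default Domain Policy GPO, that GPO will reapply its values, so the lasting change belongs in the GPO; the audit function is still useful to confirm what is actually in effect.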
How to Discover Weak Passwords
So after reading this, you may be wondering what to do and how vulnerable you are to these attacks. Today, a few vendors provide tools and commands that can be used to do just that.
You extract all password hashes, then provide a dictionary of "weak" passwords, which the tool hashes and compares against your account hashes.
It then provides useful output that identifies the biggest weaknesses.
For our example, let’s use the PowerShell-based DSInternals module with the following actions:
- Download https://github.com/MichaelGrafnetter/DSInternals
- Import DSInternals module
Importing the module makes its cmdlets available in your PowerShell session, alongside the Active Directory PowerShell module.
Note: The DSInternals PowerShell Module exposes several internal features of Active Directory; however, it is not supported by Microsoft, so use with caution.
$DictFile – the path to your dictionary file. Many dictionary files are available for download and can be used for this process. However, you should stop and think about which passwords people in your organization are likely to use.
$DC – the name of the domain controller you wish to use
$Domain – the distinguished name (naming context) of your internal domain
Convert Passwords to Hashes
This line converts each password in your dictionary file into an NT hash to compare against the hashes retrieved from Active Directory.
Hashes are then retrieved from AD and compared against the dictionary file.
Finally, the main line of the script uses the variables we declared to connect to your Active Directory instance and retrieve the hashes of all users in your domain.
The hashes from the dictionary file are then used to find and report weak passwords.
# Install the DSInternals module from the PowerShell Gallery and list its cmdlets
Install-Module -Name DSInternals
Get-Command -Module DSInternals

# Find weak passwords
$DictFile = "C:\Attack\weakpasslist.txt"   # dictionary of weak passwords, one per line
$DC = "A-DC01"                             # domain controller to replicate from
$Domain = "DC=Cloud,DC=ms"                 # naming context (distinguished name) of the domain
# Hash every dictionary entry to an NT hash so it can be compared with the AD hashes
$Dict = Get-Content $DictFile | ConvertTo-NTHashDictionary
# Replicate all accounts from the DC and test their hashes against the dictionary
Get-ADReplAccount -All -Server $DC -NamingContext $Domain | Test-PasswordQuality -WeakPasswordHashes $Dict -ShowPlainTextPasswords -IncludeDisabledAccounts
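To make the comparison in the script above concrete (hash the dictionary, then look each account's NT hash up in it, as described under "Convert Passwords to Hashes"), here is an added, offline walk-through. It is not code from the original article or from the DSInternals project: it uses only DSInternals' ConvertTo-NTHash cmdlet on a constructed word list and constructed accounts, so it runs without contacting a domain controller. The account names, the word list, and the Get-NTHashHex / Find-WeakPasswordAccount helper names are assumptions.

```powershell
# Added example: offline demonstration of the NT-hash dictionary comparison.
# Requires: Install-Module DSInternals. No domain controller is contacted.
Import-Module DSInternals

# Normalise whatever ConvertTo-NTHash returns (byte[] or hex string) to upper-case hex
function Get-NTHashHex {
    param([Parameter(Mandatory)][string]$PlainText)
    $secure = ConvertTo-SecureString -String $PlainText -AsPlainText -Force
    $hash = ConvertTo-NTHash -Password $secure
    if ($hash -is [byte[]]) {
        return (($hash | ForEach-Object { $_.ToString('X2') }) -join '')
    }
    return ([string]$hash).ToUpperInvariant()
}

# Constructed weak-password list (stands in for the contents of $DictFile)
$weakList = @('Password!@#', 'Aa123456!', 'Summer2023!', 'Welcome1')

# Build the lookup table NT hash -> dictionary entry, which is what
# ConvertTo-NTHashDictionary produces from the dictionary file
$weakHashes = @{}
foreach ($word in $weakList) { $weakHashes[(Get-NTHashHex $word)] = $word }

# Constructed sample accounts with the NT hash each would carry in AD.
# In a real run these objects come from Get-ADReplAccount; names are assumed.
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';    NTHashHex = Get-NTHashHex 'Password!@#' }
    [pscustomobject]@{ SamAccountName = 'svc-bkp'; NTHashHex = Get-NTHashHex 'Aa123456!' }
    [pscustomobject]@{ SamAccountName = 'asmith';  NTHashHex = Get-NTHashHex 'c0rrect-H0rse-Batt3ry-Staple!' }
)

# An account is "weak" when its hash is present in the dictionary table.
# MatchedEntry is the plaintext equivalent of -ShowPlainTextPasswords; omit it
# when the report leaves the security team.
function Find-WeakPasswordAccount {
    param([object[]]$Accounts, [hashtable]$WeakHashes)
    foreach ($a in $Accounts) {
        if ($WeakHashes.ContainsKey($a.NTHashHex)) {
            [pscustomobject]@{
                SamAccountName = $a.SamAccountName
                MatchedEntry   = $WeakHashes[$a.NTHashHex]
            }
        }
    }
}

Find-WeakPasswordAccount -Accounts $accounts -WeakHashes $weakHashes | Format-Table
```

In the real run, the constructed accounts are replaced by Get-ADReplAccount output. That cmdlet replicates password data and therefore needs the Replicating Directory Changes All permission on the domain, the same replication right that directory-synchronisation attacks abuse, so the account used for the audit should be dedicated and its replication activity alerted on, and both the dictionary and the report should be handled as sensitive data.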