There’s no doubt that domain accounts with weak passwords can be a serious concern for companies, and there are a few ways you can protect yourself against issues like this. The first is to set up a domain and local account lockout policy and the second is to enforce password complexity. However, if your users are using “Password1” as their password, neither of these steps will protect you.
An alternative approach would be to analyse the passwords being used by your users and re-educate any users who have chosen one of the common bad choices – such as Password1, Companyname123, Summer2016 – you get the idea.
There are three main steps to the analysis:
1. Extract the hashes from the domain controller
2. Crack the hashes using a cracking tool
3. Analyse the passwords used to identify weak accounts
Extracting hashes from a domain controller
When it comes to extracting hashes, you’ve got a couple of options and I’ve elaborated on those options previously – to summarise though, the simplest way is to use the tool FGDump. Be aware though that this is a hacking tool, so of course your anti-virus scanner may flag it as such; if you’d like to extract hashes from your server for local extraction using Windows built-in tools instead, take a look at Volume Shadow Copies here.
Running the tool FGDump on a domain controller as an administrator will output a .pwdump file called 127.0.0.1.pwdump which contains all of your user password hashes that can be “cracked” to reveal and analyse their plaintext passwords. To run an EXE as an administrator on modern Windows it’s not enough to be logged in as an administrator – you have to right click the EXE and select “Run As Administrator” to get full permissions.
Cracking Hashes to reveal Plaintext Passwords
Once password hashes are extracted you can feed them to a cracking tool such as OphCrack, Hashcat or John the Ripper. My personal preference is John the Ripper and I’ve posted about this tool previously, although to summarise: “John” is available for Linux, Mac and Windows; you can give it a hash file and it’ll do its best to crack the passwords, but it really comes into its own when you give it a wordlist of possible passwords. If you want to roll up your sleeves then I’ve talked about generating your own wordlist here, or the simplest way is to use a pre-made wordlist such as one from a recent data breach – these have the benefit of being real-world passwords users have chosen! (Although they are not context-specific so might miss passwords like Companyname123.)
A really good source for password lists is SkullSecurity; I’d recommend you have a look at the “rockyou” list. This file is a bz2 file so if you’re on Windows you’ll probably need something like 7-zip to open it.
Download your wordlist of choice and grab a copy of John the Ripper. You can invoke John the Ripper on your password hash file like this:
john.exe --wordlist=rockyou.txt --format=nt 127.0.0.1.pwdump
It’ll churn away at your hashes and spit out passwords as it finds them; if you stop John at any point and just want to see passwords it has previously managed to crack you can use:
john.exe 127.0.0.1.pwdump --show
This will give you a neat list, this time including the password against the username.
Analysing the Passwords
The simplest analysis you can do is to flag users that are using passwords like “password”, “Password1”, “Password123” and remediate that issue – but if you want to go further then DigiNinja has created a Ruby tool called Pipal which will perform some great analysis for you and highlight issues such as common base words, the average password length, all sorts. His tool is available here and can be invoked by:
pipal crackedpasswords.txt
It’s a Ruby script so if you’re running on Windows don’t forget to install Ruby first!
Have fun hunting weak passwords!