Auditing AD passwords
MitM
I was wondering if it is common practice for security teams to try cracking AD passwords by dumping NTDS. I'm not referring to third-party pen tests where they are able to gain access. This is more like routine auditing.
Comments
yoba222
I've heard of this before, probably in some training course I can't remember specifically, but I've never actually seen it done.
iBrokeIT
That is a waste of time and effort because it is very reactive to a problem and does not scale well.
A better, preventative approach is to set an appropriate password length and follow NIST guidance by banning any password from being set that has been exposed in a data breach. You can accomplish this by using Anixis Password Policy Enforcer and Troy Hunt's Pwned Passwords list on his site. You can also ban based on custom wordlists that you would use in your cracking.
iBrokeIT
Another approach you can take is to run Thycotic's Weak Password Finder which is a free tool. Again, no cracking required.
It also finds passwords that are stored using weak hashing and encryption.
MitM
@iBrokeIT
Thanks for the suggestions. It's not something that I do; I was just wondering. You could also use DSInternals to check for weak passwords based on a list.
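As an added example (not code posted by anyone in this thread), here is what the no-cracking audit that iBrokeIT and MitM describe looks like with the DSInternals PowerShell module: account secrets are pulled over the directory replication protocol (or read from an offline copy of ntds.dit) and the NT hashes are compared against a custom wordlist and a breached-hash list, so no password is ever guessed or brute-forced. The server name, naming context and file paths are assumptions; adjust them to your environment. The account running it needs replication rights on the domain (the "Replicating Directory Changes All" permission), and this is exactly the access a DCSync attack uses, so treat the audit host and the resulting report as Tier 0 material.

```powershell
# Added example, not from the original thread. Requires the DSInternals module:
#   Install-Module DSInternals -Scope CurrentUser
# Assumed names: dc01.corp.example (a DC), DC=corp,DC=example (the domain NC),
# and C:\audit\ as a working folder on an isolated audit host.

# Inputs: a custom wordlist (one plaintext password per line, e.g. company names,
# seasons+year, local sports teams) and the NTLM variant of the Pwned Passwords
# list ordered by hash (lines of the form NTHASH:count), obtained from
# https://haveibeenpwned.com/Passwords . Both file names are assumptions.
$WordList    = 'C:\audit\corp-wordlist.txt'
$PwnedHashes = 'C:\audit\pwned-passwords-ntlm-ordered-by-hash.txt'

# 1. Pull account objects, including NT hashes, via replication. No ntds.dit copy
#    is written to disk and nothing leaves the audit host except the report.
$Accounts = Get-ADReplAccount -All -Server 'dc01.corp.example' `
    -NamingContext 'DC=corp,DC=example'

# 2. Run the quality checks. Test-PasswordQuality hashes each wordlist entry and
#    looks the account's NT hash up in both lists; the sorted breach file is
#    binary-searched, so the multi-gigabyte HIBP file is fine. It also flags
#    empty passwords, reversible-encryption storage, shared passwords, etc.
$Report = $Accounts | Test-PasswordQuality `
    -WeakPasswordsFile $WordList `
    -WeakPasswordHashesSortedFile $PwnedHashes `
    -IncludeDisabledAccounts

# 3. Pick out the findings that should become tickets. The report object exposes
#    one collection per check; each holds account names, never the password itself.
$Findings = [ordered]@{
    WeakOrBreachedPassword = $Report.WeakPassword
    EmptyPassword          = $Report.EmptyPassword
    ReversibleEncryption   = $Report.ClearTextPassword
    PasswordNeverExpires   = $Report.PasswordNeverExpires
    SharedPasswordGroups   = $Report.DuplicatePasswordGroups
}
$Findings | ConvertTo-Json -Depth 3 | Out-File 'C:\audit\password-audit.json'

# Offline variant: audit a backup or IFM copy of ntds.dit plus its SYSTEM hive
# instead of talking to a live DC (same Test-PasswordQuality call afterwards).
# $BootKey = Get-BootKey -SystemHiveFilePath 'C:\audit\SYSTEM'
# Get-ADDBAccount -All -DatabasePath 'C:\audit\ntds.dit' -BootKey $BootKey |
#     Test-PasswordQuality -WeakPasswordHashesSortedFile $PwnedHashes
```

The report never contains plaintext passwords, only which accounts failed which check, which is what makes this defensible as routine auditing rather than a cracking exercise; pair it with a banned-password filter on the DCs so the same lists block the weak choice at set time instead of only reporting it afterwards.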
scasc
Was definitely done back in the day when auditing was a more technical field. I've seen this plenty of times. However, as pen testing rose as a dedicated field, the technicality was taken out of auditing - from the perspective of using tools (e.g. password cracking, firewall config check etc.). Nowadays auditing is fundamentally aligned to checking for gaps against policy and standards - higher level.