Options

Auditing AD passwords

MitMMitM Member Posts: 622 ■■■■□□□□□□
I was wondering if it was common practice for security teams to try to cracking ad passwords by dumping NTDS. I'm not referring to 3rd party pen tests where they are able gain access.  This is more like routine auditing.

Comments

  • Options
    yoba222yoba222 Member Posts: 1,237 ■■■■■■■■□□
    I've heard of this before, probably in some training course I can't remember specifically, but I've never actually seen it done.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • Options
    iBrokeITiBrokeIT Member Posts: 1,318 ■■■■■■■■■□
    edited September 2019
    That is a waste of time and effort because it is very reactive to a problem and does not scale well.

    A better, preventative approach is set an appropriate password length and follow NIST guidance by banning any password from being set which has been exposed in a data breach. You can accomplish this by using Anixis Password Policy Enforce and Troy Hunt's Pwned Passwords list on his site. You can also ban based on custom wordlists that you would use in your cracking.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • Options
    iBrokeITiBrokeIT Member Posts: 1,318 ■■■■■■■■■□
    edited September 2019
    Another approach you can take is to run Thycotic's Weak Password Finder which is a free tool. Again, no cracking required.

    It also finds passwords that are stored using weak hashing and encryption.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • Options
    MitMMitM Member Posts: 622 ■■■■□□□□□□
    @iBrokeIT thanks for the suggestions. It's not something that I do, was just wondering.  Could also use DSInternals to check for weak passwords based on a list
  • Options
    scascscasc Member Posts: 461 ■■■■■■■□□□
    Was def done back in the day when auditing was a more technical field. I’ve seen this plentiful times. However as pen testing rose as a dedicated field the technicality from auditing was taken out - from the perspective of using tools (e.g. password cracking, firewall config check etc). Nowadays auditing is fundamentally aligned to checking for gaps against policy and standards - higher lever.
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
Sign In or Register to comment.