Auditing AD passwords

MitMMitM Member Posts: 622 ■■■■□□□□□□
I was wondering if it was common practice for security teams to try to cracking ad passwords by dumping NTDS. I'm not referring to 3rd party pen tests where they are able gain access.  This is more like routine auditing.

Comments

  • yoba222yoba222 Senior Member Member Posts: 1,227 ■■■■■■■■□□
    I've heard of this before, probably in some training course I can't remember specifically, but I've never actually seen it done.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • iBrokeITiBrokeIT GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,309 ■■■■■■■■■□
    edited September 2019
    That is a waste of time and effort because it is very reactive to a problem and does not scale well.

    A better, preventative approach is set an appropriate password length and follow NIST guidance by banning any password from being set which has been exposed in a data breach. You can accomplish this by using Anixis Password Policy Enforce and Troy Hunt's Pwned Passwords list on his site. You can also ban based on custom wordlists that you would use in your cracking.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security
  • iBrokeITiBrokeIT GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,309 ■■■■■■■■■□
    edited September 2019
    Another approach you can take is to run Thycotic's Weak Password Finder which is a free tool. Again, no cracking required.

    It also finds passwords that are stored using weak hashing and encryption.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    @iBrokeIT thanks for the suggestions. It's not something that I do, was just wondering.  Could also use DSInternals to check for weak passwords based on a list
  • scascscasc Member Posts: 391 ■■■■■□□□□□
    Was def done back in the day when auditing was a more technical field. I’ve seen this plentiful times. However as pen testing rose as a dedicated field the technicality from auditing was taken out - from the perspective of using tools (e.g. password cracking, firewall config check etc). Nowadays auditing is fundamentally aligned to checking for gaps against policy and standards - higher lever.
    MSc, BSc (Hons), AWS CSA, C-CISO, CISSP, CCSP, CCSK, CISM, CISA, CRISC, GSTRT, GSNA, GDSA, GCSA, GCCC, CEH, ECSA, CHFI, TOGAF, CISMP
Sign In or Register to comment.