GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → Ne0nd0g → ADPasswordHealth

Ne0nd0g / ADPasswordHealth

Licence: other
A tool to evaluate the password health of Active Directory accounts.

Programming Languages

python
139335 projects - #7 most used programming language

Labels

metricspassword

Projects that are alternatives of or similar to ADPasswordHealth

cracker-ng
ZIP cracker, CCRYPT cracker, and others to come.
Stars: ✭ 60 (+81.82%)
Mutual labels:  password
emq exporter
Simple server that scrapes EMQ metrics and exporters them via HTTP for Prometheus consumption
Stars: ✭ 31 (-6.06%)
Mutual labels:  metrics
Hystrix.Dotnet
A combination of circuit breaker and timeout. The .net version of the open source Hystrix library built by Netflix.
Stars: ✭ 88 (+166.67%)
Mutual labels:  metrics
laravel-pwned-passwords
Simple Laravel validation rule that allows you to prevent or limit the re-use of passwords that are known to be pwned (unsafe). Based on TroyHunt's Have I Been Pwned (https://haveibeenpwned.com)
Stars: ✭ 67 (+103.03%)
Mutual labels:  password
chia-monitor
🍃 A comprehensive monitoring and alerting solution for the status of your Chia farmer and harvesters.
Stars: ✭ 131 (+296.97%)
Mutual labels:  metrics
twitter-analytics-wrapper
A simple Python wrapper to download tweets data from the Twitter Analytics platform. Particularly interesting for the impressions metrics that are unavailable on current Twitter API. Also works for the videos data.
Stars: ✭ 44 (+33.33%)
Mutual labels:  metrics
pwnedpasswords
A wrapper for PwnedPasswords API by Troy Hunt (haveibeenpwned.com).
Stars: ✭ 14 (-57.58%)
Mutual labels:  password
cv4pve-metrics
Metrics for Proxmox VE, Grafana with dasboard, InfluxDb
Stars: ✭ 38 (+15.15%)
Mutual labels:  metrics
page-timing
⏱ Measure browser timing and do something with it
Stars: ✭ 19 (-42.42%)
Mutual labels:  metrics
tellery
Tellery lets you build metrics using SQL and bring them to your team. As easy as using a document. As powerful as a data modeling tool.
Stars: ✭ 219 (+563.64%)
Mutual labels:  metrics
resoto
Resoto - Find leaky resources, manage quota limits, detect drift, and clean up!
Stars: ✭ 562 (+1603.03%)
Mutual labels:  metrics
disent
🧶 Modular VAE disentanglement framework for python built with PyTorch Lightning ▸ Including metrics and datasets ▸ With strongly supervised, weakly supervised and unsupervised methods ▸ Easily configured and run with Hydra config ▸ Inspired by disentanglement_lib
Stars: ✭ 41 (+24.24%)
Mutual labels:  metrics
KafKare
A Kafka monitoring dashboard
Stars: ✭ 87 (+163.64%)
Mutual labels:  metrics
auth0-instrumentation
The goal of this package is to make it easier to collect information about our services through logs, metrics and error catching.
Stars: ✭ 18 (-45.45%)
Mutual labels:  metrics
vault-desktop
🔑 [really] safe password management desktop UI
Stars: ✭ 12 (-63.64%)
Mutual labels:  password
genpw
Password Generator
Stars: ✭ 32 (-3.03%)
Mutual labels:  password
druid-prometheus-exporter
Service to collect Apache Druid metrics and export them to Prometheus
Stars: ✭ 14 (-57.58%)
Mutual labels:  metrics
docker-jmx-prometheus-exporter
Dockerized jmx-exporter for prometheus
Stars: ✭ 24 (-27.27%)
Mutual labels:  metrics
PasswordGenerator
A simple C# helper class for ASP.NET Core to generate a random password with custom strength requirements: min length, uppercase, lowercase, digits & more
Stars: ✭ 27 (-18.18%)
Mutual labels:  password
rust-statsd-server
A statsd server implemented in Rustlang
Stars: ✭ 16 (-51.52%)
Mutual labels:  metrics
View All Similar Projects ➔

ADPasswordHealth

A tool to evaluate the password health of Active Directory accounts. This script will take a list of accounts, a list of cracked passwords, and a list of password rules to determine the health of Active Directory accounts. It will identify weak passwords leveraging user defined rules such as common words and or password length.

Running the script will produce two output files

Secrets Dump

Use Impacket's secretdsdump.py to extract hashes from Active Directory using either the online or offline method.

Example online extraction command:

python secretsdump.py -output secretsdump_example -pwd-last-set -user-status acme.com\Administrator:[email protected]

The -user-status and -pwd-last-set flags are optional, but increase the effectiveness of data manipulation

The resulting output file will be provided to this script using the -S flag. There is an example file here: Examples/secretsdump_example.ntds

John the Ripper

Crack by running:

john --format=nt --wordlist=rockyou.txt secretsdump_example.ntds

Create an output file of all the cracked NTLM hashes with:

john --format=nt --show secretsdump_example.ntds > cracked_ntlm

The resulting output file will be provided to this script using the -J flag. There is an example file here: Examples/cracked_ntlm.txt

Active Directory User Information

Additional Active Directory account information can be passed in to enrich the output file form this script. The input file must be in CSV format and must contain a column named SamAccountName, used to match the user accounts. There is an example file in Examples/Get-ADUser.csv directory.

One way to get this type of additional data is to use the PowerShell Get-ADUser cmdlet and export the results to a CSV. You can install the Active Directory PowerShell module on your workstation using this blog post: https://4sysops.com/archives/how-to-install-the-powershell-active-directory-module/.

An example command to generate the CSV file:

Get-ADUser -Filter * -Server acme.com -Properties SamAccountName,City, Department|Select-Object -Property SamAccountName,City,Department| Export-Csv -NoTypeInformation -Path C:\Get-ADUser.csv

Password Rules

This script leverages a list of common words to determine if a cracked password is weak. The file is found at Examples/password_rules.txt. This list of rules can be changed by the user by running the script with the -R flag. The provided list contains simple words such as password or summer. If the word is found in ANY part of the recovered password, it will be marked as weak. This isn't always ideal as a password of 3f8!$%Winter33432* would be flagged. However, experience has shown that this is typically an edge case.

Pro Tip: Add the company name to the password rules files to identify common passwords such as Acme1234

Password Length

This script will evaluate recovered passwords to determine if the length of the cracked password is considered to be weak. The default is passwords that are less than eight characters (i.e. passwords that are only seven characters long). This can be changed with the -N flag.

Experience has shown that the password for old accounts and/or administrative accounts don't always follow the domain's password policy.

Password Compromise

The script can be run with the --pwned flag to test the recovered passwords against the Have I Been Pwned API. Recovered passwords will be labeled compromised if they are discovered in the HiBP password dump.

Exclude Passwords

The script can be run with the -E flag to exclude the password hashes and cracked passwords from being included in the output files. This is useful when the files are delivered to departments as part of reporting.

Machine Accounts

Active Directory stores information for both user and machine accounts. On average, the machine account information isn't valuable. By default, the script does not include information about machine accounts. The --machine flag can be provided to include information on machine accounts.

Experience has shown that sometimes machine accounts have weak passwords. This could be fruitful for a penetration tester.

Output

The output files will always start with ADPassHealth_ followed by a time stamp and end with either Data.csv or Metrics.csv (i.e. ADPassHealth_20170907-223411-Data.csv). There is an example of each in the Examples directory.

alt text

Metrics

  • If the LM hash is blank (i.e. AAD3B435B51404EEAAD3B435B51404EE), it is not counted. This is to say that the account is currently configured with a LM password hash and we want to know that.
  • 'local' accounts are any accounts that were not prepended with a domain name (i.e. acme.com\Bella would not be local)
  • Machine accounts are any account names that end with $

alt text

Image was edited

Examples

The Examples directory contains example files that can be used to test the script.

  • ADPassHealth_20170910-135811-Data.csv - An example of the output data file.
  • ADPassHealth_20170910-135811-Metrics.csv - An example of the output metrics file.
  • cracked_ntlm.txt - An example of the output from John using the --show command to show cracked hashes from secretsdump_example.ntds.
  • Get-ADUser.csv - An example of the output from the PowerShell Get-ADUser cmdlet.
  • password_rules.txt - An example list of password rules used to determine if a password is weak. This is the default file if one isn't provided.
  • secretsdump_example.ntds - An example file of the output from Impacket's secretsdump.py.
  • source_data.xlsx - An Excel file used to generate usernames, passwords, hashes, domains, machine accounts, city, and department information.

Usage

Example command:

python ADPasswordHealth.py -J Examples/cracked_ntlm.txt -S Examples/secretsdump_example.ntds -A Examples/Get-ADUser.csv -O ./Examples/ --machine

usage: ADPasswordHealth.py [-h] -J JOHN -S SECRETS [-R RULES] [-A ADUSERINFO]
                           [-N NUMBER] [-M] [-E] [--machine] -O OUTPUT
                           [--verbose] [--debug] [--pwned]

optional arguments:
  -h, --help            show this help message and exit
  -J JOHN, --john JOHN  A file with the output from John using the --show flag
                        or hashes in this format ACME.COM\john:cracke
                        dPassword:RID:LMHash:NTLMHash::: (pwdLastSet)
                        (status). The pwdLastSet and status parts are
                        optional.
  -S SECRETS, --secrets SECRETS
                        The output from extracting a NTDS.dit file using
                        secretsdump.py. Example command is:
                        secretsdump.py -outputfile secretsdump_acme
                        -pwd-last-set -user-status
                        acme.com\[email protected]
  -R RULES, --rules RULES
                        A file containing a list of words, each on a new line,
                        that are used as rules to determine if a password is
                        weak. NOTE: if the cracked password contains the word,
                        is deemed weak.
  -A ADUSERINFO, --aduserinfo ADUSERINFO
                        An optional data set in the form of CSV output from
                        PowerShell Get-ADUser user command. Example
                        command: Get-ADUser -Filter * -Server acme.com
                        -Properties SamAccountName,City,Department|Select-
                        Object -Property SamAccountName,City,Department
                        |Export-Csv -NoTypeInformation -Path C:\Get-
                        ADUser.csv
  -N NUMBER, --number NUMBER
                        Find all instances where the cracked password is less
                        than the passed in number. Default is 8
  -M, --metrics         Disable the calculation of metrics of AD password
                        health data.
  -E, --exclude         Exclude cracked password from output
  --pwned               Check cracked passwords against Have I Been Pwned API
  --machine             Include machine accounts in results
  -O OUTPUT, --output OUTPUT
                        Output directory
  --verbose             Enable verbose Output
  --debug               Enable debug output
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].