Is there a way to audit AD for a particular password?

Solution 1:

Here are a couple of ideas-- neither of them really very good (from the perspective that they might set off anti-virus or intrusion detection alarms):

  • You can dump the password hashes out of Active Directory and run a password cracker on them. Cain and Abel can do the cracking for you. You can get the hashes out with fgdump. Beware-- both of these utilities will probably set off alarm bells in your antivirus software.

  • You could write a simple script to iterate over the output of a user list, checking for valid passwords using the "NET USE" command. Use something like this:

    @echo off

    rem Destination path to "map" a "drive" to for password test
    set DESTPATH=\\SERVER\Share
    rem Drive letter used to "map" a "drive" to for password test
    SET DRIVE_LETTER=Q:

    rem NetBIOS domain name to test against
    set DOMAIN=DOMAIN

    rem File containing list of usernames, one per line
    SET USERLIST=userlist.txt

    rem Password to test
    SET PASSWORD=MyPa55word

    rem Output file
    SET OUTPUT=output.txt

    if exist "%DRIVE_LETTER%\." goto _letter_used

    rem delims= keeps the whole line, so a username containing a space is not truncated
    for /f "usebackq delims=" %%i in ("%USERLIST%") do (
        net use %DRIVE_LETTER% %DESTPATH% /USER:%DOMAIN%\%%i %PASSWORD% >nul 2>&1

        rem Redirect placed before the echo so a password ending in a digit is not read as a handle number
        if exist "%DRIVE_LETTER%\." (>>%OUTPUT% echo %%i password is %PASSWORD%)

        net use %DRIVE_LETTER% /d /y >nul 2>&1
    )

    goto end

    :_letter_used
    echo %DRIVE_LETTER% is already in use. Change it to a free drive letter and re-run.

    :end

Put the userlist into "userlist.txt" (one username per line), set the variables at the top of the script to refer to a path the user should be able to "map" a "drive" to, and make sure that the PC you're running it on doesn't have any other "drives" "mapped" to the destination server (since a Windows PC only allows one set of credentials to be used for SMB client connections to a given server at a time).

Like I said-- either method is probably not a great idea. >smile<

Solution 2:

There's no official way to view user passwords (it's possible, but you have to delve into ... security utilities). It's probably best to approach this from a password-age angle. It sounds as if you could compare the user creation date to the date the password was last changed, and if there's a match, toggle the 'password change on next login' field.
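
The password-age approach described above can be scripted against the ActiveDirectory module. The following PowerShell is an added example, not code from the answer: it lists enabled users whose PasswordLastSet falls within a few minutes of whenCreated (the sign that the initial password was never changed) and then sets "user must change password at next logon" for them. The 5-minute tolerance, the function name and the use of -WhatIf for a dry run are choices made here.

```powershell
# Added example: audit for accounts still on their initial password by
# comparing whenCreated with PasswordLastSet, then force a change at next logon.
# Assumes the RSAT ActiveDirectory module is installed and the caller has
# rights to read user attributes and to modify the flagged accounts.

Import-Module ActiveDirectory

function Get-UnchangedInitialPassword {
    param(
        # Defaults to the whole domain; narrow with an OU DN if needed (assumption)
        [string] $SearchBase = (Get-ADDomain).DistinguishedName,
        # Provisioning tools may set the password a little after object creation
        [int] $ToleranceMinutes = 5
    )
    # pwdLastSet -eq 0 means "must change at next logon" is already set, so
    # those accounts are skipped; PasswordLastSet is the DateTime view of it.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties whenCreated, PasswordLastSet, pwdLastSet |
    Where-Object {
        $_.pwdLastSet -ne 0 -and $null -ne $_.PasswordLastSet -and
        [math]::Abs(($_.PasswordLastSet - $_.whenCreated).TotalMinutes) -le $ToleranceMinutes
    } |
    Select-Object SamAccountName, whenCreated, PasswordLastSet,
        @{ n = 'DaysUnchanged'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } }
}

# Report first so the list can be reviewed...
$suspects = Get-UnchangedInitialPassword
$suspects | Sort-Object DaysUnchanged -Descending | Format-Table -AutoSize

# ...then force a password change at next logon. -WhatIf only shows what would
# change; remove it to apply. Note that AD refuses ChangePasswordAtLogon on an
# account that has PasswordNeverExpires set, so clear that flag first if present.
$suspects | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true -WhatIf
}
```

The match is on timestamps only, so it flags every account that has never changed its password since creation, whether or not that password was the default one; that is the trade-off the answer accepts in exchange for not handling passwords at all.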

Solution 3:

Create a share where you are asked for a password when doing net use. Then write a script that tries to map the share with all the usernames and the default pw. This way no logon is necessary and you will not break the policy.
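
The scripts in Solution 1 and Solution 3 both produce the same footprint: one workstation failing logons against many accounts within a few minutes, which is what an intrusion-detection rule keys on, and each failure also counts against the account lockout threshold. The PowerShell below is an added example, not part of either answer, showing how that pattern is found in Security event ID 4625 (failed logon) records on the file server that received the net use attempts. The sample events are constructed for offline use; the Get-WinEvent projection in the comment, and the 10-minute window and 5-account threshold, are assumptions made here.

```powershell
# Added example: flag a burst of failed logons from one source against many
# distinct accounts, the signature the net use loop above leaves in the
# Security log of the share's server (event 4625, logon type 3).

function Find-PasswordSprayPattern {
    param(
        # Objects with TimeCreated, TargetUserName, WorkstationName, IpAddress
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 10,          # assumption: sliding window size
        [int] $MinDistinctAccounts = 5      # assumption: alert threshold
    )
    $findings = @()
    foreach ($group in ($Events | Group-Object -Property WorkstationName)) {
        $sorted = @($group.Group | Sort-Object -Property TimeCreated)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            $accounts = @($inWindow | Select-Object -ExpandProperty TargetUserName -Unique)
            if ($accounts.Count -ge $MinDistinctAccounts) {
                $findings += [pscustomobject]@{
                    Source           = $group.Name
                    IpAddress        = $sorted[$i].IpAddress
                    WindowStart      = $start
                    DistinctAccounts = $accounts.Count
                    Accounts         = ($accounts -join ', ')
                }
                break   # one finding per source is enough for an alert
            }
        }
    }
    return $findings
}

# Live use (commented out, assumption): read the last hour of 4625 events and
# project the EventData fields the function needs.
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml()
#         $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
#         [pscustomobject]@{ TimeCreated = $_.TimeCreated; TargetUserName = $d.TargetUserName
#                            WorkstationName = $d.WorkstationName; IpAddress = $d.IpAddress }
#     }

# Constructed sample: ADMIN-PC fails against seven accounts in under two
# minutes (the script's pattern); HEIDI-PC has a single, unrelated failure.
$t0 = [datetime]'2024-01-01T09:00:00'
$sample = @()
$n = 0
foreach ($u in 'alice', 'bob', 'carol', 'dave', 'erin', 'frank', 'grace') {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(15 * $n); TargetUserName = $u
                                  WorkstationName = 'ADMIN-PC'; IpAddress = '10.0.0.15' }
    $n++
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); TargetUserName = 'heidi'
                              WorkstationName = 'HEIDI-PC'; IpAddress = '10.0.0.42' }

# Only ADMIN-PC is reported; HEIDI-PC stays below the threshold.
Find-PasswordSprayPattern -Events $sample | Format-Table -AutoSize
```

If you do run one of the share-mapping scripts as an authorised audit, this is the alert to expect (and to whitelist for the workstation and time window), and the account lockout threshold is the setting to check before the loop starts.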

Solution 4:

You should look at John the Ripper - it's a password-cracking utility. You can run it in dictionary attack mode, which takes a list of passwords from a text file. Your word list could consist of just your default password.

Should be quite fast, probably faster than the share + connect via password script proposed.