DSInternals/Documentation/PowerShell/Test-PasswordQuality.md
2019-04-23 20:23:30 +02:00

6.8 KiB

external help file Module Name online version schema
DSInternals.PowerShell.dll-Help.xml DSInternals https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Test-PasswordQuality.md 2.0.0

Test-PasswordQuality

SYNOPSIS

Performs AD audit, including checks for weak, duplicate, default and empty passwords. Accepts input from the Get-ADReplAccount and Get-ADDBAccount cmdlets.

SYNTAX

Test-PasswordQuality [-Account] <DSAccount> [-SkipDuplicatePasswordTest] [-IncludeDisabledAccounts]
 [-WeakPasswords <String[]>] [-WeakPasswordsFile <String>] [-WeakPasswordHashesFile <String>]
 [-WeakPasswordHashesSortedFile <String>] [<CommonParameters>]

DESCRIPTION

The Test-PasswordQuality cmdlet is a simple tool for Active Directory password auditing. It can detect weak, duplicate, default, non-expiring or empty passwords and find accounts that are violating security best practices. The cmdlet accepts output of the Get-ADDBAccount and Get-ADReplAccount cmdlets, so both offline (ntds.dit) and online (DCSync) password analysis can be done.

Lists of leaked passwords that can be obtained from HaveIBeenPwned are fully supported. Be sure to download the list that is marked as "NTLM (ordered by hash)" and extract the archive to your HDD.

Although the cmdlet output is formatted in a human readable fashion, it is still an object, whose properties can be accessed separately (e.g. $result.WeakPassword) to produce a desired output. When scripted, it can be used to audit Active Directory passwords on a regular basis.

EXAMPLES

Example 1

PS C:\> Get-ADDBAccount -All -DBPath ntds.dit -BootKey acdba64a3929261b04e5270c3ef973cf |
            Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v4.txt
<# Sample Output

Active Directory Password Quality Report
----------------------------------------

Passwords of these accounts are stored using reversible encryption:
  smith
  doe

LM hashes of passwords of these accounts are present:
  hodge

These accounts have no password set:
  test01
  test02

Passwords of these accounts have been found in the dictionary:
  Administrator

These groups of accounts have the same passwords:
  Group 1:
    graham
    graham_admin
  Group 1:
    admin
    sql_svc01

These computer accounts have default passwords:
  DESKTOP27$

Kerberos AES keys are missing from these accounts:
  sql_svc01

Kerberos pre-authentication is not required for these accounts:
  jboss

Only DES encryption is allowed to be used with these accounts:
  sql_svc01

These administrative accounts are allowed to be delegated to a service:
  AdatumAdmin
  Administrator

Passwords of these accounts will never expire:
  admin
  sql_svc01

These accounts are not required to have a password:
  gonzales
#>

Performs an offline credential hygiene audit of AD database against HIBP.

Example 2

PS C:\> $results = Get-ADReplAccount -All -NamingContext 'DC=contoso,DC=com' -Server LON-DC1 |
                   Test-PasswordQuality -WeakPasswords 'Pa$$w0rd','April2019' -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v4.txt

Performs an online credential hygiene audit of AD against HIBP + a custom wordlist.

Example 3

PS C:\> $pwnedUsers = $accounts |
                      Test-PasswordQuality -WeakPasswordsFile rockyou.txt -SkipDuplicatePasswordTest |
                      Select-Object -ExpandProperty WeakPassword

Performs a dictionary attack against a set of accounts. The Test-PasswordQuality cmdlet always returns structured data.

Example 4

PS C:\> Get-ADDBAccount -All -DBPath ntds.dit -BootKey $key |
            where DistinguishedName -like '*OU=Employees,DC=contoso,DC=com' |
            Test-PasswordQuality -IncludeDisabledAccounts -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v4.txt

Performs an offline credential hygiene audit of a selected OU from AD database against HIBP.

PARAMETERS

-Account

Active Directory account to check. The accounts are typically piped in from the Get-ADDBAccount and Get-ADReplAccount cmdlets.

Type: DSAccount
Parameter Sets: (All)
Aliases: ADAccount, DSAccount

Required: True
Position: 0
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-IncludeDisabledAccounts

Process even accounts that are disabled. Such accounts are skipped otherwise.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SkipDuplicatePasswordTest

Do not compare account hashes with each other.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-WeakPasswordHashesFile

Path to a file that contains NT hashes of weak passwords, one hash in HEX format per line. For performance reasons, the -WeakPasswordHashesSortedFile parameter should be used instead.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-WeakPasswordHashesSortedFile

Path to a file that contains NT hashes of weak passwords, one hash in HEX format per line. The hashes must be sorted alphabetically, because a binary search is performed. This parameter is typically used with a list of leaked password hashes from HaveIBeenPwned.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-WeakPasswords

List of passwords that are considered weak, e.g. Password123 or April2019. If more than a handful passwords are to be tested, the WeakPasswordsFile parameter should be used instead.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-WeakPasswordsFile

Path to a file that contains weak passwords, one password per line.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS

DSInternals.Common.Data.DSAccount

OUTPUTS

DSInternals.PowerShell.PasswordQualityTestResult

NOTES

Get-ADDBAccount Get-ADReplAccount