NebulousAD v1.1: automated credential auditing tool

NuID Active Directory Hashcheck Tool

At a high level, NebulousAD has three functions:

1. Extract user passwords from an AD domain in their native NTLM hash format and output them into a csv or json file (for this step we use the popular Impacket tool).
2. Wrap the NTLM hashes in a more secure SHA-2 hash.
3. Submit the SHA-2(NTLM(password)) hashes to our API, which queries our database of breached passwords and returns a YES/NO status for each hash depending on if a match was found.

Changelog v1.1

This release adds a few bug fixes, as well as adding support for k-Anon functionality.
k-Anon is now enabled by default but can be disabled (to speed up the audit) with –disable-k-anon.

-snap

The -snap param will automatically snapshot Active Directory (using ntdsutil.exe), and dump the ntds.dit file as well as the SYSTEM registry hive, if you have the privileges. You can dump this manually using any variety of methods or the ntdsutil.exe tool.

If dumping manually you can point to the files with -system path\to\SYSTEM and -ntds path\to\ntds.dit. This is useful if you want to audit old snapshots.

-check

This requires an API key from https://nebulous.nuid.io/#/register. Once you have that and installed with -init-key, you can check the hashes against the NuID API. If you have specified -history it will also check each accounts password history to see if there was a password the user previously used that was compromised.

-user-status

Adds output indicating whether or not the account is Enabled or Disabled in Active Directory

-pwd-last-set

Adds output indicating the date the account’s password was the last set. This can be useful in detecting violations of security policy of accounts that do not get reset automatically as defined in GPO, such as Service Accounts.

-history

Also, audit or dump the accounts stored password history

-shred

Use a DoD 7 pass overwrite when wiping snapshots. This requires having sdelete.exe in your path. You can get that here:https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete

Just download that and place it in your %SYSTEMDRIVE\Windows\System32\ directory, or set up the environment variable.

-clean-old-snaps

Useful on cleaning backups when setting this application to run with the Task Scheduler. The SYSTEM hive and .dit file can be rather large in bigger domains and take a good amount of disk space. If you use Task Scheduler to make a daily audit, you can use this option like so: -clean-old-snaps 7 to only store 1 week worth of snapshots.

-no-backup

If we detect an old snapshot, we back it up to %SYSTEMDRIVE%\Program Files\NuID\snapshot-backups by default. This is due to ntdsutil.exe requiring an empty directory. If you want to disable this backup and just wipe the current snapshot, use this argument.

Download

Copyright (c) 2019 NuID, Inc.