Get-bADpasswords: Get insights into the actual strength and quality of passwords in Active Directory


Get-bADpasswords

Get insights into the actual strength and quality of passwords in Active Directory.

This module compares the password hashes of enabled Active Directory users against bad/weak/non-compliant passwords (e.g. a hacker's first guesses in a brute-force attack).

  • Performs a comparison against one or more wordlists.
    • This script does not transform input from the wordlists (such as transforming between upper/lower case). Each input from the wordlist is used as-is. Use other tools to generate more specialized wordlists if necessary. A PoC-script has been included (New-bADpasswordLists_EN.ps1) for basic wordlist generation.
  • Performs additional comparison against publicly leaked passwords, see acknowledgments below.
  • Performs password comparison against ‘null’ in the Active Directory (i.e. finds empty/null passwords).
  • Performs password comparison between users in the Active Directory (i.e. finds shared passwords).
  • Requires ‘Domain Admin’ privileges or similar, e.g. ‘Domain Controller’ or delegated Domain-level permissions for both “Replicating Directory Changes” and “Replicating Directory Changes All”, to successfully fetch password hashes from the Active Directory database (the same rights a DCSync-style replication needs).
  • Choose a Domain Controller or a member server (will become a Tier 0 system) for executing the script, e.g. as a Scheduled Task.
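The four checks listed above (wordlist match, leaked-hash match, empty password, shared password) all reduce to comparing NT hashes, i.e. MD4 over the UTF-16LE encoding of the password. The following is an added example written for this page, not the Get-bADpasswords module's own code. It assumes the hashes have already been pulled from the directory (the replication step is out of scope here) and runs the comparison offline on a constructed sample; the user names, wordlist and "leaked" hashes are made up for the demo. MD4 is implemented in pure Python because `hashlib` frequently lacks it under OpenSSL 3. Note that, like the module, it uses wordlist entries as-is: `summer2024` is not flagged when only `Summer2024` is in the list.

```python
"""Offline NT-hash audit: wordlist, leaked hashes, empty and shared passwords.
Added example for this page; not Get-bADpasswords' own code."""
import struct
from collections import defaultdict

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used because hashlib.md4 is often unavailable."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, word order, per-step shifts, additive constant)
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = _lrot((a + fn(b, c, d) + X[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate registers for the next step
        A, B, C, D = (A + a) & MASK32, (B + b) & MASK32, (C + c) & MASK32, (D + d) & MASK32
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as lowercase hex."""
    return md4(password.encode("utf-16le")).hex()


EMPTY_NT = nt_hash("")   # 31d6cfe0d16ae931b73c59d7e0c089c0, the well-known empty-password hash


def audit(users, wordlist, leaked_hashes):
    """users: {sAMAccountName: NT hash hex}; wordlist: plaintexts used exactly as given;
    leaked_hashes: NT hashes (hex, any case) from a breach list such as HIBP's NTLM file."""
    users = {u: h.lower() for u, h in users.items()}
    leaked = {h.lower() for h in leaked_hashes}
    words = {nt_hash(w): w for w in wordlist}          # hash the wordlist once, no transforms
    by_hash = defaultdict(list)
    for u, h in users.items():
        by_hash[h].append(u)
    return {
        "weak": {u: words[h] for u, h in users.items() if h in words},
        "leaked": sorted(u for u, h in users.items() if h in leaked),
        "empty": sorted(u for u, h in users.items() if h == EMPTY_NT),
        "shared": sorted(sorted(g) for g in by_hash.values() if len(g) > 1),
    }


# Constructed sample data (not a real dump); the hashes are computed here for the demo.
SAMPLE_USERS = {
    "alice": nt_hash("Summer2024"),    # matches a wordlist entry
    "bob":   nt_hash("password"),      # matches the leaked-hash list
    "carol": nt_hash(""),              # empty password
    "dave":  nt_hash("Tr0ub4dor&3"),   # same password as erin
    "erin":  nt_hash("Tr0ub4dor&3"),
    "frank": nt_hash("summer2024"),    # NOT flagged: wordlist entries are used as-is
}
SAMPLE_WORDLIST = ["Summer2024", "Winter2024", "Passw0rd"]
# Leaked lists such as HIBP's NTLM file are uppercase hex; both entries are constructed here.
SAMPLE_LEAKED = {"8846F7EAEE8FB117AD06BDD830B7586C", nt_hash("P@ssw0rd").upper()}

if __name__ == "__main__":
    for category, hits in audit(SAMPLE_USERS, SAMPLE_WORDLIST, SAMPLE_LEAKED).items():
        print(f"{category:7s} {hits}")
```

Reporting the matched plaintext (as `weak` does) is convenient for a demo but should be dropped or redacted in a scheduled report on a real domain; the hash-only findings (`leaked`, `empty`, `shared`) are enough to drive a password reset.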

Download && Use

Copyright (c) 2018, Improsec ApS All rights reserved.