A weak password is one of the most common vulnerabilities exploited by threat actors to gain initial access to a system and then move laterally across the network in search of higher-value targets. After obtaining an initial foothold in a Microsoft Windows environment, for instance, a threat actor will typically attempt to extract the password hashes loaded into the compromised system's memory and either crack them offline or use them in a pass-the-hash attack against another Microsoft Windows system. The game usually ends with the threat actor compromising the Microsoft Active Directory domain controllers and extracting the NTDS.dit file, which stores Active Directory information, including all password hashes for the domain. There are, of course, many other ways in which threat actors can achieve their actions on objectives. Still, this very common attack lifecycle has been successfully replayed by penetration testers across many industries for years on end.
One of the measures that organizations use to maximize security is to perform regular password security audits. A password security audit helps identify compromised, reused, and weak passwords by examining each account password against a list of vulnerable passwords. In general, a password security audit can help reveal:
Passwords reused between regular and administrator accounts
Passwords reused across accounts assigned to different individuals
This blog will show you how to use Gigasheet to quickly conduct a Windows password security audit without the need for third-party software installed in your Active Directory servers. We will compare a list of Windows NTLM password hashes against a password dump obtained from a public repository and identify vulnerable passwords. Although this blog focuses on Windows hashes, you can apply these steps to audit any password and password hash type.
The first step is to extract the NTDS.dit file from Microsoft Active Directory. We do not cover this step in this blog because many online resources (like this one) already explain how to do it. However, we recommend that you temporarily store the NTDS.dit file in a "clean" system and delete it entirely after the audit is complete.
Next, you need to convert each password in the password dump file to an NTLM hash using your favorite NTLM hash generator. I used NTLMme.py, a script written in Python 3 that reads the clear-text passwords and writes the corresponding hashes to an output file.
After completing the first two steps, we should have two CSV files, one with the NTDS.dit hashes and the other with the password dump hashes.
Using Gigasheet's timeline feature, we can combine the two files and create a time-ordered list of events from these two data sources. However, because Gigasheet uses timestamps to order the events, we need to add a column to each file containing bogus timestamps. The timestamp column has no real significance in this scenario because it is only used to join the two files.
After uploading the two files to Gigasheet, we can merge the files and create a timeline summary of events, then begin the audit.
The resulting Summary column in the timeline file contains the NTDS.dit and password dump hashes, but it also includes the timestamp value, which we need to eliminate. We can use Gigasheet's "split column" feature to split the Summary column using || as a delimiter, which will move the password hashes into a separate column.
With the NTDS.dit and password dump hashes in a separate column, we can group the Summary–Summary_Split_2 column by unique values to identify duplicate hashes.
Grouping the hashes by unique value quickly revealed four duplicate password hashes, resulting in four potentially leaked passwords and one password reused between two different user accounts.