Get insights into the actual strength and quality of passwords in Active Directory.

This module is able to compare password hashes of enabled Active Directory users against bad/weak/non-compliant passwords (e.g. hackers first guess in brute-force attacks).

• Performs comparison against one or multiple wordlist(s).
  • This script does not transform input from the wordlists (such as transforming between upper/lower case). Each input from the wordlist is used as-is. Use other tools to generate more specialized wordlists if necessary. A PoC-script has been included (New-bADpasswordLists_EN.ps1) for basic wordlist generation.
• Performs additional comparison against publicly leaked passwords, see acknowledgements below.
• Performs password comparison against 'null' in the Active Directory (i.e. finds empty/null passwords).
• Performs password comparison between users in the Active Directory (i.e. finds shared passwords).
• Requires 'Domain Admin' privileges or similar, e.g. 'Domain Controller' or delegated Domain-level permissions for both "Replicating Directory Changes" and "Replicating Directory Changes All", to succesfully fetch passwords from the Active Directory database.
• Choose a Domain Controller or a member server (will become a Tier 0 system) for executing the script, e.g. as a Scheduled Task.

Microsoft Visual C++ Redistributable Package is required by our PSI DLL. This DLL is reponsible for parsing the leaked-password binary file and performing comparisons against it. The source code for the DLL can be found here.

• Go to Microsoft Latest Supported Visual C++ Download.
• Download and install the Visual Studio 2017 version of the Visual C++ Redistributable Package for your target platform:
  • For 32-bit systems: vc_redist.x86.exe
  • For 64-bit systems: vc_redist.x64.exe (recommended)
• No restart required.

Microsoft .NET Framework 4.5.1+ is required by the DSInternals 3.0 PowerShell module by Michael Grafnetter.

• Go to Microsoft .NET Framework 4.5 Download.
• Download and install the .NET Framework 4.5 in your preferred language.
• Might require a restart.

This module is used to query the Active Directory and fetch user information (SAM Account Name, E-mail, Password Hash, etc.). The source code for this module can be found here.

• Go to DSInternals 3.0 PowerShell Module Download.
• Download and install the DSInternals 3.0 PowerShell Module.
• No restart required.

Alternatively, you can install DSInternals 3.0 through PowerShellGet by running the following PowerShell command:

PS> Install-Module -Name DSInternals -Scope AllUsers

This file contains a binary packed list of leaked password hashes from the PwnedPasswords list published by Troy Hunt. The file is too big (13.5 GB) for GitHub (max 25 MB), so we host it on our SharePoint instead.

• Go to Improsec Leaked Password List.
• Download the leaked-passwords-v8.bin file:
  • SHA1: f4fe0b1cbbfd11bd6cd8fd4a28000cd61390104b.
• Place the file in the ./Accessible/PasswordLists/ folder.

Installing this framework is as simple as downloading the entire respository. However, you have to manually configure the following:

• Open 'Get-bADpasswords.ps1':
  • Navigate to the configuration-section and modify the variables to fit your needs, at least:
    • $domain_name
    • $naming_context
    • $mail_smtp
    • $mail_recipient
• (Optional) Modify the wordlists at ./Accessible/PasswordLists/*.txt to your own liking.

Since the desired options has already been selected during the configuration part of the install-section, you can go ahead and run the script:

PS> ./Get-bADpassword.ps1

• Jakob H. Heidelberg - Initial work -
• Valdemar Carøe - Script improvement & PSI-module development -
• Nichlas Falk - Script improvement -

This project is licensed under the BSD 3-Clause License - see the LICENSE.md file for details

• Michael Grafnetter for the amazing DSInternals framework
• Troy Hunt for the amazing PwnedPasswords list