cawasaki

Extract the password hashes of all users in Active Directory: is it safe?

Hello,

Currently we are working on a monthly internal security test which, among other things, should contain a verification of the real strength of the passwords users choose. For this reason the security team asked me to extract the password hashes of all users via LDAP.

What the security team wants to do is extract the hashes so that we can run a syllable attack against them to verify whether the passwords are really good or just technically good.

Is this method good and safe? I'm afraid the hashes could end up in the wrong hands.
Tags: Windows OS, Active Directory, Security

Last comment: serialband, 8/22/2022 (Mon)
McKnife

I recommend looking at this article: https://www.experts-exchange.com/articles/33078/How-to-create-an-Intelligent-Password-Policy-for-Active-Directory.html?anchor=c2262812&notificationFollowed=213945133#c2262812
It explains how to do such a check yourself; you don't need to give it to them.
cawasaki

ASKER
OK, what can I say to my security team to explain that it's bad to export user hashes?
McKnife

As said, it's not too complicated to do that check yourself - you don't need to trust a 3rd party here, so don't do it.
Adam Brown

Allowing access to hashes via LDAP is also a horrible idea. Normally, only Domain Controllers have access to the hash data for accounts. This is an important security configuration that you should not change. There are applications and tools (like the one McKnife referenced), but hash checks/extraction should not be done remotely. Allowing remote access to hashes would make it very, very easy for an intruder to escalate privileges.

serialband

Is the 3rd party a reputable security company?  Are they going to delete the hashes afterwards and make sure no hash is available for attackers or others to copy off their systems?

If you want to do it yourself, you just need to download the 11GB of hashes from haveibeenpwned and compare them with your users' hashes.  Any hash found on the list means the user with that hash should change their password immediately.
Next you run a password cracker and see if any hashes were easier than expected to crack.
masnrock

is this method good and safe,
This method is a common one that a hacker would take, so I can understand the request.

I'm afraid the hash go in the wrong hand.
If the security team itself is making the request, then make sure that you have it in writing. If you feel uncomfortable with it, don't be afraid to go to your manager. If a 3rd party is requesting it, make sure you have in writing that they're authorized to get those hashes from the security team. That way, if anything happens, you have documentation. In either scenario, the responsibility falls on the security team as they're the ones authorizing things.

I'm a security person, and I would recommend against the exact path here. One time (or even annually) as part of an audit or exercise is one thing, but on a monthly basis? I get the spirit of what they want to do, but what would make more sense is actually enforcing a strong password policy. Users should be changing their passwords every so often anyway, so a better policy should be enforceable. Besides, with all of the reporting tools available for AD, you should be able to audit all sorts of *other* things very easily.

Example: A stronger password policy got implemented yesterday. Assuming that the time between password changes is 90 days, you know that all of the accounts within that policy should be in compliance after about 91 days (the few that haven't been changed should be forced to get changed).
cawasaki

ASKER
Hello

The problem today with the Active Directory password policy is that I don't have a way to apply a specific policy.

For example, my current policy is 12 characters and 90 days to change the password, but some users can choose this type of password:

If the company name is Contoso, some users choose passwords like:

ContosoJanuary2020
after 90 days
ContosoApril2020

Contoso@123456
....

Is there any way to prohibit some words?
ASKER CERTIFIED SOLUTION
McKnife

(Answer not shown: login required.)
serialband

You can't do quite that much fine tuning of password requirements with just AD.  You could get something like Password Policy Enforcer and set stricter requirements.  https://anixis.com/products/ppe/
serialband

As for changing passwords every 90 days, that's a terrible idea.  I don't believe in that and mainly run password crackers on my password hashes and force people to change passwords if they were cracked.  If the passwords are strong enough, then you shouldn't have to force any sort of change.  Forcing users to change passwords that frequently just causes them to make easier passwords and do repetitive sequences.  It's easy enough to change your password 12 times or 20 times in 20 days to get your original password back.  I'd rather they set a strong password to start, at least during this narrow few years left before quantum computing really arrives on the scene to make current password access schemas entirely moot.

If you're still interested in testing passwords, you can do it yourself and download all the password hashes from https://haveibeenpwned.com/Passwords
The NTLM version 5 hash list is 7.63 GB and you can use that set to compare against user hashes.  If any hashes match something in that hash list, the users should be forced to change their passwords immediately.

That's just the initial test.  You should also run a brute force password cracker on your user accounts.
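A defender-side version of the comparison serialband describes, as an added example that is not code from the thread or from haveibeenpwned: it streams a Pwned Passwords NTLM file (assumed here to be one `HASH:COUNT` entry per line) against a small in-memory map of usernames to NT hashes from the audit export, and returns the users whose password must be reset. The hash values in the sample data are constructed placeholders, not real NT hashes.

```python
import re
from typing import Dict, Iterable, Iterator, List, Tuple

# Assumed input format (not from the thread): the Pwned Passwords NTLM file
# has one "UPPERCASE_HEX_NT_HASH:PREVALENCE_COUNT" entry per line.
NT_HASH_RE = re.compile(r"^[0-9A-F]{32}$")

def parse_pwned_lines(lines: Iterable[str]) -> Iterator[Tuple[str, int]]:
    """Yield (nt_hash, count) pairs, skipping blank or malformed lines."""
    for raw in lines:
        hash_part, sep, count_part = raw.strip().partition(":")
        hash_part = hash_part.upper()
        if not sep or not NT_HASH_RE.match(hash_part) or not count_part.isdigit():
            continue  # ignore junk rather than abort a multi-GB scan
        yield hash_part, int(count_part)

def find_pwned_users(user_hashes: Dict[str, str],
                     pwned_lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (username, breach_count) for users whose NT hash is in the streamed list."""
    by_hash: Dict[str, List[str]] = {}  # several users may share one password
    for user, h in user_hashes.items():
        h = h.strip().upper()
        if not NT_HASH_RE.match(h):
            raise ValueError(f"{user}: not a 32-hex-digit NT hash")
        by_hash.setdefault(h, []).append(user)
    flagged = []
    # Only the small user index lives in memory; the big list is read once.
    for h, count in parse_pwned_lines(pwned_lines):
        for user in by_hash.get(h, ()):
            flagged.append((user, count))
    return sorted(flagged)

# Constructed sample data: placeholder hash values, not real NT hashes.
SAMPLE_PWNED = """
00000000000000000000000000000AAA:23597
00000000000000000000000000000BBB:1
this line is malformed
00000000000000000000000000000CCC:42
""".splitlines()
SAMPLE_USERS = {
    "alice": "00000000000000000000000000000aaa",
    "bob": "00000000000000000000000000000ccc",
    "carol": "00000000000000000000000000000ddd",
    "dave": "00000000000000000000000000000aaa",
}

if __name__ == "__main__":
    for user, count in find_pwned_users(SAMPLE_USERS, SAMPLE_PWNED):
        print(f"{user}: hash seen {count} times in breach data, force a change")
```

For the real download, pass an open file object instead of `SAMPLE_PWNED` so the file is streamed line by line.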
serialband

@McKnife sorry, didn't see your post about Anixis until after I posted.  No points for my post on that subject please.