Extract the password hashes of all users in Active Directory: is it safe?

Hello,

Currently we are working on a monthly internal security test which, among other things, should contain a verification of the real strength of the passwords the users choose. For this reason the security team asked me to extract the password hashes of all users via LDAP.

What the security team wants to do is extract the hashes so that we can run a syllable attack against them to verify whether the passwords are really good or just technically good.

Is this method good and safe? I'm afraid the hashes could go into the wrong hands.

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I recommend looking at this article: https://www.experts-exchange.com/articles/33078/How-to-create-an-Intelligent-Password-Policy-for-Active-Directory.html?anchor=c2262812&notificationFollowed=213945133#c2262812
It explains how to do such a check yourself; you don't need to give it to them.

Author

Commented:
OK, what can I say to my security team to explain that it's bad to export user hashes?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
As said, it's not too complicated to do that check yourself - you don't need to trust a 3rd party here, so don't do it.
Adam Brown, Senior Systems Admin
CERTIFIED EXPERT
Top Expert 2010

Commented:

Allowing access to hashes via LDAP is also a horrible idea. Normally, only Domain Controllers have access to the hash data for accounts. This is an important security configuration that you should not change. There are applications and tools (like McKnife referenced), but hash checks/extraction should not be done remotely. Allowing remote access to hashes would make it very, very easy for an intruder to escalate privileges.

CERTIFIED EXPERT

Commented:
Is the 3rd party a reputable security company? Are they going to delete the hashes afterwards and make sure no hash is available for attackers or others to copy off their systems?

If you want to do it yourself, you just need to download the 11GB of hashes from haveibeenpwned and compare them with your users' hashes. Any hash found on the list means the user with that hash should change their password immediately.
Next you run a password cracker and see if any hashes were easier than expected to crack.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
is this method good and safe,
This method is something common that a hacker would take, so I can understand why they're requesting it.

I'm afraid the hash go in the wrong hand.
If the security team itself is making the request, then make sure that you have it in writing. If you feel uncomfortable with it, don't be afraid to go to your manager. If a 3rd party is requesting it, make sure you have in writing that they're authorized to get those hashes from the security team. That way, if anything happens, you have documentation. In either scenario, the responsibility falls on the security team as they're the ones authorizing things.

I'm a security person, and I would recommend against the exact path here. One time (or even annually) as part of an audit or exercise is one thing, but on the monthly basis? I get the spirit of what they want to do, but what would make more sense is actually enforcing a strong password policy. Users should be changing their passwords every so often anyway, so a better policy should be able to get enforced. Besides, with all of the reporting tools available for AD, you should be able to audit all sorts of *other* things very easily.

Example: A stronger password policy got implemented yesterday. Assuming that the time between password changes is 90 days, you know that all of the accounts within that policy should be in compliance after about 91 days (the few that haven't been changed should be forced to get changed).

Author

Commented:
Hello,

The problem today with the Active Directory password policy is that I don't have a way to apply a specific policy.

For example, my current policy is 12 characters and 90 days to change the password, but some users can choose this type of password:

If the company name is Contoso, some users choose passwords like:

ContosoJanuary2020
after 90 days
ContosoApril2020

Contoso@123456
....

Is there any way to prohibit some words?
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Your question goes sideways, now. Let's try and answer your original question, first.

I hope you understood that you don't have to rely on others to do meaningful tests. The link I gave you (and links within) are a good source, you should be able to test passwords within a day if you follow these instructions. In my opinion, it does not even matter what the other party would be able to do with these hashes - it's not worth considering that since you are able to do these tests by yourself.
--

To disallow password similarity, you need a 3rd party password solution. We use Anixis PPE for that.
To disallow certain words within the password, you could as well use Anixis PPE.
To disallow certain passwords that contain your company name altogether, you could create combinations like what you did with month, year, and so on and put those on a blacklist, but you would need to do that programmatically - reinventing the wheel, so to speak. Password policy solutions have all that ready for you and they don't cost much.
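The "do it programmatically" route from the reply above, as an added example that is not code from this thread or from any product mentioned in it: instead of enumerating ContosoJanuary2020, ContosoApril2020 and so on into a list, the check normalizes the candidate (lower-case, common digit/symbol substitutions folded back to letters) and then rejects anything that still contains the company name or consists of little more than a month name and a year. The company name, the extra banned words and the substitution table are all assumptions supplied by the caller; a real deployment would run a check like this inside an AD password filter DLL or a product such as PPE, not as a standalone script.

```python
"""Blacklist-style check for passwords built around the company name.

Added illustration only. Assumptions: the caller supplies the company name
and any extra banned words; LEET_MAP is a constructed, deliberately small
table of the substitutions users typically apply to get past a policy.
"""
import calendar
import re
from typing import Optional, Sequence

# Fold common substitutions back to letters so "C0nt0s0" matches "contoso".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# 'january' ... 'december' (calendar.month_name[0] is the empty string)
MONTHS = [m.lower() for m in calendar.month_name if m]


def normalize(password: str) -> str:
    """Lower-case the password and undo the substitutions in LEET_MAP."""
    return password.lower().translate(LEET_MAP)


def banned_reason(password: str, company: str,
                  extra_words: Sequence[str] = ()) -> Optional[str]:
    """Return why the password should be rejected, or None if it passes.

    Rule 1: the normalized password contains the company name or another
            banned word anywhere (covers Contoso@123456, C0nt0s0..., etc.).
    Rule 2: once month names and 4-digit years are stripped, fewer than four
            letters remain (covers January2020!, Summer-style fillers aside).
    """
    norm = normalize(password)
    for word in (company, *extra_words):
        if word.lower() in norm:
            return f"contains banned word '{word}'"
    rest = re.sub(r"(19|20)\d\d", "", norm)       # drop years 1900-2099
    for month in MONTHS:
        rest = rest.replace(month, "")            # drop month names
    rest = re.sub(r"[^a-z]", "", rest)            # keep only letters
    if len(rest) < 4:
        return "little more than a month name and a year"
    return None


if __name__ == "__main__":
    # Constructed candidates, including the ones quoted in the question.
    for candidate in ("ContosoJanuary2020", "Contoso@123456", "C0nt0s0-2021",
                      "January2020!", "correct horse battery staple"):
        verdict = banned_reason(candidate, "Contoso", extra_words=("password",))
        print(f"{candidate!r}: {'REJECT - ' + verdict if verdict else 'ok'}")
```

The substitution fold is what makes the list approach unnecessary: one rule covers every month/year/symbol variant of the company name at once, where a literal blacklist would need a new entry for each.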
CERTIFIED EXPERT

Commented:
You can't do quite that much fine tuning of password requirements with just AD.  You could get something like Password Policy Enforcer and set stricter requirements.  https://anixis.com/products/ppe/
CERTIFIED EXPERT

Commented:
As for changing passwords every 90 days, that's a terrible idea.  I don't believe in that and mainly run password crackers on my password hashes and forced people to change passwords if they were cracked.  If the passwords are strong enough, then you shouldn't have to force any sort of change.  Forcing users to change passwords that frequently just causes them to make easier passwords and do repetitive sequences.  It's easy enough to change your password 12 times or 20 times in 20 days to get your original password back.  I'd rather they set a strong password to start, at least during this narrow few years left before quantum computing really arrives on the scene to make current password access schemas entirely moot.

If you're still interested in testing passwords, you can do it yourself and download all the password hashes from https://haveibeenpwned.com/Passwords
The NTLM version 5 hash file is 7.63 GB and you can use that set to compare hashes with user hashes.  If any hashes match something in that hash list, the users should be forced to change their passwords immediately.

That's just the initial test.  You should also run a brute force password cracker on your user accounts.
CERTIFIED EXPERT

Commented:
@mcknife sorry, didn't see your post about Anixis until after I posted.  No points for my post on that subject please.