Password reuse across multiple accounts remains a critical security vulnerability in enterprise environments. When attackers compromise one password, they can potentially access multiple accounts using the same credentials. This blog post explores a PowerShell script that analyzes the output from secretsdump file to identify password hash reuse across all Active Directory accounts.
Understanding the Problem
Active Directory stores password hashes (not actual passwords) for all domain accounts. When users set identical passwords on multiple accounts, these accounts will have identical hash values. By comparing these hashes, we can identify accounts that share the same password without knowing the actual password itself.
PowerShell NTDS Analysis
Our PowerShell script reads an extracted NTDS file outputted from secretdump.py and identifies accounts with matching password hashes, therefore this file is required for this script to work, this can he obtained from using the "Password Auditing" post on this blog.
Let's examine the key components:
Parsing the NTDS File outputted from secretsdump.py
The core of our script begins with parsing the NTDS file:
function Get-PasswordHashes {
param (
[string]$NTDSFilePath
)
# Read the NTDS file
$ntdsData = Get-Content $NTDSFilePath
$userHashes = @{}
# Parse each line of the NTDS file
foreach ($line in $ntdsData) {
if ($line -match '^([^:]+):(\d+):([^:]+):([^:]+):::') {
$user = $matches[1]
$ntlmHash = $matches[4]
# Skip the LM hash and empty NTLM hashes
if ($matches[3] -eq "aad3b435b51404eeaad3b435b51404ee" -and
$ntlmHash -ne "31d6cfe0d16ae931b73c59d7e0c089c0") {
$userHashes[$user] = $ntlmHash
}
}
}
return $userHashes
}
This function:
- Reads the NTDS file line by line
- Uses regular expressions to extract usernames and password hashes
- Filters out LM hashes (legacy) and empty NTLM hashes
- Creates a hashtable mapping usernames to their password hashes
Identifying Duplicate Hashes
Once we have all user hashes, we need to find duplicates:
# Create hash to users mapping
$hashToUsers = @{}
foreach ($user in $allUserHashes.Keys) {
$hash = $allUserHashes[$user]
if (-not $hashToUsers.ContainsKey($hash)) {
$hashToUsers[$hash] = [System.Collections.ArrayList]@()
}
$null = $hashToUsers[$hash].Add($user)
}
# Filter to only duplicated hashes
$duplicateHashes = $hashToUsers.GetEnumerator() |
Where-Object { $_.Value.Count -gt 1 }
This code:
- Creates a reverse mapping (hash to users)
- Identifies which hashes are shared by multiple users
- Filters the results to show only duplicated hashes
Analyzing and Reporting Results
The script provides detailed analysis and creates a CSV report:
foreach ($hashEntry in $duplicateHashes) {
$hash = $hashEntry.Key
$users = $hashEntry.Value
foreach ($user in $users) {
$isAdminAccount = $user -match "\\ADM"
$otherUsers = $users | Where-Object { $_ -ne $user }
$csvOutput += [PSCustomObject]@{
Username = $user
PasswordHash = $hash
IsAdminAccount = $isAdminAccount
SharedWith = ($otherUsers -join "; ")
NumberOfAccountsSharing = $users.Count
}
}
}
$csvOutput | Export-Csv -Path "DuplicateHashChecker_AllUsers_$
(Get-Date -Format 'yyyyMMdd_HHmmss').csv" -NoTypeInformation
The output includes:
- Usernames sharing the same password
- The actual password hash (for reference)
- Whether the account is an admin account
- Which other accounts share the same password
- Total number of accounts sharing the password
Security Implications
This script helps identify several security risks:
Admin Account Compromises: When admin accounts share passwords with standard accounts, compromising a standard account can lead to privilege escalation.
Lateral Movement: Shared passwords facilitate lateral movement within a network.
Password Policy Weaknesses: Widespread password reuse may indicate ineffective password policies or user training.
Summary
Analyzing NTDS files for password reuse provides valuable insights into an organization's security posture. This PowerShell script offers a straightforward way to identify shared passwords without requiring specialized tools. Regular audits using this approach can help organizations identify and remediate password reuse risks before they're exploited by attackers.
Remember: This script requires appropriate permissions and should only be used in authorized security assessments. Always follow your organization's security policies when conducting password audits.