Powershell : Password Reuse from Hash Values


Password reuse across multiple accounts remains a critical security vulnerability in enterprise environments. When attackers compromise one password, they can potentially access multiple accounts using the same credentials. This blog post explores a PowerShell script that analyzes the output from secretsdump file to identify password hash reuse across all Active Directory accounts.

Understanding the Problem

Active Directory stores password hashes (not actual passwords) for all domain accounts. When users set identical passwords on multiple accounts, these accounts will have identical hash values. By comparing these hashes, we can identify accounts that share the same password without knowing the actual password itself.

PowerShell NTDS Analysis

Our PowerShell script reads an extracted NTDS file outputted from secretdump.py and identifies accounts with matching password hashes, therefore this file is required for this script to work, this can he obtained from using the "Password Auditing" post on this blog.

Let's examine the key components:

Parsing the NTDS File outputted from secretsdump.py

The core of our script begins with parsing the NTDS file:

function Get-PasswordHashes {
    param (
        [string]$NTDSFilePath
    )

    # Read the NTDS file
    $ntdsData = Get-Content $NTDSFilePath
    $userHashes = @{}

    # Parse each line of the NTDS file
    foreach ($line in $ntdsData) {
        if ($line -match '^([^:]+):(\d+):([^:]+):([^:]+):::') {
            $user = $matches[1]
            $ntlmHash = $matches[4]
            
            # Skip the LM hash and empty NTLM hashes
            if ($matches[3] -eq "aad3b435b51404eeaad3b435b51404ee" -and 
                $ntlmHash -ne "31d6cfe0d16ae931b73c59d7e0c089c0") {
                $userHashes[$user] = $ntlmHash
            }
        }
    }
    return $userHashes
}

This function:

  • Reads the NTDS file line by line
  • Uses regular expressions to extract usernames and password hashes
  • Filters out LM hashes (legacy) and empty NTLM hashes
  • Creates a hashtable mapping usernames to their password hashes

Identifying Duplicate Hashes

Once we have all user hashes, we need to find duplicates:

# Create hash to users mapping
$hashToUsers = @{}

foreach ($user in $allUserHashes.Keys) {
    $hash = $allUserHashes[$user]
    
    if (-not $hashToUsers.ContainsKey($hash)) {
        $hashToUsers[$hash] = [System.Collections.ArrayList]@()
    }
    $null = $hashToUsers[$hash].Add($user)
}

# Filter to only duplicated hashes
$duplicateHashes = $hashToUsers.GetEnumerator() | 
    Where-Object { $_.Value.Count -gt 1 }

This code:

  • Creates a reverse mapping (hash to users)
  • Identifies which hashes are shared by multiple users
  • Filters the results to show only duplicated hashes

Analyzing and Reporting Results

The script provides detailed analysis and creates a CSV report:

foreach ($hashEntry in $duplicateHashes) {
    $hash = $hashEntry.Key
    $users = $hashEntry.Value
    
    foreach ($user in $users) {
        $isAdminAccount = $user -match "\\ADM"
        $otherUsers = $users | Where-Object { $_ -ne $user }
        
        $csvOutput += [PSCustomObject]@{
            Username = $user
            PasswordHash = $hash
            IsAdminAccount = $isAdminAccount
            SharedWith = ($otherUsers -join "; ")
            NumberOfAccountsSharing = $users.Count
        }
    }
}

$csvOutput | Export-Csv -Path "DuplicateHashChecker_AllUsers_$
(Get-Date -Format 'yyyyMMdd_HHmmss').csv" -NoTypeInformation

The output includes:

  • Usernames sharing the same password
  • The actual password hash (for reference)
  • Whether the account is an admin account
  • Which other accounts share the same password
  • Total number of accounts sharing the password

Security Implications

This script helps identify several security risks:

  1. Admin Account Compromises: When admin accounts share passwords with standard accounts, compromising a standard account can lead to privilege escalation.

  2. Lateral Movement: Shared passwords facilitate lateral movement within a network.

  3. Password Policy Weaknesses: Widespread password reuse may indicate ineffective password policies or user training.

Summary

Analyzing NTDS files for password reuse provides valuable insights into an organization's security posture. This PowerShell script offers a straightforward way to identify shared passwords without requiring specialized tools. Regular audits using this approach can help organizations identify and remediate password reuse risks before they're exploited by attackers.

Remember: This script requires appropriate permissions and should only be used in authorized security assessments. Always follow your organization's security policies when conducting password audits.

Previous Post Next Post

نموذج الاتصال