Enforcing a strong password policy is crucial to safeguard organizational data and resources. One effective approach is to ensure that users are not using weak or commonly used passwords that are easily guessable. This can be achieved by comparing user password hashes in Active Directory (AD) against a list of banned passwords. In this blog, I’ll walk you through how to achieve this using PowerShell and the DSInternals module.
Prerequisites
Before we get started, make sure you have the following:
- DSInternals Module: This module provides access to various low-level AD features, including extracting password hashes. You can install it via PowerShell Gallery using the command: Install-Module -Name DSInternals
- Active Directory PowerShell Module: To interact with your AD environment.
- A List of Banned Passwords: Create a text file with passwords that you want to validate, such as common or weak passwords. The file should contain one password per line. You need to convert the banned password from normal text to hashes on https://www.infoalias.com/text-to-hash-converter/ Post converting into NTLM hashes, copy the result and put this in a txt file. in my case i have copied into banned txt file.
- Domain Admin Privileges: You need appropriate permissions to retrieve password hashes from the domain controller.
Powershell Script:
# Import the DSInternals module
Import-Module DSInternals
# Path to your banned passwords file
$bannedPasswordsFile = "C:\PS\banned.txt"
# Get the domain context
$domain = Get-ADDomain
$domainController = $domain.PDCEmulator
# Fetch password hashes from the domain controller
$passwordHashes = Get-ADReplAccount -All -Server $domainController -NamingContext $domain.DistinguishedName
# Load the banned passwords
$bannedPasswords = Get-Content $bannedPasswordsFile | ForEach-Object { $_.Trim().ToLower() }
# Function to convert byte array to hexadecimal string
function Convert-ByteArrayToHex {
param([byte[]]$byteArray)
# Check if byte array is null or empty
if ($null -eq $byteArray -or $byteArray.Length -eq 0) {
return $null
}
return [BitConverter]::ToString($byteArray).Replace("-", "").ToLower()
}
# Function to check if a password hash is banned
function Test-BannedPassword {
param($passwordHash)
# Check if the hash is in the list of banned passwords
foreach ($bannedPassword in $bannedPasswords) {
if ($passwordHash -eq $bannedPassword) {
return $true
}
}
return $false
}
# Check each account's password hash
foreach ($account in $passwordHashes) {
# Convert NTLM hash to hex and check for null
$hashHex = Convert-ByteArrayToHex -byteArray $account.NTHash
if ($hashHex -ne $null) {
# Check if the hash is in the banned list
if (Test-BannedPassword -passwordHash $hashHex) {
Write-Output "User $($account.SamAccountName) is using a banned password!"
}
}
}
How It Works
- DSInternals fetches the NTLM password hashes of all AD user accounts.
- We convert the password hashes into hexadecimal strings for easier comparison.
- A list of banned passwords is loaded from a file, and the script checks if any user’s password hash matches one from the banned list.
- If a match is found, the script outputs the user’s SamAccountName.
Security Considerations
- Run with Caution: Handling password hashes should be done securely. Ensure that this script is run in a controlled environment and that the results are appropriately handled.
- Regular Updates: Regularly update your banned password list with new weak or compromised passwords.
- Audit and Review: Implement regular password audits to ensure your security policies are adhered to.
Conclusion
This PowerShell script allows you to detect users in Active Directory using banned passwords based on their password hashes. It is a simple but effective way to enforce password security policies in your domain.
Implementing such checks periodically will significantly reduce the likelihood of users relying on weak passwords, improving the overall security posture of your organization.
You can also watch the video on youtube