CredDefense doesn't list DC's

[ddonders]

When running the CredDefense.exe and selecting the Password Filtering > Install/ Uninstall no Unconfigured DC's are listed.

The *.dll hasn't been previously deployed.

OS is Windows Server 2016.

Any idea what would cause this? Selecting the Password Auditing option it does enumerate the domain and DC.

Thanks for your feedback.

[fullmetalcache]

That is strange, nothing is under the "Configured" list either? Does the DC respond to a ping request? If not, that might be the issue. I believe I have a check under the Password Filtering option that it attempts to ping the DCs before listing them in either column. I should probably just take that check out.

Let me know please. Thanks!

On Wed, Oct 4, 2017 at 3:54 AM, ddonders notifications@github.com wrote:

When running the CredDefense.exe and selecting the Password Filtering > Install/ Uninstall no Unconfigured DC's are listed.

The *.dll hasn't been previously deployed.

OS is Windows Server 2016.

Any idea what would cause this? Selecting the Password Auditing option it does enumerate the domain and DC.

Thanks for your feedback.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/CredDefense/CredDefense/issues/5, or mute the thread https://github.com/notifications/unsubscribe-auth/ALb0HCHPmA3qfTxX9-DjlHf4CISzEN3pks5so1XGgaJpZM4PtXEs .

[ddonders]

Correct, nothing under configured either.

Doing this on a DEV DC, so running the tool locally.

[ddonders]

Today tried on a 2008R2 DC, same result DC not listed when trying to install.

[ddonders]

Followed the manual steps from the blog post

1. install .dll
2. copy \epf folder
3. add registry key
4. reboot

That appears to work.

[7MinSec]

Hey @ddonders I've got the same issue. Brand new 2012 DC in a test/dev lab, and the DC list is empty when I install CredDefense. When you say you followed manual steps from the blog post, were you referring to:

--

• Deploy the EasyPasswordFilter DLL to the %SystemRoot%\Windows\System32 directory on the target DC

• Deploy the password list to %SystemRoot%\epf folder on the target DC

• Add the EasyPasswordFilter value to the HKLM\System\CurrentControlSet\Control\Lsa\Notifications registry key on the target DC

I'm thinking I've done all these right but still have an empty DC list for CredDefense, so wondering if maybe I'm missing a step.

Thanks, Brian

[ddonders]

Hello Brian With manual deployment I mean implementing the Password Filter. It doesn't change the usage of the tool.

I've exchanged some messages using Twitter with one of the creators, @fullmetalcache, and they were going to remove a system live check in the tool. So far they haven't published that update yet.

[7MinSec]

@ddonders thank you!

If you get a minute would you mind detailing out your manual steps a little bit? As I mentioned, I'm running a standalone DC and attempting to install the tool but cannot for the life of me get the DC list to populate. Maybe I need to drop down and try a 2008R2 DC.

[ddonders]

Sure no problem. I tested on a Windows 2016 Server.

What I did is exactly the steps the program would do automatically. On a DC:

1. Copy the EasyPasswordFilter DLL to the System32 folder, file can be found in CredDefense-master\Build\x64
2. Create an epf folder in C:\Windows and copy epfdict/ exclude/ excludeupdated/ updated from CredDefense-master\Build\epf Add passwords you don't want to allow in epfdict
3. Registry key value change/ update HKLM\System\CurrentControlSet\Control\Lsa\Notifications Packages and add EasyPasswordFilter
4. Reboot the DC
5. Test

Good luck.

[7MinSec]

Thanks much. I did all the steps and am still seeing an empty DC list. Argh. Only thing I anticipate I could goof up is step 3, but that looks like this, right?

[ddonders]

This doesn't fix the CredDefense tool, the manual procedure should enable the password dictionary.

[7MinSec]

Hey sorry, I think my nose was so buried in this that I needed to take a step back. The manual steps we take install the filter and BYPASS the CredDefense GUI, yes? Sorry...in my head I was thinking that your manual install would make the GUI pick up on the missing DC and...yeah, I need sleep.

[fullmetalcache]

Hey Guys,

Sorry that it's been awhile with radio silence. We are hoping to be more active on this going forward.

I removed the code that checks if a system is reachable before adding it to the DCs list. This feature isn't in the Password Audit module and I am pretty sure it's what is causing the issue you are seeing. Here's a link to the commit:

https://github.com/CredDefense/CredDefense/commit/caf676ff17177be9ec868d118116da707c1ce580

Please let me know if that helps.

Thank you guys for your feedback!

[7MinSec]

Hey @fullmetalcache thanks for that change. I spun up a brand new 2012 server, made it into a DC, installed .Net and ran the installer but unfortunately I'm still seeing a blank "Unconfigured DC" list. Any other things I can test, logs I can post, etc. to help figure out what's up?

Thanks, Brian

[7MinSec]

For grins, I tried a fresh 2008R2 DC since I was working on another lab project this evening. Same exact issue.

Also, if it makes a difference, I tried out the password audit feature, and after selecting a password list and and output file, I get this upon continuing:

This wouldn't be related to the original issue would it?

[hackern0v1c3]

For what it's worth I'm seeing the same problem in a fresh install of server 2012 R2 in a lab environment. I installed Windows, set static IP, ran dc promo, rebooted, and tried installing password filtering. Nothing listed in the Unconfigured DCs column.

[7MinSec]

Thanks for verifying, @hackern0v1c3. Nice to know I'm not crazy (at least not totally).

[7MinSec]

Just thought I'd give this a bump.

BUMP

;-)

[ddonders]

Trying to get this post active again.

[ddonders]

For those interested and having an Azure AD subscription, MS released in preview a feature that should achieve the same.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad

[jrdnr]

Hey just ran into similar issues on a clean fresh install 2016 DC in my lab, but was an easy fix so maybe not the same problem.

Two points to keep in mind,

1. The tool uses Powershell under the hood, so script execution must be allowed.
2. This tool must write to protected portions of the OS, and while it is obvious the tool needs to run as admin, I realized it does not prompt to elevate.

So if you still having trouble try this:

1. Open Powershell and do Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
2. Then download the latest bits, and right-click to run as administrator and see if that makes everything just work.

[JacobPete]

Couple things I wanted to note for new users:

1. this is an awesome project! thanks to all that have contributed

2. I could not list DC's as well, I had a 2012 R2 server, but realized I was running the installer (CredDefense.exe) off the DC, I ran off a win10 workstation that I had joined to that domain and it worked perfect.

3. the installer installed the \epf folder off the root of the c:\ drive not in the c:\windows directory as noted in the manual install instructions.

4. I am not sure the the "excludeupdated.txt" and the "updated.txt" is for that is included in the install .zip.

thanks again for making this such a great project!

[jrdnr]

@JacobPete I did not do any work on building this so could be wrong, to your point

2. You will likely find if trying to run CredDefense.exe on a DC again, but run it as administrator, it should work just fine running from a DC. The catch is that CredDefense must run as an administrator for the work it does on the DC. When you log into windows with an admin account you are signed in with reduced privileges and must elevate to actually run anything with full admin rights. However PSRemoting connects with full admin rights. This means when you run the exe on a DC you have to right click and tell the system to run it as admin, but when you run it from a client with an account that has admin rights on a DC it is automatically elevated when it initiates the remote connection to the DC.

all else, good points