phillips321 / adaudit

Powershell script to do domain auditing automation
https://www.phillips321.co.uk

Include DSInternals? #23

Closed Cool34000 closed 2 years ago

Cool34000 commented 2 years ago

Hi,

I'm testing DSInternals PS Module and I found it very nice. https://github.com/MichaelGrafnetter/DSInternals

It quickly generates a password quality report like this (empty for this example) :

Active Directory Password Quality Report
----------------------------------------

Passwords of these accounts are stored using reversible encryption:

LM hashes of passwords of these accounts are present:

These accounts have no password set:

Passwords of these accounts have been found in the dictionary:

These groups of accounts have the same passwords:

These computer accounts have default passwords:

Kerberos AES keys are missing from these accounts:

Kerberos pre-authentication is not required for these accounts:

Only DES encryption is allowed to be used with these accounts:

These accounts are susceptible to the Kerberoasting attack:

These administrative accounts are allowed to be delegated to a service:

Passwords of these accounts will never expire:

These accounts are not required to have a password:

These accounts that require smart card authentication have a password:

It's easy to install as it's in PSGallery (at least for WS 2016+):

```powershell
Install-Module -Name DSInternals
```

It would be great to add this toy to go deeper in password auditing, but I don't know how much to integrate it as it needs to be installed first.

What do you think about it? I think the better way to integrate it would be to do the checks only if the module is found and tell the user to download/install it manually if not present (I wouldn't like a script to do this for me)

Cool34000 commented 2 years ago

Simple check:

```powershell
# Run on a DC (or replace $env:ComputerName with a DC name); the account needs
# directory replication rights, since Get-ADReplAccount pulls the password hashes.
Get-ADReplAccount -All -Server $env:ComputerName -NamingContext $(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName) |
    Test-PasswordQuality -IncludeDisabledAccounts
```

If you downloaded the HaveIBeenPwned hash file (30GB once unzipped!), you can also search for weak passwords:

```powershell
# The "ordered-by-hash" NTLM list can also be passed as -WeakPasswordHashesSortedFile,
# which lets DSInternals binary-search it instead of reading the whole file.
Get-ADReplAccount -All -Server $env:ComputerName -NamingContext $(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName) |
    Test-PasswordQuality -IncludeDisabledAccounts -WeakPasswordHashesFile "C:\Path\to\pwned-passwords-ntlm-ordered-by-hash-v8.txt"
```

Cool34000 commented 2 years ago

So, I've added the DSInternals PS module as an optional check. If not installed, you can force install with -installdeps. It is not included if you use the -all flag. Choice is yours!

You need at least PowerShell 5 to install DSInternals module.
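The optional-check behaviour discussed in this thread (run DSInternals only if the module is present, tell the user to install it manually otherwise, install it only when an install-deps switch is given, and require PowerShell 5) put together in one script. This is an added example written for this page, not adaudit's own code; the parameter names (-InstallDeps, -WeakPasswordHashesFile, -OutputDir), the function name, the output file name and the filename heuristic for choosing the sorted-hash parameter are illustrative assumptions.

```powershell
# Added example, not part of adaudit: optional DSInternals password-quality check.
# Assumed, illustrative names: -InstallDeps, -WeakPasswordHashesFile, -OutputDir,
# Invoke-DSInternalsPasswordAudit, dsinternals_password_quality.txt.
[CmdletBinding()]
param(
    [switch]$InstallDeps,                 # install DSInternals from PSGallery if missing
    [string]$WeakPasswordHashesFile,      # optional HIBP NTLM list (plain or ordered-by-hash)
    [string]$OutputDir = '.'
)

function Invoke-DSInternalsPasswordAudit {
    [CmdletBinding()]
    param(
        [switch]$InstallDeps,
        [string]$WeakPasswordHashesFile,
        [string]$OutputDir = '.'
    )

    # DSInternals (and Install-Module itself) need PowerShell 5 or later.
    if ($PSVersionTable.PSVersion.Major -lt 5) {
        Write-Warning "DSInternals check skipped: PowerShell 5+ required (running $($PSVersionTable.PSVersion))."
        return
    }

    # Only run when the module is present; never install behind the user's back
    # unless -InstallDeps was given explicitly.
    if (-not (Get-Module -ListAvailable -Name DSInternals)) {
        if (-not $InstallDeps) {
            Write-Warning 'DSInternals check skipped: module not installed. Install it manually with "Install-Module -Name DSInternals" or re-run with -InstallDeps.'
            return
        }
        Write-Host '[*] DSInternals not found, installing from PSGallery (-InstallDeps given)'
        try {
            Install-Module -Name DSInternals -Scope CurrentUser -Force -ErrorAction Stop
        } catch {
            Write-Warning "Install-Module failed: $($_.Exception.Message)"
            return
        }
    }
    Import-Module DSInternals -ErrorAction Stop
    Import-Module ActiveDirectory -ErrorAction Stop

    # Replicate all account objects (including password hashes) from the PDC emulator.
    # This needs directory replication rights, i.e. the same rights a DCSync needs,
    # so expect an access-denied error unless run as a domain administrator.
    $domain   = Get-ADDomain
    $accounts = Get-ADReplAccount -All -Server $domain.PDCEmulator -NamingContext $domain.DistinguishedName

    # Build the Test-PasswordQuality arguments; include disabled accounts as in the thread.
    $tpqParams = @{ IncludeDisabledAccounts = $true }
    if ($WeakPasswordHashesFile) {
        if (-not (Test-Path -LiteralPath $WeakPasswordHashesFile)) {
            Write-Warning "Weak-hash file not found: $WeakPasswordHashesFile. Running without it."
        } elseif ($WeakPasswordHashesFile -match 'ordered-by-hash') {
            # Assumed heuristic: the HIBP "ordered-by-hash" list is sorted, so the
            # sorted-file parameter lets DSInternals binary-search it instead of
            # reading the whole ~30GB file.
            $tpqParams['WeakPasswordHashesSortedFile'] = $WeakPasswordHashesFile
        } else {
            $tpqParams['WeakPasswordHashesFile'] = $WeakPasswordHashesFile
        }
    }

    $report = $accounts | Test-PasswordQuality @tpqParams

    # Save the human-readable report (same layout as the one quoted above in the thread).
    $reportFile = Join-Path -Path $OutputDir -ChildPath 'dsinternals_password_quality.txt'
    $report | Out-String -Width 4096 | Set-Content -Path $reportFile
    Write-Host "[+] DSInternals password quality report written to $reportFile"

    # Return the structured report so a caller can act on individual findings.
    return $report
}

Invoke-DSInternalsPasswordAudit -InstallDeps:$InstallDeps -WeakPasswordHashesFile $WeakPasswordHashesFile -OutputDir $OutputDir
```

Run it as a domain administrator on, or with network access to, a domain controller; without replication rights Get-ADReplAccount fails before any report is produced. Leaving -InstallDeps off keeps the script from ever reaching PSGallery, which matches the preference stated above that the script should not install modules on its own.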