
This article walks you through how to perform a security audit on Active Directory passwords step by step. Learn how to use tools like Mimikatz and Hashcat to extract and analyze password hashes, check for weak spots, and identify areas for improvement.
This guide makes it easy to assess and strengthen your organization’s password security.
Step 1: Download Mimikatz
To extract password hashes, we’ll use Mimikatz, a widely known tool for security professionals. It can be downloaded here: gentilkiwi/mimikatz on GitHub.
Important Notes:
- Use Firefox to download the tool, as browsers like Chrome might block it.
- Disable your antivirus or create an antivirus exclusion for Mimikatz; most antivirus solutions flag it as malicious due to its capabilities, even though it’s not inherently a virus.
Step 2: Extract Password Hashes with Mimikatz
After downloading, unzip the file and navigate to the mimikatz_trunk folder.
- Open the x64 folder (or x86 if using a 32-bit OS).
- Run mimikatz.exe.
- Use the following command in the Mimikatz console to extract all Active Directory password hashes in CSV format:
lsadump::dcsync /all /csv

Step 3: Save Hashes
Copy the output from the previous step and save only the hashes into a file.

Step 4: Get Hashcat
Hashcat is one of the most popular password-cracking tools available. Download it from the official Hashcat GitHub repository.
- Extract the .7z file, and make a note of the directory where you’ve saved it.
Step 5: Obtain a Wordlist Dictionary
Password cracking requires a wordlist of common passwords.
- A popular wordlist, rockyou.txt, can be downloaded here.
- You can enhance your dictionary by adding entries like names, company-specific terms, or relevant details.
Step 6: Add a Rule File
Rule files improve cracking effectiveness by modifying words in the dictionary (e.g., appending numbers or symbols).
- A recommended rule file is One Rule to Rule Them All, available here.


Step 7: Crack the Hashes
Now, use Hashcat to crack the hashes.
1. Open a command prompt and navigate to the directory where Hashcat is located:
cd C:\Path\To\Hashcat
2. Use the following command:
hashcat.exe -m 1000 -o "C:\Path\To\Output\cracked_passwords.txt" -r "C:\Path\To\Rules\OneRuleToRuleThemAll.rule" "C:\Path\To\Input\raw_hashes.txt" "C:\Path\To\Wordlist\rockyou.txt"
Explanation of Flags:
- -m 1000: Specifies the hash type (1000 = NTLM for Windows).
- -o: Specifies the output file for cracked passwords.
- -r: Points to the rule file.
- The last two arguments are the input hash file and the wordlist.
Step 8: Review Results
Hashcat might take some time, depending on the complexity of the hashes and the size of your wordlist.
- Once completed, check the output file to review the cracked passwords.
- Compare these with the usernames to identify accounts that need immediate action, such as password resets or enhanced security.
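The comparison in Step 8, as an added example (not part of the original article, Mimikatz or Hashcat): it joins the full Step 2 CSV output to Hashcat's output file and lists the accounts that need a reset, including accounts sharing the same password, without printing any plaintext. The account names and hashes are constructed, and the tab-separated RID / account name / NT hash column layout is an assumption; adjust the column indexes to match your export.

```python
import csv, io
from collections import defaultdict

# Constructed sample data (not real accounts or hashes).
# Assumed dcsync /csv layout: tab-separated RID, account name, NT hash.
DCSYNC_CSV = (
    "1104\tjsmith\t11111111111111111111111111111111\n"
    "1105\tsvc_backup\t22222222222222222222222222222222\n"
    "1106\tadoe\t11111111111111111111111111111111\n"
    "1107\tWKS01$\t33333333333333333333333333333333\n"
    "1108\tmlee\t44444444444444444444444444444444\n"
)
# Hashcat -o file in its default format: hash:plaintext
CRACKED = (
    "11111111111111111111111111111111:Summer2024!\n"
    "22222222222222222222222222222222:back:up1\n"
)

def load_accounts(text):
    """Return {account: nt_hash}, skipping computer accounts (name ends in $)."""
    rows = csv.reader(io.StringIO(text), delimiter="\t")
    return {r[1]: r[2].lower() for r in rows if len(r) >= 3 and not r[1].endswith("$")}

def load_cracked(text):
    """Return {nt_hash: plaintext}; split on the first ':' only, passwords may contain ':'."""
    out = {}
    for line in text.splitlines():
        h, sep, plain = line.partition(":")
        if sep and len(h) == 32:
            out[h.lower()] = plain
    return out

def audit(accounts, cracked):
    """Build a report that names affected accounts without exposing plaintext."""
    by_hash = defaultdict(list)
    for name, h in accounts.items():
        by_hash[h].append(name)
    report = []
    for name, h in sorted(accounts.items()):
        if h in cracked:
            shared = sorted(n for n in by_hash[h] if n != name)
            report.append({"account": name, "password_length": len(cracked[h]), "shared_with": shared})
    return report

if __name__ == "__main__":
    for row in audit(load_accounts(DCSYNC_CSV), load_cracked(CRACKED)):
        print(row)
```

Because the report carries only account names, password length and sharing, it can be circulated for remediation while the Hashcat output file stays restricted.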
