Password Audit
#1
Hey, I'm curious how a password audit works.

Just think about a company with 150 desktops.
How do you audit all these passwords?
Do you have to get all the 150 NTLM hashes from every single desktop, or are they stored on a server?

Noob question I know, but it would be great if someone could explain it to me.

All the best
elotrix
#2
Well, that entirely depends on how the company's network works.
#3
With 150 clients you would expect an Active Directory setup, where you can get all hashes from.
#4
There are a few ways to do this.

With 150 users you are probably on a Windows Domain (Active Directory), so your options are:

1. Configure a "temporary" SAMBA domain controller to sync all the credentials and then simply ask samba to dump them. HOWTO here : http://www.room362.com/blog/2014/05/14/d...ing-samba/ (requires administrative rights)

2. As you cannot access the database with hashes on a Windows Server while it's running, you can perform a Volume Shadow Copy and then obtain the hashes from the copy (you need administrator rights). You can see a HOWTO here, Method 4 : http://blog.packetheader.net/2014/10/pos...t-and.html

3. On a workstation you can dump the last 10 successful logins from the local cache (depending on GPO settings) using Windows Credential Editor or the Metasploit plugin found here : http://www.rapid7.com/db/modules/post/wi.../cachedump

I have mentioned in my talks before that companies should audit their staff passwords periodically to ensure they are of a successful caliber (relying only on password creation rules does not suffice). Unfortunately, given the nature of passwords, Microsoft and other companies have never made, and never will make, it an easy step to dump the hashes.

Note that any of these steps are considered malicious and/or illegal without the consent of the company owning the systems and passwords. Also note that a Volume Shadow Copy could, in rare cases, cause the domain controller to be unresponsive.