Visibility everywhere yeilds a better understanding of work working, or work needing more support or new approaches. this is that for AD passwords en-mass.
While Cracking passwords for an offensive op is usually just to get more access, it's well within thier gift to do mor efor the company, time permitting, or as a second offering
Tasks such as:
- Volume of duplicate hashes
- Volume that fail any password policy such as length, inclusion of special or upper case characters
- Admin Focus, such as password crackability as individuals or as a group, and if they share the password across lower privilidge accounts (duplicate hash)
Of these three talking points there is enough for a report from a view that is quite uniq and worth while annually, possibly after culture and awareness pushes and before the next redteam.
Volume of duplicate hashes
Often indicative of large scale password reset sweeps, where IT have been tasked to change everyone's password, often IT will choose a simple password such as Monday123 or Password1! under the assumption that everyone in the organisation is still a member of staff ready to react to IT's email 'Update your password' from a password audit hight you'll see a certain hash that you can infer accounts arent in use, that's handy if you're wanting to make sure accounts are kept lean within your organisation, but from a concern view, many people leave and few of those accounts are managed to deletion or archiving, this means that when IT push a large reset with a simple password, those idle accounts are sitting like ducks with the simple password, waiting for attackers to log in and mal-secure that account, I'm not sure of any other way to obtain this view easily, but this way sits nicely in Password analysis reporting space.
Volume of policy failure
This works with the cracked accounts only, there may be more, but it's going to me slim pickings. the idea here is that after you've hammered the database of the orgs accounts (ntds.dit for geeks ) you'll be left with a file containing a hash and the password, there will usually be many so running light analytics on that data is a few bash lines once you've lost a few days of GPU power to the wordlists and rules of hashcat or john the ripper, simple questions here are, what passwords are too short, dont contain upper case, lower case, or special characters in any order, this will present some results worth following, especially if there is active policy enforcement making it hard for this to happen, or some might say impossible to happen.
The volume of duplicate hashes, does fall usually on IT as a failure, but also their responsiblity to fix, learn and lower the chances of it happening again, similarly the policy failures would be an area out of their control to be brough in or a practice that needs more guiderails, in the same vain, this is why account analysis on users with administrative privilidges is important, we expect many to follow strong guidance and control but we often find relaxed IT doing as they wish because of pace, or lack of visibility of thier security behaviour, Admin focus tasks in this space are things like, comparing thier low privilidge account with their elevated account(s), AD Groups analysis and password strength analysis (can we crack it, how bad was it)
After an engagment like this IT may feel a little sore or happy to pony up make things harder to mistake.
IT may push back on password resets because they dont know what scripts have what passwords in them, that's worth chasing hard too.
We spend a lot of time focusing on end user credential culture, IT and those with elevated privilidges often dismiss training, really, organisations need self service password managment, and even then there's gaps worth highlighting. if there isnt a self service function within your org and you're still pushing an AD, this work is worth while.