Active Directory Password Audit

Tip: Impacket's secretsdump.py with DCSync is the cleanest extraction method - run 'secretsdump.py domain/admin@dc-ip -just-dc-ntlm' to get NTLM hashes only. CrackMapExec and NetExec can also DCSync across multiple DCs. If you need the full NTDS.dit for additional analysis, use 'ntdsutil' or Volume Shadow Copy on the DC. Always hash-verify your extract against a known test account to confirm accuracy.

Tip: CrackMapExec's --pass-pol flag dumps the domain password policy. PingCastle provides a comprehensive AD security assessment including password policy scoring against best practices. Check for fine-grained password policies that might apply weaker rules to specific groups - 'Get-ADFineGrainedPasswordPolicy -Filter *' in PowerShell reveals these. Document which accounts are excluded from lockout policies.

Tip: HATE_CRACK automates the optimized attack workflow from basic wordlists through progressively complex rule combinations. Start with the NTLM hashes from Have I Been Pwned - these crack instantly via lookup and typically get 10-20% of a domain on their own. Build an organization-specific wordlist from the company website, LinkedIn, and internal documentation. The pattern 'Season+Year+!' (Summer2024!) is still the most common password format in corporate environments.

Tip: Hashcat mode 1000 is NTLM. Run attacks in this order for maximum efficiency: (1) known-hash lookup against HIBP NTLM database, (2) company wordlist + best64.rule, (3) rockyou + dive.rule, (4) combination attacks with company words, (5) brute-force up to 7 characters. Track timing - if you crack 60% in under an hour, that's your headline finding. Save cracked passwords for pattern analysis in the next step.

Tip: Group cracked passwords by pattern: 'SeasonYear!' variants, 'CompanyName+digits', keyboard walks, etc. Check for identical NTLM hashes across accounts - same hash means same password, revealing reuse without needing to crack. Pay special attention to admin accounts, service accounts, and accounts with sensitive access. Calculate crack rates by OU or department to identify groups needing targeted training.

Tip: DomainPasswordSpray is purpose-built for this - it enumerates valid accounts and sprays while respecting lockout policies. Kerbrute sprays via Kerberos pre-auth which is faster and doesn't generate traditional logon failure events. Spray only the top 3-5 most common passwords found during cracking. Coordinate with the SOC team to verify their spray detection fires correctly - if it doesn't, that's a finding too.

Tip: Lead with the headline number - 'X% of domain passwords cracked in under 1 hour' gets executive attention. Include PingCastle's overall domain security score for broader context. Recommend a minimum 14-character length with a banned password list over complexity requirements - research shows length beats complexity. Recommend Azure AD Password Protection or similar tools that block common patterns. Include a timeline for remediation that accounts for password expiry cycles.