Companies should audit their domain passwords annually.
The process is normally:
- Log on to a domain controller and export ntds.dit, SAM and SYSTEM from a shadow copy (the live files are locked). The domain account hashes are in ntds.dit, encrypted with the boot key held in the SYSTEM hive; the SAM only holds the DC's local accounts.
- Extract the hashes from these files, e.g. with NTDSXtract (http://www.ntdsxtract.com/) or the SANS Investigative Forensic Toolkit (SIFT, http://digital-forensics.sans.org/community/downloads).
- Crack the hashes with an offline cracking tool: Cain, ophcrack, John the Ripper, hashcat etc.
A password is classified as weak if any of the following applies:
- An LM hash is stored for the account. LM hashes are always weak: the password is upper-cased and split into two 7-character halves that are cracked independently.
- The password is shorter than 8 characters.
- It is one repeated character, e.g. ‘111111’, ‘aaaaaa’.
- It is a simple sequence, e.g. ‘123456’, ‘abcdefgh’.
- It is a keyboard walk, i.e. a run of adjacent keys along a row or column, e.g. ‘qwerty’, ‘qazwsx’.
- It is a keyboard walk on a national keyboard layout (the same check with that layout's key positions).
- It is a mutation of the user name, e.g. the user name with digits appended, or reversed.
- It is a “freaked” (leetspeak) spelling of a common word, e.g. ‘pa$$w0rd’, ‘@pp1e’.
- It falls to a dictionary attack using publicly leaked password lists (e.g. the Facebook, LinkedIn and eHarmony leaks that can be downloaded from the Internet).
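The rules above, applied in code as an added PowerShell example (not from the original page): it reads pwdump-format lines (user:rid:LM:NT:::) as produced by the extraction step, joins them with the cracker's NT hash to plain-text results, and reports every rule each password trips. The sample accounts, the cracked-hash map, the small dictionary, the DE layout rows and the leet substitution table are all constructed assumptions; only the empty-LM value and the two hashes of ‘password’ are the well-known real ones.

```powershell
# Added example, not from the original page: scores cracked passwords against the rules above.
# The pwdump lines, the cracked-hash map, the dictionary, the DE layout and the leet table are
# constructed for the example; only the empty-LM value and the two hashes of 'password' are real.
$EmptyLm    = 'aad3b435b51404eeaad3b435b51404ee'     # LM field when no LM hash is stored
$Dictionary = [System.Collections.Generic.HashSet[string]]::new([string[]]@('password', 'welcome', 'letmein', 'apple', 'monkey'))
$Sequences  = 'abcdefghijklmnopqrstuvwxyz', '0123456789'
$Layouts    = @{ US = 'qwertyuiop', 'asdfghjkl', 'zxcvbnm'; DE = 'qwertzuiop', 'asdfghjkl', 'yxcvbnm' }   # add national layouts here
$Leet       = @{ '$' = 's'; '0' = 'o'; '1' = 'il'; '3' = 'e'; '4' = 'a'; '@' = 'a'; '5' = 's'; '7' = 't'; '!' = 'i' }

function Get-Reversed([string]$s) { $c = $s.ToCharArray(); [array]::Reverse($c); -join $c }

# Row walks (qwertyuiopasdfg...) and column walks (qazwsxedc...) for one layout.
function Get-KeyboardWalks([string[]]$rows) {
    $width = [int]($rows | Measure-Object -Property Length -Maximum).Maximum
    $cols  = foreach ($i in 0..($width - 1)) { -join ($rows | ForEach-Object { if ($i -lt $_.Length) { $_[$i] } }) }
    @((-join $rows), (-join $cols))
}

# True when the whole password is a run of 3+ adjacent characters from one of the walks, forwards or backwards.
function Test-WalkPattern([string]$p, [string[]]$walks) {
    if ($p.Length -lt 3) { return $false }
    foreach ($w in $walks) { if ($w.Contains($p) -or (Get-Reversed $w).Contains($p)) { return $true } }
    $false
}

# Every plain reading of a "freaked" password: pa$$w0rd -> password; @pp1e -> appie, apple.
function Get-LeetVariants([string]$p) {
    $variants = @('')
    foreach ($ch in $p.ToCharArray()) {
        $key  = [string]$ch
        $subs = if ($Leet.ContainsKey($key)) { $Leet[$key].ToCharArray() } else { @($ch) }
        $variants = @(foreach ($v in $variants) { foreach ($s in $subs) { $v + $s } })
    }
    $variants
}

function Test-WeakPassword([string]$User, [string]$Password, [string]$LmHash) {
    $reasons = @()
    $p = $Password.ToLower()
    $u = $User.ToLower()
    if ($LmHash -and $LmHash -ne $EmptyLm)   { $reasons += 'LM hash stored' }
    if ($Password.Length -lt 8)              { $reasons += 'shorter than 8 characters' }
    if ($p.Length -gt 1 -and @($p.ToCharArray() | Select-Object -Unique).Count -eq 1) { $reasons += 'repeated character' }
    if (Test-WalkPattern $p $Sequences)      { $reasons += 'simple sequence' }
    foreach ($name in $Layouts.Keys) {
        if (Test-WalkPattern $p (Get-KeyboardWalks $Layouts[$name])) { $reasons += "keyboard walk ($name layout)" }
    }
    if ($u.Length -ge 3 -and ($p.Contains($u) -or $p.Contains((Get-Reversed $u)))) { $reasons += 'based on user name' }
    # Dictionary check on the password itself, then on its leet readings; trailing digits/symbols are stripped as well.
    $strip = { $_; ($_ -replace '[^a-z]+$', '') }
    if (@($p) | ForEach-Object $strip | Where-Object { $Dictionary.Contains($_) })                   { $reasons += 'in leaked-password dictionary' }
    elseif (Get-LeetVariants $p | ForEach-Object $strip | Where-Object { $Dictionary.Contains($_) }) { $reasons += 'leetspeak of a dictionary word' }
    [pscustomobject]@{ User = $User; Password = $Password; Weak = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
}

# Constructed input: pwdump-format lines (user:rid:LM:NT:::) as written by the extraction step,
# and the cracker's NT hash -> plain-text results. Hashes other than those of 'password' are placeholders.
$PwdumpLines = @'
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
jsmith:1105:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
mbrown:1106:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000002:::
svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000003:::
cfo:1108:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000004:::
'@ -split "`r?`n"
$Cracked = @{
    '8846f7eaee8fb117ad06bdd830b7586c' = 'password'
    '00000000000000000000000000000001' = 'qazwsx'
    '00000000000000000000000000000002' = 'Mbrown2016'
    '00000000000000000000000000000003' = '@pp1e'
}

function Get-AuditReport([string[]]$lines, [hashtable]$cracked) {
    foreach ($line in $lines) {
        if (-not $line.Trim()) { continue }
        $user, $lm, $nt = ($line -split ':')[0, 2, 3]
        if ($cracked.ContainsKey($nt)) { Test-WeakPassword $user $cracked[$nt] $lm }
        else {
            # Uncracked: only the LM rule can be applied without the plain text.
            $hasLm = $lm -ne $EmptyLm
            [pscustomobject]@{ User = $user; Password = '<not cracked>'; Weak = $hasLm; Reasons = $(if ($hasLm) { 'LM hash stored' } else { '' }) }
        }
    }
}

Get-AuditReport $PwdumpLines $Cracked | Format-Table -AutoSize
```

Run it under PowerShell 5 or later. On the constructed input the report flags Administrator (LM hash stored, dictionary word), jsmith (short, US keyboard walk), mbrown (based on user name) and svc_backup (short, leetspeak of ‘apple’); cfo was not cracked and has no LM hash, so it is not flagged. Swapping in the real leaked lists and the national layouts in use is a matter of replacing the `$Dictionary` and `$Layouts` values.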
Step 1: Create a shadow copy to copy the password files from
- Log on to a domain controller as a member of the Enterprise Admins or Domain Admins group.
- Click Start, right-click Command Prompt, and then click Run as administrator
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- At the elevated command prompt, type the following command, and then press ENTER: ntdsutil
- At the ntdsutil prompt, type the following command, and then press ENTER: snapshot
- At the snapshot prompt, type the following command, and then press ENTER:
activate instance ntds
- At the snapshot prompt, type the following command, and then press ENTER:
create
The command returns the following output:
Snapshot set {GUID} generated successfully.
Where GUID is the globally unique identifier (GUID) for the snapshot.
- At the snapshot prompt, type the following command, and then press ENTER:
mount {GUID}
- Optionally, to see a list of all mounted snapshots, type the following command, and then press ENTER:
list mounted
The output lists each mounted snapshot and a corresponding index number. You can use the index number instead of the GUID to subsequently mount, unmount, or delete the snapshot.
- Open a second command prompt, also as Administrator.
- Run the commands below. The mount path (c:\$SNAP_<timestamp>_VOLUMEC$) is the one ntdsutil printed when the snapshot was mounted, and ntds.dit is at its default location here:
E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\Windows\ntds\ntds.dit
1 file(s) copied.
E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\windows\system32\config\SYSTEM
1 file(s) copied.
E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\windows\system32\config\SAM
1 file(s) copied.
E:\temp>reg SAVE HKLM\SYSTEM .\sys
The last command saves the live SYSTEM hive; either it or the SYSTEM copied from the snapshot provides the boot key needed to decrypt the hashes in ntds.dit.
- Copy these 4 files to a USB drive. Together they hold every domain account's password hash, so use an encrypted drive, limit access to the audit team and securely delete all copies once the audit is complete.
- To unmount the snapshot after you have finished viewing the data, type either of the following commands, and then press ENTER:
unmount index #
-or-
unmount { GUID }
- Delete old snapshots that you are no longer using because they consume disk space. To delete a snapshot, type either of the following commands, and then press ENTER:
delete index #
-or-
delete { GUID }
- After you are done with snapshot operations, type quit to return to the ntdsutil menu, and then type quit again to return to the command prompt.
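The whole of Step 1 as one script, an added PowerShell example that is not from the original page or the TechNet article it follows. It relies on ntdsutil accepting its interactive commands as command-line arguments, parses the snapshot GUID and mount path out of ntdsutil's own output, and always unmounts and deletes the snapshot, even when a copy fails. Assumptions: it runs in an elevated PowerShell on the domain controller, ntdsutil.exe and reg.exe are on the PATH, ntds.dit is at its default location under \Windows\NTDS, and E:\temp is the destination folder.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page: automates Step 1 end to end.
# Assumptions: ntdsutil.exe and reg.exe on PATH (standard on a DC), ntds.dit at its
# default path under \Windows\NTDS, and E:\temp as the destination folder.
param([string]$Destination = 'E:\temp')

New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# ntdsutil accepts its interactive commands as arguments. Every call enters the
# snapshot menu, runs the given commands and quits twice so the process exits.
function Invoke-Ntdsutil([string[]]$Commands) {
    $all = @('snapshot') + $Commands + @('quit', 'quit')
    $out = & ntdsutil.exe $all | Out-String
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with $LASTEXITCODE`n$out" }
    $out
}

# activate instance ntds / create: pick the GUID out of
# "Snapshot set {GUID} generated successfully."
$createOut = Invoke-Ntdsutil 'activate instance ntds', 'create'
if (-not ($createOut -match 'Snapshot set (\{[0-9a-fA-F-]+\}) generated successfully')) {
    throw "No snapshot GUID in ntdsutil output:`n$createOut"
}
$guid = $Matches[1]

try {
    # mount {GUID}: ntdsutil reports "Snapshot {GUID} mounted as C:\$SNAP_<timestamp>_VOLUMEC$\"
    $mountOut = Invoke-Ntdsutil "mount $guid"
    if (-not ($mountOut -match 'mounted as (\S+)')) { throw "Mount failed:`n$mountOut" }
    $mountRoot = $Matches[1].TrimEnd('\')

    # The three files the page copies from the snapshot ...
    foreach ($rel in 'Windows\NTDS\ntds.dit', 'Windows\System32\config\SYSTEM', 'Windows\System32\config\SAM') {
        Copy-Item -LiteralPath (Join-Path $mountRoot $rel) -Destination $Destination -ErrorAction Stop
    }
    # ... plus the live SYSTEM hive, as the page's "reg SAVE HKLM\SYSTEM .\sys" does
    & reg.exe SAVE HKLM\SYSTEM (Join-Path $Destination 'sys') /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg SAVE failed with $LASTEXITCODE" }

    # SHA-256 manifest so the copy taken off the DC can be checked for integrity later
    $manifest = Get-ChildItem -LiteralPath $Destination -File | Get-FileHash -Algorithm SHA256
    $manifest | Select-Object Hash, Path | Export-Csv -LiteralPath (Join-Path $Destination 'manifest.csv') -NoTypeInformation
}
finally {
    # unmount + delete always run, so a mounted copy of the directory database is
    # never left behind on the DC after a failed copy.
    foreach ($cmd in "unmount $guid", "delete $guid") {
        try { Invoke-Ntdsutil $cmd | Out-Null } catch { Write-Warning "$cmd : $_" }
    }
}
```

Run it from an elevated PowerShell prompt on the DC; the output folder then holds ntds.dit, SYSTEM, SAM, sys and a manifest.csv of SHA-256 hashes to verify the copy against after it has been moved to the USB drive. Because the snapshot is deleted in the `finally` block, the ntdsutil `list mounted` check from the manual steps should come back empty once the script has finished.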
Reference: https://technet.microsoft.com/en-us/library/cc753609(WS.10).aspx