James Tusini | February 25, 2020 | December 14, 2020 | Active Directory, Passwords, pwncheck, pwned
Finding pwned passwords in Active Directory doesn't need to be taxing. Choosing the right approach can save time and reduce the risk of instability. This complete guide walks through each approach, its pros and cons, and some quicker alternatives.
Weak and pwned passwords accounted for 73% of breaches in the last year, as reported by Verizon and Rapid7. Do you know how many of your users are using a blacklisted password?
If you test user passwords, you’ll know Microsoft has never made it easy. There are always tricks to export password hashes but each method has its pros and cons.
Table of Contents
- Before We Begin
- Why Find Pwned Passwords?
- How To Find Pwned Passwords?
- Local Security Authority Subsystem Service (LSASS) Injection
- Problems with this technique
- Using The Windows Tools
- Create Shadow Copy
- Copy NTDS.dit, SYSTEM and SAM
- Clean-Up
- (Ab)Using the Domain Replication Service
- Identifying Vulnerable User Accounts
- Using Wordlists
- Using JtR (John the Ripper)
- Using Hashcat
- Viewing the results
- Using HIBP NTLM
- Password Analysis
- Pipal
- A Different/Better Approach
- Running Pwncheck
- The pwncheck report dashboard
Before We Begin
If you find this post useful you're going to love our weekly newsletter. Every Monday we send the best 5 Active Directory security links we've read that week. Stuck on something? Just search your inbox for our newsletter plus your term and you'll usually find an answer.
Why Find Pwned Passwords?
The new NIST password guidelines make sensible recommendations. The current climate of data breaches is at the heart of one of the major changes: check each user password against a corpus of breached data.
A password audit is a very effective way of demonstrating this area of weakness, which underpins two of the most prevalent attacks today: password spraying and credential stuffing.
How To Find Pwned Passwords?
This is a two-step process. Dump the hashes from a DC first, and then compare the hashes to a list of breached passwords/hashes (we’re going to be using Troy Hunt’s Have I Been Pwned database). Various ways to grab the hashes exist, each carrying some risk as it’s an unsupported process. Techniques for obtaining the hashes from a Windows Domain Controller boil down to:
- Local Security Authority Subsystem Service (LSASS) injection
- Shadow Copy replication with Microsoft Vssadmin
- (Ab)Using the Domain Replication Service
Local Security Authority Subsystem Service (LSASS) Injection
Dumping the LSASS (Local Security Authority Subsystem Service) process space is the oldest method and the historical way of extracting domain hashes within a Windows ecosystem. Several tools and techniques exist to do this; one of the most common and reliable is Mimikatz.
Start mimikatz.exe and type the following commands:
privilege::debug
log mimikatz-output.txt
lsadump::lsa /inject /patch
The first command takes care of granting the privileges required. The second sets a log file for the output. The final command instructs the tool on which technique to use (LSASS Injection).
Once this is complete, the log file created should look like this:

But it needs to be in a pwdump format and to look like this:
user:hash
Note: this is not the full pwdump format but it’s all that’s needed here.
A few lines of awk (after stripping out the header/footer of the log file) will suffice:
# cat mimi.awk
BEGIN { RS = "" ; FS = "\n" ; ORS = "" ; OFS = "" }
{
    sub(/^User : /, "", $2)          # strip the "User : " label from the account line
    sub(/^[ \t]*NTLM : /, "", $4)    # strip the indentation and "NTLM : " label from the hash line
    print $2 ":" $4 "\n"             # emit one pwdump-style user:hash line per record
}
Problems with this technique:
- Risks crashing / blue screening the server
- Very likely to trigger an AV
- Slow and cumbersome (takes a long time to parse the memory space)
- It’s not secure (hashes will need to be scrubbed).
Using The Windows Tools
A safer way is to rely on the Windows built-in Vssadmin (Volume Shadow Copy) utility. Vssadmin can take a copy of the c:\Windows\NTDS\NTDS.dit file (this file is locked as it’s used by LSASS).
This method is less disruptive, much less likely to get caught by AV and unlocks the password history too. It can take up a lot of space, as the NTDS.dit can grow pretty large. It also might increase the risk of detection and network disruption as a result.
To create a shadow copy and copy the required files (NTDS.dit, SYSTEM, SAM), the commands are as follows:
Create Shadow Copy
vssadmin create shadow /for=C:

Copy NTDS.dit, SYSTEM and SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\system32\ntds\ntds.dit c:\temp
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\system32\config\system c:\temp
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\system32\config\sam c:\temp

Clean-Up
vssadmin List Shadows
vssadmin Delete Shadows /shadow={Shadow Copy ID}

The DSInternals PowerShell module will convert it into a suitable format for cracking:
$key = Get-BootKey -SystemHiveFilePath 'c:\temp\system'
Get-ADDBAccount -All -DBPath 'c:\temp\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File shadow-hashes.txt -Encoding ASCII
The above will process a copy of the NTDS.dit file, extract user and hash information, format it in a hashcat-compatible output and write it to a file.

(Ab)Using the Domain Replication Service
The safest method of obtaining domain hashes is to (ab)use the Domain Replication Service. This works by temporarily spinning up a new Domain Controller on the network and syncing the credential store to it.
The steps to perform this are as follows:
- Install the DSInternals PowerShell module
- Set the credentials
- Export the hashes from AD
- Run the script.
The DSInternals package needs to be installed, as follows:
Install-Module -Name DSInternals

Enter credentials by running the following PowerShell command:
$credentials = Get-Credential
The following will dump those pesky hashes:
Get-ADReplAccount -All -NamingContext "DC=Example,DC=org" -Server DC1 -Credential $credentials | Format-Custom -View HashcatNT | Out-File c:\temp\hashes.txt -Encoding ASCII
Note: Ensure you change the domain and DC according to your environment (here Example, org, and DC1).
The above will produce a hashcat-compatible ASCII plain-text file to compare against the HIBP hashes.
This is what hashes.txt looks like:

Identifying Vulnerable User Accounts
So which users on the network are vulnerable? Let’s explore a couple of ways of doing this.
Using Wordlists
A good wordlist of compromised passwords is needed. There are various lists of cracked passwords over at hashes.org, such as:
John the Ripper and Hashcat are amongst the most respected crackers out there. Usage for these is as follows:
Using JtR (John the Ripper)
john --format=nt hashes.hashcat --wordlist=hashes.org-2019.txt
Using Hashcat
hashcat -m 1000 -a 0 --username hashes.hashcat hashes.org-2019.txt
On a very modest system, it takes less than a couple of minutes to run through the dictionary file which results in the output below:
Viewing the results
$ john --show --format=nt hashes.hashcat | tail
ex468260:budlight
ex360998:passw0rd
ex458554:Mother21
ex997924:Number44
ex591208:Welcome14
ex480187:Lauren24
ex305134:Claire1987
ex956673:abcd1234

323 password hashes cracked, 329 left
----
$ hashcat --username --show -m 1000 hashes.hashcat | tail
ex665602:a4e7a61a102b34f0e0a15e4cc1e8ab77:Liverpool123
ex999378:d59287f790dcbcf24f1bbd8c4703bd54:Password17
ex295780:d59287f790dcbcf24f1bbd8c4703bd54:Password17
ex939490:c5ab70617cae17f46f60a2f175bb5386:Champs02
ex499827:37184b08e38ae6f5057b94141722fa65:M0nday30
ex178773:cab8e82c0ea675f7e3744c808cf3209b:Butterfly29
ex852117:cab8e82c0ea675f7e3744c808cf3209b:Butterfly29
ex472603:cab8e82c0ea675f7e3744c808cf3209b:Butterfly29
ex453529:2fa2b0486ca0fff77ba6ce64d640d864:Central02
ex808769:4b21ab52ba9834f8cd167effc7ec087e:Christmas12
Using HIBP NTLM
To perform this check offline, download a copy of the Have I Been Pwned database, in NTLM format (ordered by hash). It’s not a good idea to perform the password check online.

Extracting it (with 7zip) can take a while:

The final step is to compare the Have I Been Pwned (HIBP) database containing the NTLM hashes (sorted by hash) in c:\temp\ with the extracted hashes in the same folder.
This script will make it easy:
powershell -ExecutionPolicy Bypass
Import-Module .\Match-ADHashes
The comparison of the hashes is done using the Match-ADHashes function.
$list = Match-ADHashes -ADNTHashes C:\temp\hashes.txt -HashDictionary C:\temp\hibp.txt
The above command will populate the $list variable with the results (Note: this might take a while). The results can be exported into a more useful format and written to disk:
$list | select Hash,Frequency,@{Name='user';Expression={[string]::join(";", ($_.user))}} | Export-Csv -Path c:\temp\pwned-users-report.csv -Delimiter ';' -NoTypeInformation
Note: Frequency is the number of times that password (hash) has been seen collectively within the Have I Been Pwned leaked database.
The above will pipe the contents of $list into a CSV file with the matching hash, a count and the list of pwned users.
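The Match-ADHashes step is, underneath, a join between two sorted lists, which is why it can be done in a single pass without loading the multi-gigabyte HIBP file into memory. The Python script below is an added example, not the Match-ADHashes script or DSInternals code: it reads a user:hash dump in the DSInternals HashcatNT format, streams the HIBP NTLM file in ascending-hash order, and reports each matching hash with its HIBP frequency and the affected accounts, plus the two further findings a report like pwncheck's highlights, password reuse (one hash shared by several accounts) and blank passwords. The sample dump and HIBP excerpt are constructed (the account names, the made-up hashes and the counts are not real data), and the file formats the script assumes are stated in its docstring.

```python
"""Offline check of an AD NT-hash dump against the HIBP NTLM list (ordered by hash).

Added example; not the Match-ADHashes script from the post. Assumed input formats:
  - dump: one "user:nthash" line per account (DSInternals HashcatNT view)
  - hibp: "NTHASH:COUNT" lines sorted ascending by hash (the "ordered by hash" download)
Both samples below are constructed.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# NT hash of the empty password (MD4 of an empty UTF-16LE string); a well-known constant.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump: two hashes from the post's hashcat output plus made-up accounts.
SAMPLE_DUMP = """\
alice:d59287f790dcbcf24f1bbd8c4703bd54
bob:d59287f790dcbcf24f1bbd8c4703bd54
carol:cab8e82c0ea675f7e3744c808cf3209b
dave:0123456789abcdef0123456789abcdef
svc_legacy:31d6cfe0d16ae931b73c59d7e0c089c0
erin:ffffffffffffffffffffffffffffffff
"""

# Constructed HIBP excerpt: uppercase hash, count, sorted ascending by hash.
SAMPLE_HIBP = """\
0000000000000000000000000000AAAA:12
31D6CFE0D16AE931B73C59D7E0C089C0:1000000
CAB8E82C0EA675F7E3744C808CF3209B:137
D59287F790DCBCF24F1BBD8C4703BD54:2041
FFFF0000000000000000000000000000:3
"""


def load_dump(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group account names by NT hash: each hash is looked up once and reuse becomes visible."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line or ":" not in line:
            continue
        user, nt_hash = line.rsplit(":", 1)
        nt_hash = nt_hash.lower()
        if len(nt_hash) != 32:
            continue  # malformed record: skip rather than mis-attribute a hit
        by_hash[nt_hash].append(user)
    return by_hash


def match_hibp(by_hash: Dict[str, List[str]], hibp_lines: Iterable[str]) -> List[Tuple[str, int, List[str]]]:
    """Merge-join the sorted dump hashes against the sorted HIBP stream in one pass.

    Both sequences are ascending, so they are walked in lock-step: O(n + m) time and
    O(n) memory, where n is the number of distinct AD hashes (the HIBP file is never loaded).
    """
    wanted = sorted(by_hash)
    hits: List[Tuple[str, int, List[str]]] = []
    i = 0
    for raw in hibp_lines:
        if i >= len(wanted):
            break  # every dumped hash has been resolved; stop reading the big file
        line = raw.strip()
        if not line:
            continue
        h, _, count = line.partition(":")
        h = h.lower()
        # dump hashes sorting before this HIBP entry cannot appear later: they are not pwned
        while i < len(wanted) and wanted[i] < h:
            i += 1
        if i < len(wanted) and wanted[i] == h:
            hits.append((h, int(count), sorted(by_hash[h])))
            i += 1
    return hits


def reused_hashes(by_hash: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Hashes shared by more than one account (password reuse, pwned or not)."""
    return {h: sorted(u) for h, u in by_hash.items() if len(u) > 1}


def to_csv(hits: List[Tuple[str, int, List[str]]]) -> str:
    """Same shape as the post's Export-Csv: Hash;Frequency;user, users joined with ';'."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=";", lineterminator="\n")
    writer.writerow(["Hash", "Frequency", "user"])
    for h, freq, users in hits:
        writer.writerow([h, freq, ";".join(users)])
    return buf.getvalue()


def run_audit(dump_text: str = SAMPLE_DUMP, hibp_text: str = SAMPLE_HIBP) -> dict:
    """Run the whole check over the embedded samples and return the findings."""
    by_hash = load_dump(dump_text.splitlines())
    hits = match_hibp(by_hash, hibp_text.splitlines())
    return {
        "pwned": hits,
        "reused": reused_hashes(by_hash),
        "blank": sorted(by_hash.get(EMPTY_NT_HASH, [])),
        "csv": to_csv(hits),
    }


if __name__ == "__main__":
    print(run_audit()["csv"])
```

On the real files, replace the two sample strings with open() handles on hashes.txt and the HIBP NTLM file; because the join only advances through the HIBP stream, the script's memory use stays proportional to the number of distinct hashes in the domain, not the size of the download.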

Password Analysis
Pipal
Pipal is a useful utility written by Robin Wood to perform an analysis of user passwords. You need access to the plain-text passwords (i.e. the cracked ones) in order to gather any useful information.
Usage of the tool is pretty simple: no external library is needed, just a Ruby installation.
Running Pipal on the results obtained yields the following output:
$ ./pipal.rb found.txt
Generating stats, hit CTRL-C to finish early and dump stats on words already processed.
Please wait...
Processing: 100% |oooooooooooooooooooooooooooooooooooooooooo| Time: 00:00:00

Basic Results

Total entries = 346
Total unique entries = 285

Top 10 passwords
Butterfly29 = 3 (0.87%)
Password2 = 3 (0.87%)
Reind33r = 3 (0.87%)
Tanzania3 = 3 (0.87%)
Password284 = 3 (0.87%)
Tilling7 = 3 (0.87%)
Christian7 = 3 (0.87%)
Babybrain3 = 3 (0.87%)
1111111111 = 2 (0.58%)
Molly154 = 2 (0.58%)

Top 10 base words
password = 28 (8.09%)
welcome = 5 (1.45%)
london = 5 (1.45%)
victoria = 4 (1.16%)
tilling = 3 (0.87%)
tanzania = 3 (0.87%)
christmas = 3 (0.87%)
jessica = 3 (0.87%)
april = 3 (0.87%)
liverpool = 3 (0.87%)

Password length (length ordered)
8 = 155 (44.8%)
9 = 85 (24.57%)
10 = 57 (16.47%)
11 = 34 (9.83%)
12 = 14 (4.05%)
14 = 1 (0.29%)

Password length (count ordered)
8 = 155 (44.8%)
9 = 85 (24.57%)
10 = 57 (16.47%)
11 = 34 (9.83%)
12 = 14 (4.05%)
14 = 1 (0.29%)

<--output stripped for brevity-->
Pipal can be used to get a good insight into what common passwords are being used on the Active Directory Domain being tested. This knowledge can be used to create relevant exclusion wordlists to prevent users from setting common, easy-to-guess passwords.
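Pipal's headline numbers (totals, top passwords, top base words, length distribution) are simple to reproduce, and reproducing them is the quickest way to turn cracked output into the exclusion wordlist recommended above. The Python below is an added example, not pipal itself: it takes a constructed list of cracked plaintexts, approximates pipal's base-word heuristic by stripping leading and trailing digits and symbols and lower-casing what is left, and returns the base words seen more than once as banned-word candidates. The sample passwords, the base-word rule and the "seen at least twice" threshold are assumptions made for the example.

```python
"""Pipal-style statistics over a list of cracked passwords.

Added example, not pipal itself. The input is a constructed list of plaintexts; in
practice it would be the password column of `john --show` / `hashcat --show` output.
'Base word' here means the password with leading and trailing non-letters removed and
lower-cased, an approximation of pipal's heuristic that is good enough to seed an
exclusion (banned-word) list for a password filter.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: the kind of plaintexts the cracking step produces.
SAMPLE_CRACKED: List[str] = [
    "Password17", "Password17", "Butterfly29", "Butterfly29", "Butterfly29",
    "Liverpool123", "Welcome14", "Welcome1!", "Champs02", "M0nday30", "Christmas12",
    "1111111111", "abcd1234", "Central02", "London2019", "london!",
]

# Non-letters at the start or the end of the password (digits, symbols, whitespace).
_EDGES = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")


def base_word(password: str) -> str:
    """Strip non-letters from both ends and lower-case; '' for all-digit/symbol passwords."""
    return _EDGES.sub("", password).lower()


def analyse(passwords: List[str], top: int = 10) -> Dict[str, object]:
    """Totals, top passwords, top base words and length distribution, as pipal reports them."""
    counts = Counter(passwords)
    bases = Counter(base_word(p) for p in passwords)
    bases.pop("", None)  # passwords with no letters contribute no base word
    lengths = Counter(len(p) for p in passwords)
    return {
        "total": len(passwords),
        "unique": len(counts),
        "top_passwords": counts.most_common(top),
        "top_base_words": bases.most_common(top),
        "length_distribution": sorted(lengths.items()),  # (length, count), length ordered
    }


def exclusion_list(passwords: List[str], min_count: int = 2) -> List[str]:
    """Base words seen at least min_count times: candidates for a banned-word list."""
    bases = Counter(base_word(p) for p in passwords)
    return sorted(w for w, n in bases.items() if w and n >= min_count)


def format_report(stats: Dict[str, object]) -> str:
    """Render the stats roughly in pipal's layout (counts with percentage of all entries)."""
    total = stats["total"]
    lines = [f"Total entries = {total}", f"Total unique entries = {stats['unique']}", ""]
    lines.append("Top base words")
    for word, n in stats["top_base_words"]:
        lines.append(f"{word} = {n} ({100 * n / total:.2f}%)")
    lines.append("")
    lines.append("Password length (length ordered)")
    for length, n in stats["length_distribution"]:
        lines.append(f"{length} = {n} ({100 * n / total:.2f}%)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(analyse(SAMPLE_CRACKED)))
    print("Exclusion candidates:", exclusion_list(SAMPLE_CRACKED))
```

The base-word rule deliberately leaves inner substitutions alone (M0nday30 becomes m0nday, not monday), which matches how pipal groups them; if you want leetspeak variants folded together for the banned-word list, add that normalisation in base_word rather than in the counting.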
A Different/Better Approach
So it is easy enough to check how many Windows domain users are using compromised passwords. It's also rather convoluted and error-prone, as well as very time-consuming.
What if there were an automated way of checking this that:
- Gives instant results (a few minutes vs hours/days)
- Is comprehensive, repeatable and deterministic
- Is secure (doesn’t leave a trace of the domain hashes anywhere)
- Doesn’t require software installation
- Is user-friendly (not just for ubergeeks)
- Doesn’t need Domain Admin privileges
- Has a low footprint and doesn’t require a 30GB+ download of Have I Been Pwned
The efficiency of this process can be significantly improved. Comparison times can be optimized down to milliseconds.
Running Pwncheck
Pwncheck is the optimal way of getting a list of pwned users. No installation is needed, nor Domain Admin privileges.
The 3 privileges that pwncheck needs can be granted like so:
# Just substitute the pwncheck account below with the account you want to assign replication privileges to
$Account = "pwncheck"
$RootDSE = [ADSI]"LDAP://RootDSE"
$DefaultNamingContext = $RootDSE.defaultNamingContext
$cmd = "dsacls '$DefaultNamingContext' /G '`"$Account`":CA;`"Replicating Directory Changes`";'"
Invoke-Expression $cmd
$cmd = "dsacls '$DefaultNamingContext' /G '`"$Account`":CA;`"Replicating Directory Changes All`";'"
Invoke-Expression $cmd
$cmd = "dsacls '$DefaultNamingContext' /G '`"$Account`":CA;`"Replicating Directory Changes In Filtered Set`";'"
Invoke-Expression $cmd
Running pwncheck is a simple three-step process:
- Start the pwncheck executable
- Wait for it to download/load the DB
- Enter your credentials and click Go

After a few seconds, the pwncheck GUI will:
- Write the report to disk
- Securely scrub the process memory space and close its main window
- Open up the report folder to reveal the report data.
The README.html file containing the password audit results can then be viewed for the full report:

The pwncheck report dashboard



The Pwncheck report dashboard gives you an at-a-glance overview of compromised, reused and blank passwords across your infrastructure. The free version contains a summary, while the full version can be unlocked at a low cost.
Visit our product page to find out more about pwncheck, or if you’d like to try the full version for yourself at no cost, fill in the form below and we’ll send you details on how to claim a free Pwncheck voucher.
Test Drive Pwncheck
The best way to find out if pwncheck is right for you is to try it out. Use the download button below to try Pwncheck's free version with absolutely zero strings attached, no form entry required.
If you'd like to test drive the full version fill in the form and we'll send you a single-use evaluation licence (normally $150, €120 or £100).
FAQs
Is there a way to see Active Directory passwords?
Yes, you can check the Last Password Changed information for a user account in AD. The information for the last password changed is stored in an attribute called "PwdLastSet". You can check the value of "PwdLastSet" using the Microsoft "ADSI Edit" tool.
Where are passwords stored in Active Directory?
In AD, passwords are stored as hashes by default. In Windows environments, passwords are hashed using the LAN Manager hash (LM hash) and the Windows NT LAN Manager hash (NTLM hash).
What are pwned passwords?
Pwned Passwords are hundreds of millions of real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they're at much greater risk of being used to take over other accounts.
How to find password complexity requirements in Active Directory?
You can find your current AD password policy for a specific domain either by navigating to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy via the management console, or by using the PowerShell command Get-ADDefaultDomainPasswordPolicy.
How can I see all passwords used by CMD?
...
In the window, type in this command:
- rundll32.exe keymgr.dll,KRShowKeyMgr
- Hit Enter.
- The Stored User Names and Passwords window will pop up.
Password Storage. LDAP passwords are normally stored in the userPassword attribute. RFC4519 specifies that passwords are not stored in encrypted (or hashed) form. This allows a wide range of password-based authentication mechanisms, such as DIGEST-MD5, to be used.
What is the most pwned password?
- 123456 (23.2 million users)
- 123456789 (7.7 million users)
- Qwerty (3.8 million users)
- Password (3.6 million users)
- 1111111 (3.1 million users)
If one of your online accounts has been hacked - often called being 'pwned' - then it's important not to panic. Follow a few simple steps and you can check the scale of the damage and get your account security under control.
How do hackers find your passwords?
Keylogger programs enable hackers to spy on you, as the malware captures everything you type. Once inside, the malware can explore your computer and record keystrokes to steal passwords. When they get enough information, hackers can access your accounts, including your email, social media, and online banking.
Can you see who changed a password in Active Directory?
Open "Event Viewer" ➔ "Windows Logs" ➔ "Security" logs. Search for event ID 4724 in the "Security" logs. This ID identifies a user account whose password is reset. You can scroll down to view the details of the user account whose password was reset.
How do I get password requirements?
- No common names or dictionary words.
- No sequences of more than 4 digits in a row.
- Include at least one character from at least 3 of these categories: Uppercase letter. Lowercase letter. ...
- Password reset/expiration period as follows: 10-20 characters = no periodic reset/expiration required.
The Active Directory attribute lastLogon shows the exact timestamp of the last password change for the account in question. Here it doesn't matter whether the user changed their password themselves or the password was reset by an administrator.
How do I find hidden and saved passwords in Windows?
- Press Win + R to open Run.
- Type inetcpl.cpl, and then click OK.
- Go to the Content tab.
- Under AutoComplete, click on Settings.
- Click on Manage Passwords. This will then open Credential Manager where you can view your saved passwords.
Windows password hashes are stored in the SAM file; however, they are encrypted with the system boot key, which is stored in the SYSTEM file. If a hacker can access both of these files (stored in C:\Windows\System32\Config), then the SYSTEM file can be used to decrypt the password hashes stored in the SAM file.
What is the difference between LDAP and LDAPS?
The main difference between LDAP and LDAPS is that LDAPS is more secure than LDAP. This is because LDAPS is essentially LDAP encrypted using TLS/SSL as a wrapper. For that reason, LDAPS is also called LDAP over SSL or Secure LDAP.
Can LDAP be exploited?
LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
How are passwords stored in the shadow file?
Each user's password is stored in an encrypted form within the /etc/passwd file. These credentials are hashed using a one-way hash function so they cannot be decrypted.
Can you check if passwords have been compromised?
How to Find Compromised Passwords on an Android Device. To find compromised passwords on your Android device, open the Google Chrome app and tap the three-dot icon in the top-right corner. Then go to Settings > Passwords and tap Check passwords.
What is the number 1 most used password?
- 123456
- 123456789
- qwerty
- password
- 12345
- qwerty123
- 1q2w3e
- 12345678
It's being called the biggest breach of all time and the mother of all breaches: COMB, or the Compilation of Many Breaches, contains more than 3.2 billion unique pairs of cleartext emails and passwords.
Do people still use pwned?
People do still use the word online in its original meaning — just search for it on your preferred social media site — but, in truth, its popularity simply ebbed away in time. Such is the fate of most jargon, of course.
Should I change my password if I have been pwned?
Changing your password is the most important thing to do if your account has been pwned. If you have reused your password on other accounts, you should change passwords for those accounts as well. Criminals will try to access accounts with payment details and other valuable data.
Why is pwned offensive?
At this point, pwn allegedly meant to demote or dethrone someone, but the slang was quickly picked up by early computer users that exchanged messages on FidoNet, a system created in the 1980s for exchanging emails or text on digital bulletin boards. This is where pwn slowly transformed into the insult we know today.
What are the 6 methods that criminals employ to steal your password?
- Phishing. Phishing is when a hacker posing as a trustworthy party sends you a fraudulent email, hoping you will reveal your personal information voluntarily. ...
- Man-in-the-Middle Attack. ...
- Brute Force Attack. ...
- Dictionary Attack. ...
- Credential Stuffing. ...
- Keyloggers.
- On your Android phone or tablet, open Chrome.
- At the top right, tap More.
- Tap Settings, then Password Manager.
- Show, delete, edit, or export a password. Show: tap the password that you want to show, then Show password. Delete: tap the password that you want to remove, then at the top, tap Delete.
In 2016, plenty of security vulnerabilities were reported by white-hat hackers and security experts. Among the affected password managers were LastPass, Dashlane, 1Password, and Keeper. In most cases, the attacker would still have to use phishing to trick the user into revealing some data.
How do you check who made changes in Active Directory?
To track user account changes in Active Directory, open "Windows Event Viewer", and go to "Windows Logs" ➔ "Security". Use the "Filter Current Log" option in the right pane to find the relevant events.
How do I find out who modified my AD account?
- Open "Windows Event Viewer"
- Go to "Windows Logs" ➔ "Security"
- In the right pane, click the "Filter Current Log" option to list the relevant events.
By default, the Active Directory domain password policy has the following settings: Enforce password history – the default value is 24 passwords. This means users can use a password again until 24 passwords later.
What are the NIST password guidelines 2022?
NIST now recommends a password policy that requires all user-created passwords to be at least 8 characters in length, and all machine-generated passwords to be at least 6 characters in length. Additionally, it's recommended to allow passwords to be at least 64 characters as a maximum length.
What is fine-grained password policy in Active Directory?
Fine-grained password policies apply only to global security groups and user objects (or inetOrgPerson objects if they are used instead of user objects). By default, only members of the Domain Admins group can set fine-grained password policies.
What is the difference between PasswordLastSet and PwdLastSet?
The pwdLastSet attribute is a LargeInteger where dates are represented as the number of ticks (100-nanosecond intervals) since 12:00 am January 1, 1601. The PasswordLastSet property converts the LargeInteger into a datetime in the current time zone.
How to see when a user last changed their password in Active Directory?
- Click the Permissions & Privileges icon and select Password Older than n Days.
- Specify a domain name.
- Click Generate Report.
- The report shows the date the password was last changed.
- The report can be filtered, sorted, saved, and exported.
Use the Net User command to display the date and time you last set your Windows 10 user account password. Check the "Password last set" output of the net user %username% command.
Is pwned passwords legit?
Is "Have I Been Pwned?" legit? Yes, it is. To date, HIBP has been around for almost a decade, and through the years, it has only proven itself to be an essential tool for everyday internet users, governments, and organizations alike.
What does being pwned mean?
What does "pwned" mean? The word "pwned" has origins in video game culture and is a leetspeak derivation of the word "owned", due to the proximity of the "o" and "p" keys. It's typically used to imply that someone has been controlled or compromised, for example "I was pwned in the Adobe data breach".
What does pwned account mean?
What does being pwned mean? Being pwned means that someone has taken control of your email address, or a user profile that has been created with it.
How does pwned work?
The service collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps.
Can a Trojan steal my passwords?
Trojan stealers
These stealthy spies, once on your device, usually display no visible signs of activity. After all, the longer they remain under the radar, the more of your data they can steal and pass to their handlers, such as passwords for banking apps or gaming services.
There are a variety of types of Trojans, many of which can launch sophisticated and clever attacks. Here are some types to be aware of: Password-stealing Trojans—These look for saved passwords on your computer and email them to the hackers. Some can even steal passwords cached in your browser history.
Can I tell if my email has been hacked?
You can't sign into your email account. Hackers will often lock you out of your account as soon as they get access. If your normal email password isn't working, there's a good chance you've been hacked. There are strange messages in your "Sent" folder.
What is a data breach pwned?
Breaches you were pwned in
A "breach" is an incident where data has been unintentionally exposed to the public. Using the 1Password password manager helps you ensure all your passwords are strong and unique such that a breach of one service doesn't put your other services at risk.
Some of the warning signs that you've been hacked include:
You receive emails or text messages about login attempts, password resets, or two-factor authentication (2FA) codes that you didn't request. You see logins from devices and locations you don't recognize in your account activity or sign-in logs.
How accurate is the website haveibeenpwned.com? It's quite accurate and it's being run by an industry veteran (Troy Hunt), so if you've found yourself in their database, make sure to change the password for the affected websites/services immediately.
Should I use Have I Been Pwned?
Have I Been Pwned is a useful resource for finding out when you've been affected by a data breach, but it's best to get ahead of the problem by making your accounts more secure. Two important steps, Hunt says, are enabling multifactor authentication and using a password manager to generate and save strong passwords.
Why is it spelled pwned?
Background – pwned
When the computer beat a player, a message along the lines of "X has been owned" should have been displayed. Instead, it said "X has been pwned". A related, and perhaps more convincing, theory is that pwned derives from a simple keyboard error, p being next to o on a standard QWERTY keyboard.
Have I Been Pwned was created in 2013 by Australian security researcher Troy Hunt, who has so far collected over 11,599,230,942 pwned accounts from more than 564 data breaches.