Description

This will retrieve a list of users from your AD and then test a common password on the accounts, giving you a text file of the results. Useful for checking very easy passwords, e.g. “password”.

PLEASE NOTE: you can lock yourself out with this code as well as every other user account!!! In theory if you have account lockout set to more than three attempts you should be fine to run this once (which is what it was intended for).

If you are finding easy passwords you should create a GPO to enforce password complexity.

Source Code

/*
 * Date: 10/03/2010

 */
using System;
using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices;
using System.IO;

namespace CheckLDAPUsers
{      
       class checkADpassword
       {
              public static void Main(string[] args)
              {
                     string ldapIP;
                     string accessUser;
                     string accessPW;
                     string checkPW;
                     bool authenticate = false;
                     
                     //Get password to check
                     Console.WriteLine("Enter password to check: ");
                     checkPW = Console.ReadLine();
                     Console.WriteLine("Enter AD IP Address: ");
                     ldapIP = "LDAP://" + Convert.ToString(Console.ReadLine());
                     Console.WriteLine("Enter username for AD: ");
                     accessUser = Console.ReadLine();
                     Console.WriteLine("Enter password to connect to AD: ");
                     accessPW = Console.ReadLine();
                     Console.WriteLine();
                     Console.WriteLine("Analysing. Please wait...");
                     Console.WriteLine();
                     
                     //Write to file
                     string outputFile = checkPW + ".txt";
                     TextWriter output = new StreamWriter(outputFile);
                     
                     //new directory connection.
                     DirectoryEntry getDE = new DirectoryEntry(ldapIP, accessUser, accessPW, AuthenticationTypes.Secure);
                     
                     //New Directory search filtered to Person objects
                     DirectorySearcher deSearch = new DirectorySearcher(getDE);
                     deSearch.Filter = "(&(objectClass=user)(objectCategory=Person))";
                     SearchResultCollection search = deSearch.FindAll();
                     
                     //Iterate through the results.
                     foreach(SearchResult result in search)
                     {
                           string theProperty = "samaccountname";
                           
                           ResultPropertyCollection resultProps = result.Properties;
                           
                           foreach(string prop in resultProps.PropertyNames)
                           {                                 
                                  if(prop == theProperty)
                                  {
                                         foreach(object theObject in resultProps[prop])
                                         {
                                                //check authentication.
                                                authenticate = false;
                                                try{
                                                       DirectoryEntry entry = new DirectoryEntry(ldapIP, theObject.ToString(), checkPW);
                                                       object nativeObject = entry.NativeObject;
                                                       authenticate = true;
                                                       output.WriteLine("{0} , {1}", theObject, authenticate);
                                                       entry.Dispose();
                                                }
                                                catch(DirectoryServicesCOMException)
                                                {
                                                       output.WriteLine("{0} , {1}", theObject, authenticate);
                                                }
                                                
                                         }
                                  }
                           }
                     }
                     
                     //Close connections.
                     getDE.Dispose();
                     output.Close();
                     Console.WriteLine("Analysis is complete. See {0}.txt.", checkPW);
                     Console.WriteLine("Press any key to continue.....");
                     Console.Read();
                                         
              }
       }
       
}

4 Spice ups
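
The script above makes one bind attempt per account from a single machine, so on the domain controller it looks the same as a password-spray attack: one source, many accounts, one or two failures each. As an added example (not part of the original post), this Python code flags that pattern in exported failed-logon records; the record layout, addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hms):
    return datetime.strptime(hms, "%H:%M:%S")


# Constructed sample of failed-logon records: (time, source address, account).
SAMPLE = (
    # One failure per account across many accounts: the pattern this tool makes.
    [(_t(f"09:00:{i:02d}"), "10.0.0.50", f"user{i:02d}") for i in range(12)]
    # Many failures against one account: not a spray.
    + [(_t(f"09:01:{i:02d}"), "10.0.0.77", "svc_backup") for i in range(12)]
    # A user mistyping their own password twice.
    + [(_t("09:02:10"), "10.0.0.23", "alice"), (_t("09:02:25"), "10.0.0.23", "alice")]
)


def find_spray_sources(events, window=timedelta(minutes=5),
                       min_accounts=10, max_per_account=2):
    """Map each flagged source to the accounts it failed against.

    A source is flagged when, inside one sliding window, it has failures for
    at least min_accounts distinct accounts and at most max_per_account each.
    """
    by_source = defaultdict(list)
    for when, source, account in events:
        by_source[source].append((when, account))
    flagged = {}
    for source, rows in by_source.items():
        rows.sort()
        start, counts = 0, defaultdict(int)
        for when, account in rows:
            counts[account] += 1
            # Drop records that have fallen out of the window.
            while when - rows[start][0] > window:
                old = rows[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[source] = sorted(counts)
                break
    return flagged


if __name__ == "__main__":
    print(find_spray_sources(SAMPLE))
```

An alert from this rule during a planned audit run is expected; the same alert at any other time is worth investigating.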

Please ensure you understand the risk before running this too many times!

It's like you said. Everyone will get locked out. Spooky.

Interesting script though. I would turn off account locking before running, just in case.

I used to have a program that would do this: l0pht-crack. (Um. Maybe I shouldn’t admit to that. Oh, well. I’m somewhat reformed.) Is there a way to take the AD database (well, a copy of it) “offline” for testing? I think that’s what LC did, and it prevented large numbers of users standing at my desk with torches and pitchforks. Thanks for sharing this. Cheers.

You could always take a VM copy of your DC and remove any VNICs and then run it. In theory if you have lockout set to more than three attempts you should be fine to run this once (which is what it was intended for).

Neat! But like Justin said, turn off account locking. Better to be safe than sorry!

I might be a little thick here, but how do you run the script? Thanks

@adam_durrant You need to compile this as it’s C#.

@Ozboing How do I do that then? Thanks

Cool idea, thanks.

Cool idea, the lockout thing is a little scary though. (It will give you headaches for years!) Last time I did a password analysis I just dumped the hashes from our DC and ran them through ophcrack. No lockouts :)