Identifying Shared Passwords in Active Directory with Invoke-PWAudit

Privileged Accounts and Password Sharing

A common security practice within Windows domains is to require separate accounts for privileged actions. This way, IT administrators and other privileged users only cache privileged credentials in the environment when they need to perform specific tasks. This is an effective way of reducing the likelihood that an attacker can compromise accounts with privileged access on the network.

We commonly see these special privileged accounts denoted with specific prefixes and suffixes. Take the following scenario as an example:

User John Smith is an IT administrator with Domain Admin privileges. He has two accounts, “john_smith” and “john_smith_a”. Day to day, he logs into his workstation with the “john_smith” account, which has no elevated privileges. When he needs to perform administrative tasks, he logs in with “john_smith_a”, a member of the Domain Admins group. By doing so, he reduces how often his Domain Admin credentials are cached somewhere on the network.

We also see similar scenarios across multiple Windows domains. For instance, John Smith may also have an account in a parent domain, “PARENT\john_smith”, that allows him to access resources in a more privileged domain environment.

Managing privileged accounts in this manner can be an effective tool to reduce the attack surface of your Active Directory environments, and we recommend it! Unfortunately, all too often we find that passwords are shared between these accounts. This effectively ruins any separation of privilege and defeats the purpose of having different accounts for privileged and non-privileged actions.

Users are bound to share passwords between multiple accounts; it’s hard to remember multiple complex passwords for two or more accounts. The problem is exacerbated by the fact that there aren’t defenses against this type of issue baked into Active Directory.

To address this issue, we developed a tool for red and blue teams to audit shared passwords in an Active Directory environment: Invoke-PWAudit.

 

Invoke-PWAudit

Invoke-PWAudit is a PowerShell tool that provides an easy way to check for shared passwords between Windows Active Directory accounts. It can search for similarly named accounts either within a single Windows domain or across multiple domains. If you already know the accounts you want to test, you can also provide the tool with a CSV file of account sets.

The tool leverages Mimikatz's DCSync function to pull password hashes from Active Directory and compares these hashes between the identified users. This means that Domain Administrator-level permissions are required to run Invoke-PWAudit. If you are comparing accounts across domains, however, Domain Administrator is only needed in one domain; the tool can then use the password hashes to attempt authentication in the other domain.

In this example, we check for users within the "golden.eagle.bank" domain with matching root usernames and "_a" appended. Then, we check to see if they are sharing passwords.

The tool is designed to be useful for both blue teams and red teams. Network defenders and IT admins can audit their users' accounts to check for password sharing. Red teamers can make use of the -TestAuth option to identify shared passwords when looking to escalate privileges across domains.
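The pairing and comparison step described above, sketched for a blue-team audit as an added example (this is not Invoke-PWAudit's code). The function name, the CSV column names and every account and hash value are assumptions constructed for illustration; the input stands in for hash data already obtained through an authorized audit.

```powershell
# Added example, not Invoke-PWAudit code. Accounts and hash values below are
# constructed placeholders standing in for an authorized audit export.
$records = @'
SamAccountName,NTHash
john_smith,HASH-PLACEHOLDER-0001
john_smith_a,HASH-PLACEHOLDER-0001
jane_doe,HASH-PLACEHOLDER-0002
jane_doe_a,HASH-PLACEHOLDER-0003
svc_backup,HASH-PLACEHOLDER-0004
bob_lee_a,HASH-PLACEHOLDER-0005
'@ | ConvertFrom-Csv

# Hypothetical helper: pairs each "<root><suffix>" account with "<root>" and
# reports whether the two hashes match. NT hashes are unsalted, so identical
# passwords always produce identical hashes.
function Find-SharedPrivilegedPassword {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [string] $Suffix = '_a'   # assumed naming convention for privileged accounts
    )

    # Index hashes by lower-cased account name (AD account names are case-insensitive).
    $byName = @{}
    foreach ($r in $Records) { $byName[$r.SamAccountName.ToLowerInvariant()] = $r.NTHash }

    foreach ($name in @($byName.Keys | Sort-Object)) {
        if (-not $name.EndsWith($Suffix, [StringComparison]::OrdinalIgnoreCase)) { continue }
        if ($name.Length -le $Suffix.Length) { continue }

        $root = $name.Substring(0, $name.Length - $Suffix.Length)
        if (-not $byName.ContainsKey($root)) { continue }   # privileged account with no standard twin

        # A missing hash must never count as a match between two accounts.
        $hasHash = -not [string]::IsNullOrEmpty($byName[$root])
        $shared  = $hasHash -and ($byName[$root] -eq $byName[$name])

        # Report only the verdict; the hash itself is never written to output.
        [pscustomobject]@{
            StandardAccount   = $root
            PrivilegedAccount = $name
            SharedPassword    = $shared
        }
    }
}

Find-SharedPrivilegedPassword -Records $records | Format-Table -AutoSize
```

On the constructed data, john_smith / john_smith_a is flagged as sharing a password, jane_doe / jane_doe_a is not, and bob_lee_a is skipped because it has no matching standard account.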

 

The tool and more information on its use are available on our GitHub: https://github.com/ubeeri/Invoke-PWAudit