How to find Breached Passwords with PowerShell

How to find Breached Passwords with PowerShell can easily become a problem in an organization’s Active Directory environment. For example, end-users often use passwords that are easily guessed and meet the criteria for complex passwords, but are not actually secure. An example of this is using the password “P@$$w0rd123.” It meets the technical definition of complex, but is easily hacked.

Due to modern cybersecurity threats, it is a priority to find breached passwords in Active Directory; however, there is no native way in Active Directory to identify breached passwords.

Why breached passwords are so dangerous?

Read also: Trucking Industry is still a Prime Target for Cybercriminals

An admin that is trying to do good might think that even if a password from a breached database is used by someone in their organization, it isn’t the same account. And they would be right, an attacker needs the valid account and password to be a match before they can technically “log in”. However, attackers can use these known passwords in certain attacks to “figure out” which accounts are using them.

Password spraying attacks involve using a few known passwords and spraying them at a large number of accounts to see if any of the passwords are found to work. Attackers often use breached password lists of known passwords that users have chosen before.

The problem is that we as humans tend to think alike. Let’s say, for example, one user thinks of a password that uses certain transformations in characters and a certain combination of special characters. It’s highly likely that another user, in a completely different organization, will think of the same password. Attackers know this, and they often use passwords from previous breaches to try to break into other accounts.

Most users have to juggle multiple passwords for different systems, both on-premises and in the cloud. weak passwords are easily guessed by hackers and if one password is compromised, all systems using that password are compromised.

Experts Study on Password Data Breach

According to a 2019 Google study, which polled Harris Poll, only 35 percent of people use a different password for every online account they have. Thirteen percent of people use the same password across all accounts, while 52 percent use the same password for multiple (but not all) accounts.

If legitimate credentials are found to gain access to a critical system, attackers can “go right through the front door” with little effort, compromising business-critical data. In the 2021 Data Breach Investigations Report published by Verizon, it was stated:

Credentials are one of the most desirable types of information for an attacker, according to the same report.

According to the IBM Cost of a Data Breach 2020 report, the credential compromise increases the cost of data breach events.

How to find breached passwords with PowerShell

Active Directory does not have any built-in way to discover breached passwords or protect against them. However, businesses can use PowerShell to find breached passwords that are in use.

The National Counterintelligence and Security Center (NCSC) has released a PowerShell module called pwauditor which makes use of a module called DSInternals to find breached passwords in use by end-users.

Install-Module -Name DSInternals -RequiredVersion 2.22

When the module is installed, it is placed in the following directory:

C:\Program Files\WindowsPowerShell\Modules\DSInternals\2.22

Copy the “DSInternals” directory into the unzipped directory for the pwauditor download. Also, you will need to place all the files in the 2.22 directory inside the parent DSInternals directory. The directory structure will look like this:

Now, run your command as follows:

.\pwauditor -DC dctest1.neptune.local -NC “dc=neptune,dc=local” -blacklists

Both the “results.txt” and “results.json” files show how many passwords from the breached password lists were found.

The results file only tells you that the password was found in the searched user accounts, not which user account is affected. This leaves organizations vulnerable to simple password lists. To ensure password security against modern cybersecurity threats, checking accounts against large breached password databases, in real-time, is necessary.

An easier approach than PowerShell is using Specops Password Auditor

The native Active Directory capabilities can be improved by using PowerShell, but it can be difficult to use and maintain. The NCSC script is an open-source option that could provide the visibility you need, but it might not be actively supported or reliable.

Specops Password Auditor is a tool that lets you find breached passwords in Active Directory. It quickly scans your environment for breached passwords from our combined list of 750M+ known breached passwords and can show you admin entropy, repeated passwords, policy compliance and more.

Wrapping it up

Organizations looking to bolster their account security prioritize finding breached passwords in Active Directory. However, Active Directory does not natively have a feature to gain visibility to breached passwords used in the environment. PowerShell tools can help to have visibility to breached passwords despite a few challenges of its own, including lifecycle management and support.

Leave a Comment