Penetration Testing mailing list archives

Re: Query for blank passwords in Active Directory


From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Fri, 6 Apr 2007 21:02:18 -0700

Most of the same answers to this question have already been given on the Focus-MS list where the OP originally asked the question. Apparently, the answer sought must be "easy."

You can't query AD for the user password via standard tools. And without knowing what version of AD the OP is referring to, we can't really accurately provide an answer. pwdump2 will dump AD password hashes from Win2k from which one can determine NULL entries, but it doesn't work on Win2k3.

But it is trivial to write a script to determine which users have a NULL password by using a bit of logic... Script a "change password" from NULL to NULL and see which ones succeed (If policy allows NULL passwords, it is doubtful that it will require X unique passwords, you see). Harlan Carvey already suggested this (kind of) on the MSFT list...

This should make it easy enough...
<triv>
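' Suppress runtime errors so each ChangePassword result can be read from Err
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2

' Password to test as both the old and the new value: blank
strPassword = ""

' Open an ADO connection to Active Directory through the ADSI provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Page the results and search the whole subtree under the base DN
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' Return the ADsPath of every user object in the domain
objCommand.CommandText = _
"SELECT AdsPath FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
   strPath = objRecordSet.Fields("AdsPath").Value
   ' Bind to the user object and attempt a blank-to-blank password change
   Set strUser = GetObject(strPath)
   strUser.ChangePassword strPassword, strPassword
   ' Err = 0: the change was accepted. -2147023569 is 0x8007052F
   ' (Win32 error 1327, ERROR_ACCOUNT_RESTRICTION), also reported as a hit.
   If Err = 0 Or Err = -2147023569 Then
       Wscript.Echo strUser.CN
   End If
   ' Reset the error state before testing the next account
   Err.Clear
   objRecordSet.MoveNext
Loop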
</triv>


Oddly enough, this script was the top hit on Google before this thread started when "query active directory for blank passwords" was submitted. Amazing how copy and paste still works! ;)

Anyway, that's the way to do it.

HTH

t
----
Timothy Mullen, MVP, MCSE, MCT, MCSD
Vice President of Consulting Services
NGS Software
www.ngssoftware.com






----- Original Message -----
From: "Marco Ivaldi" <raptor () mediaservice net>
To: <pen-test () securityfocus com>
Sent: Thursday, April 05, 2007 3:43 AM
Subject: Re: Query for blank passwords in Active Directory


Igor,

On Thu, 5 Apr 2007, Teh Fizzgig wrote:

igor.mamuzic () koncar-inem hr wrote:
Hi all,

Is there any way to get a list of Active Directory users with blank passwords? Of course, I'm attempting to discover such user accounts with domain admin privileges.
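
A defender-side view of the sweep described in the message above, as an added example that is not part of the original post: the script makes one password-change attempt per user, which on systems that audit account management appears as a burst of event 4723 ("an attempt was made to change an account's password") from a single account. The flat log layout, account names, timestamps and thresholds below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Security-log events flattened to one line each as
# "timestamp event_id subject_account target_account result".
# This layout is an assumption of the example, not a real export format.
SAMPLE_LOG = """\
2024-04-06T21:00:01 4723 auditor1 alice Failure
2024-04-06T21:00:01 4723 auditor1 bob Failure
2024-04-06T21:00:02 4723 auditor1 carol Success
2024-04-06T21:00:02 4723 auditor1 dave Failure
2024-04-06T21:00:03 4723 auditor1 erin Failure
2024-04-06T21:05:00 4624 frank frank Success
2024-04-06T21:07:10 4723 frank frank Success
2024-04-06T22:30:00 4723 helpdesk1 alice Failure
"""


def find_password_change_sweeps(log_text, min_targets=5, window=timedelta(minutes=1)):
    """Flag accounts that tried to change passwords on many users within one window."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "4723":
            continue  # skip malformed lines and unrelated events
        attempts[parts[2]].append((datetime.fromisoformat(parts[0]), parts[3], parts[4]))

    findings = {}
    for subject, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window start forward
            in_window = events[start:end + 1]
            if len({target for _, target, _ in in_window}) >= min_targets:
                hit = findings.setdefault(subject, {"targets": set(), "succeeded": set()})
                for _, target, result in in_window:
                    hit["targets"].add(target)
                    if result == "Success":
                        hit["succeeded"].add(target)  # change accepted: review this account
    return findings


if __name__ == "__main__":
    print(find_password_change_sweeps(SAMPLE_LOG))
```

Accounts listed under "succeeded" are the ones where the change went through and whose passwords need to be reset.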


