Penetration Testing mailing list archives
Re: Query for blank passwords in Active Directory
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Fri, 6 Apr 2007 21:02:18 -0700
Most of the same answers to this question have already been given on the Focus-MS list where the OP originally asked the question. Apparently, the answer sought must be "easy."
You can't query AD for the user password via standard tools. And without knowing what version of AD the OP is referring to, we can't really accurately provide an answer. pwdump2 will dump AD password hashes from Win2k from which one can determine NULL entries, but it doesn't work on Win2k3.
But it is trivial to write a script to determine which users have a NULL password by using a bit of logic... Script a "change password" from NULL to NULL and see which ones succeed (If policy allows NULL passwords, it is doubtful that it will require X unique passwords, you see). Harlan Carvey already suggested this (kind of) on the MSFT list...
This should make it easy enough...

<triv>
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2
strPassword = ""   ' blank value used as both the old and the new password

' Query the directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
    "SELECT AdsPath FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='user'"

Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strPath = objRecordSet.Fields("AdsPath").Value
    Set strUser = GetObject(strPath)
    ' Attempt the NULL-to-NULL change described above
    strUser.ChangePassword strPassword, strPassword
    ' 0 = change succeeded; -2147023569 = 0x8007052F (ERROR_ACCOUNT_RESTRICTION)
    If Err = 0 Or Err = -2147023569 Then
        Wscript.Echo strUser.CN
    End If
    Err.Clear
    objRecordSet.MoveNext
Loop
</triv>

Oddly enough, this script was the top hit on Google before this thread started when "query active directory for blank passwords" was submitted. Amazing how copy and paste still works! ;)
Anyway, that's the way to do it.

HTH

t

----
Timothy Mullen, MVP, MCSE, MCT, MCSD
Vice President of Consulting Services
NGS Software
www.ngssoftware.com

----- Original Message -----
From: "Marco Ivaldi" <raptor () mediaservice net>
To: <pen-test () securityfocus com>
Sent: Thursday, April 05, 2007 3:43 AM
Subject: Re: Query for blank passwords in Active Directory

Igor,

On Thu, 5 Apr 2007, Teh Fizzgig wrote:

igor.mamuzic () koncar-inem hr wrote:

Hi all,

Is there any way to get a list of Active Directory users with blank passwords? Of course, I'm attempting to discover such user accounts with domain admin privileges.
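
A read-only complement to the password-change test in the message above, added here as an example and not code from the thread or its authors. It goes beyond the post: it scans an LDIF export for enabled accounts whose userAccountControl has PASSWD_NOTREQD (0x20) set, meaning a blank password is permitted on them regardless of the domain's minimum-length policy, and lists accounts with adminCount=1 first. The sample records, account names and function names are constructed for illustration.

```python
import base64

# userAccountControl bits (documented Active Directory flag values)
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020

# Constructed sample in LDIF export style; every name and value is made up.
SAMPLE_LDIF = """\
dn: CN=Bob User,CN=Users,DC=fabrikam,DC=com
sAMAccountName: buser
userAccountControl: 512

dn: CN=Old Service,OU=Serv
 ices,DC=fabrikam,DC=com
sAMAccountName:: c3ZjX29sZA==
userAccountControl: 544

dn: CN=Alice Admin,CN=Users,DC=fabrikam,DC=com
sAMAccountName: aadmin
userAccountControl: 544
adminCount: 1

dn: CN=Gone User,CN=Users,DC=fabrikam,DC=com
sAMAccountName: guser
userAccountControl: 546
"""

def parse_ldif(text):
    """Yield one dict per record (last value wins for repeated attributes)."""
    # Normalise CRLF, then undo RFC 2849 folding (continuation = leading space).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.strip().split("\n\n"):
        record = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):            # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            record[attr.lower()] = value.strip()
        if record:
            yield record

def blank_password_candidates(text):
    """Enabled accounts with PASSWD_NOTREQD set, privileged (adminCount=1) first."""
    hits = []
    for rec in parse_ldif(text):
        uac = int(rec.get("useraccountcontrol", "0"))
        if uac & UF_PASSWD_NOTREQD and not uac & UF_ACCOUNTDISABLE:
            hits.append((rec["samaccountname"], rec.get("admincount") == "1"))
    return sorted(hits, key=lambda h: not h[1])
```

A hit means a blank password is allowed on the account, not that one is set; it narrows the list of accounts worth confirming.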