In my experience as a security consultant, one of the more arduous tasks that I've had to perform was auditing account passwords for Active Directory domains. One of the main reasons for this was to identify weak passwords used by administrative or service accounts, with the aim of highlighting these to clients so that they could further harden their systems.
Previously I had imported the usernames and cracked passwords into an Excel spreadsheet that I had created, but this still required a mostly manual review for difficult password 'variations'. At the very least it would have required further macro scripting, which is something that I definitely didn't want to do.
There have been several password analysis tools that both colleagues and I have used, but none of these provided the level of depth that I wanted. Most importantly, none of them provided the output that I wanted.
Pwdlyser and Pwdlyser GUI
In 2015 I wrote the original Pwdlyser in Python, which had several input arguments that users could use to audit against different requirements. Over time this grew into a more fully-featured tool, with numerous input arguments and output options.
There is now a Windows version available that provides the same quality of auditing as the command-line version, with the added benefit of several more features and an easy-to-use GUI.
All example usernames and passwords shown within these images have been created for demo purposes. Some passwords are representative of real-life passwords, with some variation.
Analysis Features and Functionality
The current feature set offers a wide variety of analysis options that have been industry-tested by security consultants and pentesters, and of course by clients using the results to inform staff security awareness and the implementation of technical controls. These features include:
- Character frequency analysis
- Password length analysis
- Password frequency analysis
- Common password usage
- Password re-use within or between user accounts
- Keyboard pattern analysis
- Passwords using a variation of date/time/etc
- User accounts that utilise a variation of the Organisation Name
- Hashcat mask frequency analysis
- Passwords that contain a variation of the Username
- Administrative/Service accounts that were able to be cracked
- User account password history and trend analysis
There are two formats that Pwdlyser can process, but thankfully these are the default exports of Hashcat and John-The-Ripper. Each input file must have one credential set per line, delimited in either of the following formats:
Password Reverse Engineering
Something that other tools didn't offer was the ability to 'reverse engineer' the cracked passwords when auditing against certain checks. For example, a user may be using P4s$w0rd as their password, which Pwdlyser would report through the analysis as a variation of the word password. This feature is available within Pwdlyser and Pwdlyser GUI.
Organisation Names in Passwords
Using this functionality has been shown to greatly improve the automation and resulting accuracy of password analysis. Not only does it work on common passwords, but it paves the way for reviewing other types of issue. One of these is the use of an organisation name (or similar) within passwords. As you may expect, I cannot provide real-life examples.
However, as a rough example, let's assume the organisation name is 'Demo Org'. For this, we may see passwords such as !dem0org. In my experience I have seen many different organisations have staff passwords that are a variation of the username. Some with over 20% of the account passwords using the organisation name!
Frequency, Character, and Hashcat Mask Analysis
Pwdlyser is not only useful for security consultants/penetration testers like myself, but also for businesses and organisations that are interested in further enhancing all aspects of their security, which they may do through internal password auditing of their domains and systems.
A key analysis output here is the ability to list the most common passwords in use on an analysed system. Here, it will be evident where users are setting similar and weak passwords. One real-life example I've seen from an organisation using this was where their IT Service Desk were resetting user account passwords to a specific format based on the current date.
The character analysis and Hashcat mask features are more aimed at users that want to utilise Pwdlyser to potentially crack more passwords within the original target export. There are two methods of doing so (three if you include the baseline wordlist creation feature in Pwdlyser CLI):
- Manually reviewing the character frequency analysis results and creating custom masks for Hashcat or John-The-Ripper.
- Using the auto-generated Hashcat masks, which are listed by number of occurrences.
Personally, I regularly use the results from Hashcat mask frequency analysis and have usually gained an extra 5-10% of cracked passwords when performing an audit.
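The mask-frequency method described above, as an added example written for this article (not Pwdlyser's own code): each cracked password is converted to a Hashcat mask built from the ?l, ?u, ?d and ?s charset tokens, and the masks are counted so that the most common structures can be fed back into a mask attack against the uncracked remainder. The password list is constructed for the demo.

```python
# Added example for this article, not Pwdlyser's implementation: derive
# Hashcat masks (?l ?u ?d ?s) from cracked passwords and rank them by frequency.
from collections import Counter

# Constructed sample of cracked passwords (not real data).
SAMPLE_PASSWORDS = [
    "Summer2019!", "Winter2019!", "Autumn2018!",
    "password1", "welcome1",
    "P4s$w0rd", "Qwerty123",
]


def char_class(ch: str) -> str:
    """Map one character to the Hashcat built-in charset it belongs to."""
    if ch.islower():
        return "?l"
    if ch.isupper():
        return "?u"
    if ch.isdigit():
        return "?d"
    return "?s"  # punctuation/symbols; non-ASCII would need a custom charset


def password_to_mask(password: str) -> str:
    """'Summer2019!' -> '?u?l?l?l?l?l?d?d?d?d?s'"""
    return "".join(char_class(c) for c in password)


def mask_frequency(passwords):
    """(mask, count) pairs, most frequent first."""
    return Counter(password_to_mask(p) for p in passwords).most_common()


def hcmask_lines(passwords, top_n=5):
    """The top-N masks, one per line, as a .hcmask file expects them."""
    return "\n".join(mask for mask, _ in mask_frequency(passwords)[:top_n])


if __name__ == "__main__":
    for mask, count in mask_frequency(SAMPLE_PASSWORDS):
        print(f"{count:3d}  {mask}")
```

Writing the output of `hcmask_lines` to a file gives a mask list that Hashcat's mask attack mode (`-a 3`) accepts directly as the mask argument, so the structures observed in the already-cracked set drive the next cracking run.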
Password Sharing and Reuse
Within each tool there is the functionality to automatically check for password sharing/reuse between user accounts; most importantly, between low-privileged and high-privileged user accounts that are similarly named.
A prime attack vector that is commonly seen is the use of hyphenated or otherwise delimited usernames to distinguish an administrator's low- and high-privileged accounts on the domain. An example of this would be bobjones as the standard user account and bobjones-da as the high-privileged account. Pwdlyser uses various checks to audit the password list and reports any user account, together with the account it shares with, that uses the same password.
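The shared-password check between linked accounts, as an added example written for this article (not Pwdlyser's own code): accounts are grouped by password, and any group that contains two accounts resolving to the same base username (bobjones and bobjones-da) is reported. The list of privileged-account markers and the credential sample are assumptions constructed for the demo.

```python
# Added example for this article, not Pwdlyser's implementation: find password
# reuse between accounts, in particular between a standard account and its
# similarly named privileged counterpart (e.g. bobjones / bobjones-da).
from collections import defaultdict

# Constructed sample: (username, cracked password). Not real data.
SAMPLE_CREDS = [
    ("bobjones", "Summer2019!"),
    ("bobjones-da", "Summer2019!"),
    ("alice", "Winter2019!"),
    ("alice_admin", "Qwerty123"),
    ("svc-backup", "Winter2019!"),
    ("carol", "unique-pass-xyz"),
]

# Markers used to denote privileged accounts. Assumed list for the demo;
# adjust to the naming convention of the domain being audited.
PRIV_MARKERS = ("-da", "_da", "-adm", "_adm", "-admin", "_admin", "adm-", "admin-")


def base_username(username: str) -> str:
    """Strip a privileged-account marker so bobjones-da maps to bobjones."""
    u = username.lower()
    for marker in PRIV_MARKERS:
        if marker.startswith(("-", "_")) and u.endswith(marker):
            return u[: -len(marker)]
        if marker.endswith("-") and u.startswith(marker):
            return u[len(marker):]
    return u


def shared_passwords(creds):
    """Group accounts by password; keep only passwords used by 2+ accounts."""
    by_password = defaultdict(list)
    for user, pw in creds:
        by_password[pw].append(user)
    return {pw: users for pw, users in by_password.items() if len(users) > 1}


def linked_account_reuse(creds):
    """(base name, accounts) where linked low/high-privilege accounts share a password."""
    hits = []
    for users in shared_passwords(creds).values():
        by_base = defaultdict(list)
        for u in users:
            by_base[base_username(u)].append(u)
        for base, group in by_base.items():
            if len(group) > 1:
                hits.append((base, sorted(group)))
    return sorted(hits)


if __name__ == "__main__":
    for pw, users in shared_passwords(SAMPLE_CREDS).items():
        print(f"shared by {len(users)} accounts: {', '.join(users)}")
    for base, group in linked_account_reuse(SAMPLE_CREDS):
        print(f"linked accounts for '{base}' share a password: {group}")
```

`shared_passwords` reports every reuse, including the unrelated alice/svc-backup pair, while `linked_account_reuse` narrows that to the high-value case the section describes.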
Administrative Account Audit
An often overlooked, yet very simple check is to ensure that any high-privileged accounts do not have weak passwords. I define a weak password here as something that I could crack on a GPU within a reasonable time. Of course this assumes some sort of credential-harvesting attack has been performed to obtain the hash.
Exporting a list of administrative user names and using them within the admin/administrative accounts check will display the results within the table views or automated summaries. From here, a general recommendation would be to change the passwords to a more secure value.
Passwords using Usernames
Another common attack vector that I've used during penetration testing engagements is to enumerate usernames from a system and then attempt to gain access to these accounts using a variation of the username as the password. This is often successful, possibly due to organisations believing that these passwords are sufficiently secure. Of course, the implementation of rate limiting or lockout thresholds greatly hinders live brute-force attacks, and is highly recommended.
Nevertheless, Pwdlyser incorporates this check within its standard analysis options. Passwords using variations of the respective username will be reported to the end-user, which can range from simple substitutions of some characters (e.g. sq1user) to multiple iterations of this.
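The 'reverse engineering' idea underlies three of the checks discussed above: variations of a common word (P4s$w0rd), of the organisation name (!dem0org) and of the account's own username (sq1user). The following is an added example written for this article, not Pwdlyser's own code: each base word is turned into a regular expression that tolerates the usual character substitutions, which handles ambiguous cases such as `1` standing for either `l` or `i`. The substitution table and the credential sample are assumptions constructed for the demo.

```python
# Added example for this article, not Pwdlyser's implementation: match a
# cracked password against a base word while tolerating the usual character
# substitutions, then apply that to common words, the organisation name and
# the account's own username.
import re

# Letters and the characters commonly substituted for them (assumed table).
LETTER_VARIANTS = {
    "a": "a4@", "b": "b8", "e": "e3", "g": "g69", "i": "i1!|",
    "l": "l1|", "o": "o0", "s": "s$5", "t": "t7+", "z": "z2",
}

# Constructed sample credentials: (username, cracked password). Not real data.
SAMPLE_CREDS = [
    ("sqluser", "sq1user"),
    ("bobjones", "P4s$w0rd"),
    ("alice", "!dem0org"),
    ("carol", "Tr0ub4dor&3"),
]


def variation_pattern(word: str):
    """Regex matching `word` with any combination of the substitutions above.

    Non-letters in the word (e.g. the space in 'Demo Org') are skipped, so the
    pattern for 'Demo Org' also matches 'demoorg' and 'dem0org'.
    """
    parts = []
    for ch in word.lower():
        if ch.isalpha():
            parts.append("[" + re.escape(LETTER_VARIANTS.get(ch, ch)) + "]")
    return re.compile("".join(parts), re.IGNORECASE)


def is_variation_of(password: str, word: str) -> bool:
    """True if `password` contains `word` or a substituted form of it."""
    letters = [c for c in word if c.isalpha()]
    if len(letters) < 3:
        return False  # too short to be a meaningful base word
    return variation_pattern(word).search(password) is not None


def audit(creds, org_name, common_words):
    """(username, password, finding) for every variation detected."""
    findings = []
    for user, pw in creds:
        if is_variation_of(pw, user):
            findings.append((user, pw, "variation of username"))
        if is_variation_of(pw, org_name):
            findings.append((user, pw, "variation of organisation name"))
        for word in common_words:
            if is_variation_of(pw, word):
                findings.append((user, pw, f"variation of common word '{word}'"))
    return findings


if __name__ == "__main__":
    for user, pw, why in audit(SAMPLE_CREDS, "Demo Org", ["password", "welcome"]):
        print(f"{user:10s} {pw:14s} {why}")
```

The same `is_variation_of` check serves all three sections because the only thing that changes is the base word being tested; the common-word list would in practice be the tool's own wordlist rather than the two entries used here.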
User Password History
The Pwdlyser GUI tool offers the ability for users to review historic passwords from an Active Directory domain. Within this tab each user can be selected, and their historic passwords will be listed if they have been cracked. Passwords that appear more than once in a user's history will be highlighted in red within the table view.
Other Analysis Features
There are many different analysis features, which include the following:
- Display a list of passwords that are, or are a variation of, the date, month, year, etc. For example:
- Perform keyboard pattern analysis, which looks for common keyboard patterns or variations of these patterns. For example,
- Users can see the most common password lengths within the analysed passwords, with a descending list of these lengths.
- Output a list of passwords that do not meet a certain length. For example, if an organisation's password policy is 9 characters, a list of passwords shorter than 9 characters will be displayed.
- Search for exact matches or variations of usernames and/or passwords. Useful for large result sets when auditing individual accounts.
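Three of the checks in the list above (date/month/year variations, keyboard patterns and the length policy), as an added example written for this article rather than Pwdlyser's own code. The month and season lists, the US QWERTY rows used to spot keyboard walks, and the sample credentials are assumptions constructed for the demo.

```python
# Added example for this article, not Pwdlyser's implementation: date/month/
# year detection, keyboard-walk detection and password-length policy checks.
import re
from collections import Counter

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SEASONS = ["spring", "summer", "autumn", "winter"]
YEAR_RE = re.compile(r"19[5-9]\d|20[0-3]\d")   # years 1950-2039
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]  # US QWERTY

# Constructed sample credentials: (username, cracked password). Not real data.
SAMPLE_CREDS = [
    ("alice", "Summer2019!"), ("bob", "Qwerty123"), ("carol", "P4s$w0rd"),
    ("dave", "March2020"), ("erin", "zaq1"), ("frank", "Longer-Unique-Passphrase"),
]


def date_variation(password):
    """Label the date element a password is built around, or None."""
    p = password.lower()
    if YEAR_RE.search(p):
        return "year"
    long_names = SEASONS + [name for name in MONTHS if len(name) > 3]
    if any(name in p for name in long_names):
        return "month/season"
    # Three-letter abbreviations (and 'may') only count as whole tokens,
    # so 'maybe' or 'decent' are not flagged.
    for abbr in (name[:3] for name in MONTHS):
        if re.search(r"(?<![a-z])" + abbr + r"(?![a-z])", p):
            return "month abbreviation"
    return None


def keyboard_walk(password, min_run=4):
    """Longest run of adjacent keys from one keyboard row (either direction)."""
    p = password.lower()
    best = ""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for length in range(len(seq), min_run - 1, -1):
                for start in range(len(seq) - length + 1):
                    chunk = seq[start:start + length]
                    if len(chunk) > len(best) and chunk in p:
                        best = chunk
    return best or None   # column walks such as 1qaz2wsx are not covered here


def too_short(creds, min_len):
    """Accounts whose password is shorter than the policy length."""
    return [(u, pw) for u, pw in creds if len(pw) < min_len]


def length_distribution(passwords):
    """(length, count) pairs, most common length first."""
    return Counter(len(p) for p in passwords).most_common()


if __name__ == "__main__":
    for user, pw in SAMPLE_CREDS:
        print(f"{user:6s} {pw:26s} date={date_variation(pw)} walk={keyboard_walk(pw)}")
    print("shorter than 9:", too_short(SAMPLE_CREDS, 9))
    print("length distribution:", length_distribution([pw for _, pw in SAMPLE_CREDS]))
```

The year check runs first because a password such as March2020 is more usefully reported by its year than by its month; a production check would add further date forms (numeric DDMMYYYY strings, locale-specific month names) to the same structure.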
Analysis Results Output
There are a few methods of reviewing the results of the password analysis within both the Windows and command-line applications.
One of the major benefits of Pwdlyser, which was the main reason for its creation, is the ability to automatically generate an executive summary of a password audit. The purpose of this summary is of course to provide a high-level overview of the activity, written for a management-level audience.
The command-line tool and the Windows application both provide the same display format for the technical summary. This incorporates all of the standard analysis options and displays them within a high-level summary. Each issue reported includes a bullet-pointed list of the affected usernames and passwords (masked; see below) that were identified during the analysis.
Password Character Masking
Any passwords listed in the technical summary are masked so that only a limited number of characters are displayed. This is to enable assessors and auditors to include these results within reports without breaching compliance. Passwords shown within this output will have at least 3 characters masked, with the total number of masked characters depending upon the length of the password being displayed.
The final output option is a basic table view of each of the analysis results with their corresponding username and password listed in plaintext (without masking). In the GUI tool, the tables can be selected and copy/paste used to store the raw data in other media. The command-line tool output can simply be copied from the terminal directly.
Please feel free to use this tool for any of your security assessment or auditing needs. Development will always be ongoing with both the command-line and GUI applications, and whilst some features are listed on the Pwdlyser site there are a few more that I'm working on behind the scenes.
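A masking routine with the properties described above (at least three characters hidden, more for longer passwords), as an added example written for this article rather than Pwdlyser's own masking rule. The exact proportion used here, hiding the larger of three characters or half the length, is an assumption.

```python
# Added example for this article, not Pwdlyser's own masking rule: mask a
# password for a report so that at least three characters are hidden and the
# number hidden grows with the password length (assumed rule: hide the larger
# of min_masked characters or half the length).
def mask_password(password: str, min_masked: int = 3) -> str:
    """Keep a short visible prefix and replace the rest with '*'."""
    n = len(password)
    if n <= min_masked:
        return "*" * n  # nothing could safely remain visible
    hidden = max(min_masked, n // 2)
    return password[: n - hidden] + "*" * hidden


def masked_findings(findings):
    """Bullet lines for a technical summary, e.g. '- bobjones: P4s$****'."""
    return [f"- {user}: {mask_password(pw)}" for user, pw in findings]


if __name__ == "__main__":
    # Constructed sample findings (not real data).
    for line in masked_findings([("bobjones", "P4s$w0rd"), ("alice", "Summer2019!")]):
        print(line)
```

Because the visible prefix never exceeds half the password, a reader of the report can recognise the pattern being criticised (a season and year, a substituted dictionary word) without the report itself disclosing a usable credential.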