├── LICENSE
└── README.md

/LICENSE:

BSD 3-Clause License

Copyright (c) 2018, Ubeeri
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

* Neither the name of the copyright holder nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
/README.md:

# Invoke-PWAudit

Invoke-PWAudit is designed to discover similarly named accounts that share a password in Windows Active Directory. It works by DCSyncing the password hashes of the accounts in question and then either comparing those hashes with each other, or using them to test authentication as the other accounts. It searches for "matching" usernames given prefixes and suffixes, as well as exact matches.

There are many scenarios where Invoke-PWAudit can be used, which are outlined in this readme.

**The tool requires Domain Administrator (or equivalent) permissions in at least one domain to function.** ("Equivalent" means any principal that holds the directory replication rights DCSync relies on, which Domain Admins have by default.)

## Comparing users within a single Windows Domain

To compare users' passwords within a single domain, you need to specify the possible prefixes or suffixes the tool should search for, since two accounts in one domain cannot have identical usernames. This is done with the `-Prepend` and `-Append` options.

### A simple suffix (john and john_a)

For example, say you have a group of "standard users" (john, george, and fred) who have privileged accounts designated with a "\_a" suffix (john_a, george_a, and fred_a), all in the domain "local.corp". You could use the following command to compare passwords between these users' standard and privileged accounts:

```
Invoke-PWAudit -Domain1 local.corp -Append "_a"
```

If john and john_a had the same password, the output would look something like this:

```
Found 1 user sets with matching passwords:
john
john_a
```

Note that we explicitly specify the domain here with `-Domain1`. It defaults to the current domain if not set.
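The prefix/suffix matching described above, as an added example that is not Invoke-PWAudit's own code: it groups a list of account names into matching sets by stripping at most one of the given prefixes and at most one of the given suffixes from each name and comparing what remains case-insensitively. It goes beyond the single-suffix case shown here and also handles several prefixes and suffixes at once. How Invoke-PWAudit itself tokenises names is not documented in this README, so that stripping rule is an assumption, and the account list is constructed for the example.

```powershell
# Added example (not Invoke-PWAudit's own code): group account names into
# "matching sets" the way -Prepend/-Append are described in this README.
# Assumption: a name belongs to a set when, after removing at most one of the
# given prefixes and at most one of the given suffixes, the remaining core is
# identical (case-insensitive). Invoke-PWAudit's real matching rule is not
# documented here.
function Get-MatchingUserSets {
    param(
        [Parameter(Mandatory)][string[]]$UserName,
        [string[]]$Prepend = @(),
        [string[]]$Append  = @()
    )

    # Try longer affixes first so that "_admin" wins over "_a" when both are given.
    $prefixes = @($Prepend | Where-Object { $_ } | Sort-Object Length -Descending)
    $suffixes = @($Append  | Where-Object { $_ } | Sort-Object Length -Descending)

    $sets = [ordered]@{}
    foreach ($name in $UserName) {
        $core = $name
        foreach ($p in $prefixes) {
            # Only strip when something is left over; "T" alone is not a core name.
            if ($core.Length -gt $p.Length -and $core.StartsWith($p, 'OrdinalIgnoreCase')) {
                $core = $core.Substring($p.Length)
                break
            }
        }
        foreach ($s in $suffixes) {
            if ($core.Length -gt $s.Length -and $core.EndsWith($s, 'OrdinalIgnoreCase')) {
                $core = $core.Substring(0, $core.Length - $s.Length)
                break
            }
        }
        $key = $core.ToLowerInvariant()
        if ($null -eq $sets[$key]) { $sets[$key] = New-Object System.Collections.Generic.List[string] }
        $sets[$key].Add($name)
    }

    # Only a set with at least two distinct names has anything to compare.
    foreach ($entry in $sets.GetEnumerator()) {
        $members = @($entry.Value | Sort-Object -Unique)
        if ($members.Count -gt 1) {
            [pscustomobject]@{ Core = $entry.Key; Members = $members }
        }
    }
}

# Constructed sample list covering both naming schemes used in this README.
$sample = 'john', 'john_a', 'george', 'george_a', 'fred', 'T4325U', 'T4325A', 'S4325A'

# Single suffix, as in -Append "_a".
Get-MatchingUserSets -UserName $sample -Append '_a' |
    ForEach-Object { '{0}: {1}' -f $_.Core, ($_.Members -join ', ') }

# Two prefixes and two suffixes, as in -Prepend T,S -Append U,A.
Get-MatchingUserSets -UserName $sample -Prepend T,S -Append U,A |
    ForEach-Object { '{0}: {1}' -f $_.Core, ($_.Members -join ', ') }
```

With the sample list, the first call yields the john/john_a and george/george_a pairs (fred has no `_a` partner), and the second yields the single 4325 set containing T4325U, T4325A and S4325A. In a real run the list would come from an LDAP query of sAMAccountName values rather than a literal array; the point of the function is only to show which names end up in one set before any hash is pulled.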

### Multiple prefixes and suffixes

The tool can handle multiple prefixes and suffixes simultaneously. Let's say your account naming scheme was \[department letter\]\[user id\]\[privilege level\]. Pretend we had a user with an unprivileged (T4325U) and a privileged (T4325A) tech support account, as well as a privileged server admin account (S4325A). Now we need to specify two prefixes and two suffixes to catch all of these usernames in our search:

```
Invoke-PWAudit -Append U,A -Prepend T,S
```

Let's say only T4325U and S4325A share a password. The tool will first identify all three usernames as one matching set and ask before DCSyncing them:

```
Found 1 matching username sets:
T4325U
T4325A
S4325A

DCSync all users and compare password hashes? (Y/n)
```

If we continue, only the accounts whose passwords match are returned:

```
Found 1 user sets with matching passwords:
T4325U
S4325A
```

## Comparing users across Windows Domains

To compare users across domains, specify both a `-Domain1` and a `-Domain2` parameter. (`-Domain1` defaults to the current domain if not specified, so you may not need it.)

### Exact matches

If only the domains are specified, the tool searches for usernames that match exactly (case-insensitive) between the two domains and compares those.

```
Invoke-PWAudit -Domain1 domain.one -Domain2 domain.two
```

This would find and compare user sets such as domain.one\john & domain.two\john.

### Append and Prepend across domains

`-Append` and `-Prepend` can be used here as well, but are not required, since usernames can match exactly between domains. If you do use these modifiers, they **only apply to usernames in Domain2**.
For example:

```
Invoke-PWAudit -Append "_a" -Domain1 domain.one -Domain2 domain.two
```

would find a set of users such as domain.one\john, domain.two\john, and domain.two\john_a. It would **not** find domain.one\john_a, however.

### Testing auth in the 2nd domain

If you do not have permission to DCSync users in the second domain, you can use the `-TestAuth` argument to actually attempt to authenticate as the users in that domain using the hashes gathered via DCSync in the first domain (a pass-the-hash attempt).

**This causes real authentication attempts against the accounts that are found, so you risk locking out accounts if it is run multiple times, or if an account already has only one attempt left before lockout.** Check the second domain's account lockout threshold before running it, and run it once.

```
Invoke-PWAudit -Domain1 domain.one -Domain2 domain.two -TestAuth
```

Let's assume that the tool found the set of users domain.one\john & domain.two\john. With `-TestAuth` specified, the tool will DCSync the password hash for domain.one\john, then use that hash to attempt to authenticate as domain.two\john to domain.two.

(Authentication is tested by establishing an SMB connection to `\\domain.two\netlogon\`.)

## Using a .csv input file

If you already know which users you want to compare, you can put them in a csv\* file and pass that to the tool.

\* It's not really a proper csv file: there are no headers, and lines can have varying numbers of elements.

Each line is simply a comma-delimited list of users to test against each other. Each user may be given as `domain\user`; where only a username is given, the tool uses the value of the `-Domain1` argument (which defaults to the current domain if also not specified).

By using a .csv file, you can compare dissimilar usernames, as well as usernames across more than two domains at once.

A sample file could look like this:

```
george,george_a
domain.one\john,domain.two\john,domain.two\john_a
domain.two\fred,domain.three\henrey
```

If this were saved as users.csv, it would be passed to the tool using `-CSV`, as such:

```
Invoke-PWAudit -CSV users.csv
```

Since we didn't specify `-Domain1` here, the users without a domain given (george & george_a) default to the current domain, i.e. the one the tool was run from.

### Testing auth with a .csv file

If `-TestAuth` is specified together with a .csv file, the first user on every line is DCSynced, and their password hash is then used to attempt authentication as the other users on the same line. If the same .csv as above were used:

```
Invoke-PWAudit -CSV users.csv -TestAuth
```

[current.domain]\george, domain.one\john and domain.two\fred would all be DCSynced. The password hashes returned would then be used to authenticate as the other users on each line respectively. The same lockout warning as above applies.

## Whitelisting and blacklisting users

You can restrict the search to certain users, or conversely skip certain users. If, in the second example, we only wanted to look at user 4325, we could specify that with `-Users T4325U`. (Any of 4325's three usernames could be used here, and the other two would be found.)

The option for skipping users works the same way. If we didn't want to touch george's or fred's accounts, we could specify `-Skip george,fred`.

## Running without prompts

By default, the tool prompts before actually DCSyncing or testing authentication against any users it discovered through searching. To skip the prompt, specify `-NoConfirm`. This does not apply when using a .csv file as input, as all of the usernames there were already chosen by the user.
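The `.csv` input format and the `-TestAuth` roles described under "Using a .csv input file", as an added example; this is not Invoke-PWAudit's own parser. It reads each comma-delimited line into `domain\user` pairs, fills in `-Domain1` for bare usernames, and with `-TestAuth` marks the first user on each line as the DCSync source and the rest as authentication targets, so you can see exactly which accounts would be DCSynced and which would receive login attempts before running the real tool. The fallback to `$env:USERDNSDOMAIN` for the current domain and the `current.domain` name are assumptions; the file content is the README's sample, embedded as a constructed here-string.

```powershell
# Added example (not Invoke-PWAudit's own parser): read the header-less,
# ragged "csv" format described above into user sets. Each field is either
# "domain\user" or a bare "user"; bare users get -Domain1. Assumption: when
# -Domain1 is omitted, the current domain is taken from $env:USERDNSDOMAIN.
function Read-PWAuditCsv {
    param(
        [Parameter(Mandatory)][string[]]$Line,   # file content, one element per line
        [string]$Domain1,
        [switch]$TestAuth
    )
    if (-not $Domain1) { $Domain1 = $env:USERDNSDOMAIN }   # assumption, see above
    if (-not $Domain1) { throw 'Not domain-joined; pass -Domain1 explicitly.' }

    $lineNo = 0
    foreach ($raw in $Line) {
        $lineNo++
        $text = $raw.Trim()
        if (-not $text) { continue }   # tolerate blank lines

        $users = @(foreach ($field in $text.Split(',')) {
            $field = $field.Trim()
            if (-not $field) { continue }
            # Split on the first backslash only; an AD logon name never contains one.
            $parts = $field -split '\\', 2
            if ($parts.Count -eq 2) { $domain = $parts[0]; $user = $parts[1] }
            else                    { $domain = $Domain1;  $user = $parts[0] }
            [pscustomobject]@{ Domain = $domain.ToLowerInvariant(); User = $user }
        })

        if ($users.Count -lt 2) {
            Write-Warning "line ${lineNo}: fewer than two users, nothing to compare"
            continue
        }

        if ($TestAuth) {
            # -TestAuth: only the first user is DCSynced; its hash is tried against the rest.
            [pscustomobject]@{ Line = $lineNo; Source = $users[0]; Targets = $users[1..($users.Count - 1)] }
        } else {
            # Default mode: every user on the line is DCSynced and the hashes are compared.
            [pscustomobject]@{ Line = $lineNo; Users = $users }
        }
    }
}

# Constructed input: the sample file from this README, embedded as a here-string.
$csvText = @'
george,george_a
domain.one\john,domain.two\john,domain.two\john_a
domain.two\fred,domain.three\henrey
'@

# In practice pass (Get-Content users.csv). -Domain1 is given explicitly here so the
# example also runs on a machine that is not domain-joined; 'current.domain' is a placeholder.
Read-PWAuditCsv -Line ($csvText -split "`r?`n") -Domain1 'current.domain' -TestAuth |
    ForEach-Object {
        $set = $_
        $src = '{0}\{1}' -f $set.Source.Domain, $set.Source.User
        $tgt = @($set.Targets | ForEach-Object { '{0}\{1}' -f $_.Domain, $_.User }) -join ', '
        'line {0}: DCSync {1}; try its hash against {2}' -f $set.Line, $src, $tgt
    }
```

Run with `-TestAuth`, the sample produces one line per input line naming the single DCSync source (current.domain\george, domain.one\john, domain.two\fred) and the accounts that would receive authentication attempts; run without it, each line's `Users` property lists every account that would be DCSynced. Reviewing that output against the target domain's lockout policy before the real run is the cheap way to avoid the lockout the README warns about.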