Windows – way to audit AD for a particular password

Tags: active-directory, group-policy, security, windows

Is there a way I can audit AD to check for a particular password?

We used to use a "standard" password for all new users (e.g. MyPa55word). I want to make sure this is no longer in use anywhere on our estate.

The only way I could think how to do this would be to either a) audit the directory somehow for any users with this password or b) set up a GP that specifically disallowed this password (ideally this would then prompt users to reset their password.)

Anyone have any tips on how I can approach this?

Ta,

Ben

Best Answer

Here are a couple of ideas-- neither of them really very good (from the perspective that they might set off anti-virus or intrusion detection alarms):

  • You can dump the password hashes out of Active Directory and run a password cracker on them. Cain and Abel can do the cracking for you. You can get the hashes out with fgdump. Beware-- both of these utilities will probably set off alarm bells in your antivirus software.

  • You could write a simple script to iterate over the output of a user list, checking for valid passwords using the "NET USE" command. Use something like this:

    @echo off
    setlocal

    rem Destination path to "map" a "drive" to for password test
    set DESTPATH=\\SERVER\Share
    rem Drive letter used to "map" a "drive" to for password test
    set DRIVE_LETTER=Q:

    rem NetBIOS domain name to test against
    set DOMAIN=DOMAIN

    rem File containing list of usernames, one per line
    set USERLIST=userlist.txt

    rem Password to test
    set PASSWORD=MyPa55word

    rem Output file
    set OUTPUT=output.txt

    if exist "%DRIVE_LETTER%\." goto _letter_used

    rem "delims=" keeps the whole line as the username even if it contains spaces.
    rem Note: every failed attempt is a bad-password event for that user and
    rem counts toward the domain's account lockout threshold.
    for /f "usebackq delims=" %%i in ("%USERLIST%") do (
        rem Try to map the drive with the candidate password; output is discarded
        net use %DRIVE_LETTER% %DESTPATH% /USER:%DOMAIN%\%%i %PASSWORD% >nul 2>&1

        rem Redirection goes before echo so a password ending in a digit is not
        rem mistaken for a file handle number by the redirection parser
        if exist "%DRIVE_LETTER%\." (>>"%OUTPUT%" echo %%i password is %PASSWORD%)

        rem Drop the mapping, if one was made, before the next attempt
        net use %DRIVE_LETTER% /d /y >nul 2>&1
    )

    goto end

    :_letter_used
    echo %DRIVE_LETTER% is already in use. Change it to a free drive letter and re-run.

    :end
    endlocal

Put the userlist into "userlist.txt" (one username per line), set the variables at the top of the script to refer to a path the user should be able to "map" a "drive" to, and make sure that the PC you're running it on doesn't have any other "drives" "mapped" to the destination server (since a Windows PC only allows one set of credentials to be used for SMB client connections to a given server at a time).

Like I said-- either method is probably not a great idea. >smile<