Re: Query for blank passwords in Active Directory

From: Thor (Hammer of God) (thor@hammerofgod.com)
Date: Sat Apr 07 2007 - 00:02:18 EDT


Most of the same answers to this question have already been given on the
Focus-MS list where the OP originally asked the question. Apparently, the
answer sought must be "easy."

You can't query AD for the user password via standard tools. And without
knowing what version of AD the OP is referring to, we can't really
accurately provide an answer. pwdump2 will dump AD password hashes from
Win2k from which one can determine NULL entries, but it doesn't work on
Win2k3.

But it is trivial to write a script to determine which users have a NULL
password by using a bit of logic... Script a "change password" from NULL to
NULL and see which ones succeed (If policy allows NULL passwords, it is
doubtful that it will require X unique passwords, you see). Harlan Carvey
already suggested this (kind of) on the MSFT list...

This should make it easy enough...
<triv>
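' Errors are checked by hand after each password-change attempt.
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2

' The blank password is used as both the old and the new value.
strPassword = ""

' Query Active Directory through the ADSI OLE DB provider.
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' The query string must sit on one line; mail wrapping had split it.
objCommand.CommandText = _
    "SELECT AdsPath FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strPath = objRecordSet.Fields("AdsPath").Value
    Set strUser = GetObject(strPath)
    ' Attempt a change from blank to blank.
    strUser.ChangePassword strPassword, strPassword
    ' 0 = the change succeeded. -2147023569 = 0x8007052F (Win32 error 1327,
    ' ERROR_ACCOUNT_RESTRICTION), which the script also counts as a hit.
    If Err = 0 Or Err = -2147023569 Then
        Wscript.Echo strUser.CN
    End If
    Err.Clear
    objRecordSet.MoveNext
Loop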
</triv>

Oddly enough, this script was the top hit on Google before this thread
started when "query active directory for blank passwords" was submitted.
Amazing how copy and paste still works! ;)

Anyway, that's the way to do it.

HTH

t

----
Timothy Mullen, MVP, MCSE, MCT, MCSD
Vice President of Consulting Services
NGS Software
www.ngssoftware.com
----- Original Message ----- 
From: "Marco Ivaldi" <raptor@mediaservice.net>
To: <pen-test@securityfocus.com>
Sent: Thursday, April 05, 2007 3:43 AM
Subject: Re: Query for blank passwords in Active Directory
> Igor,
>
> On Thu, 5 Apr 2007, Teh Fizzgig wrote:
>
>> igor.mamuzic@koncar-inem.hr wrote:
>>> Hi all,
>>>
>>> Is there any way to get a list of Active Directory users with blank 
>>> passwords? Of course, I'm attempting to discover such user accounts with 
>>> domain admin privileges.
>>