From 964e91d20fe2695807f8d214866ba6df0e3411f1 Mon Sep 17 00:00:00 2001 From: Tomas Kracmar Date: Tue, 21 Oct 2025 15:34:44 +0200 Subject: [PATCH] Fixing handling errors in datasets --- CHANGELOG.md | 4 ++++ README.md | 1 + Test-WeakADPasswords.ps1 | 4 ++-- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 183afc3..590e6e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,10 @@ Fixed: - Hardened hashing helpers to avoid `ComputeHash` overload ambiguity under Windows PowerShell. - Domain selection menu now respects the configured numeric order. +### Test-WeakADPasswords.ps1 v1.3.2 +Changed: +- Switched to the sorted KHDB path when driving `Test-PasswordQuality`, eliminating full linear scans and avoiding malformed-line crashes on massive datasets. + ### Test-WeakADPasswords.ps1 v1.3.1 Fixed: - Domain picker now renders in numeric order from settings for predictable operator workflows. diff --git a/README.md b/README.md index 12f3d23..ef3377b 100644 --- a/README.md +++ b/README.md 
@@ -27,6 +27,7 @@ The script downloads the database from the configured storage (Azure Blob or S3- Run script Elysium.ps1 as an administrator and choose option 2 (Test Weak AD Passwords). The script will list domains in the same order as they appear in `ElysiumSettings.txt` and, after you pick one, prompt for the corresponding domain administrator password (the username is taken from the settings file). The tool connects to the selected Domain Controller and compares accounts against KHDB (respecting the optional `CheckOnlyEnabledUsers` flag if configured). A timestamped text report is saved under `Reports`, and accounts with dictionary hits are also exported to a dedicated UPN-only text file to support follow-up automation. +The KHDB file is consumed via binary search as a sorted hash list (plain text lines like `HASH:count`); ensure the file you place at `khdb.txt` keeps that ordering and omits stray blank lines. ### Send current hashes for update KHDB Run script Elysium.ps1 as an administrator and choose option 3 (Extract and Send Hashes). Domains are listed in configuration order, after which the script prompts for the replication-capable account password. With valid credentials, it extracts current NTLM hashes (no history) for active accounts, compresses the results, encrypts them with the configured passphrase, and uploads the payload to the configured storage (Azure Blob or S3-compatible). A checksum-verified round-trip download confirms the upload before local artifacts are removed. diff --git a/Test-WeakADPasswords.ps1 b/Test-WeakADPasswords.ps1 index 7aec352..0c12b96 100644 --- a/Test-WeakADPasswords.ps1 +++ b/Test-WeakADPasswords.ps1 @@ -8,7 +8,7 @@ ################################################## ## Project: Elysium ## ## File: Test-WeakADPasswords.ps1 ## -## Version: 1.3.1 ## +## Version: 1.3.2 ## ## Support: support@cqre.net ## ################################################## 
@@ -355,7 +355,7 @@ function Test-WeakADPasswords { if ($_.PSObject.Properties.Name -contains 'Enabled') { $_.Enabled } else { $true } } } - $testResults = $accounts | Test-PasswordQuality -WeakPasswordHashesFile $FilePath + $testResults = $accounts | Test-PasswordQuality -WeakPasswordHashesSortedFile $FilePath Write-Verbose "Password quality test completed." } catch { Write-Error ("An error occurred while testing passwords: {0}" -f $_.Exception.Message)
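Review bot: The v1.3.2 entry added in the `CHANGELOG.md` hunk (`@@ -8,6 +8,10 @@`) lists only the benefits of the switch and does not say that `khdb.txt` must now be sorted. That is a new requirement for anyone upgrading with an existing file, and at the moment it appears only in the README. Add a line under `Changed:` stating the requirement, so that operators who read only the changelog see it.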
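Review bot: The sentence added in the `README.md` hunk (`@@ -27,6 +27,7 @@`) asks operators to keep "that ordering" without defining it. State the sort key and direction: whether lines are ordered by the hash alone or by the whole `HASH:count` line, ascending or descending, and whether the comparison is case-sensitive. Also say what the script does when the file is unsorted or contains blank lines. As written, an operator cannot verify a file against this description.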
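Review bot: In the `Test-WeakADPasswords.ps1` hunk at `@@ -355,7 +355,7 @@`, `$FilePath` is now passed to `-WeakPasswordHashesSortedFile` with no check that the file is actually sorted. A binary search over an unsorted or partially sorted list raises no error; it just misses entries, so accounts with weak passwords would be reported as clean and the existing `catch` block would never run. Consider validating the ordering before the call, for example with a single pass confirming each hash is not lower than the previous one, or with a marker written by the step that produces `khdb.txt`, and stop with `Write-Error` if validation fails.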