
Elysium

Summary

This tool is used for regular and ad-hoc checking of weak passwords in an Active Directory domain. It is a collection of PowerShell scripts leveraging mainly tools from the DSInternals suite. The output of this tool is a report of weak passwords in the AD domain that warrant attention from the internal security team.

Usage of this tool consists of three steps:

  1. Update the known-hashes database (KHDB).
  2. Test AD passwords against KHDB and generate weak passwords report.
  3. Extract current hashes (without usernames) and securely send them for improving the KHDB.

Sensitive operations are confined to the dedicated host. In the third step, only the extracted hashes, without usernames, are transferred (in compressed and encrypted form). This step is completely optional, but recommended, as it enables the tool provider to update the KHDB.

Prerequisites

  • Windows Host: A Windows machine with PowerShell and DSInternals suite installed.
  • Administrative Access: Local admin privileges on the host for installation and updating.
  • Domain Credentials: A domain user account with Domain Admin privileges for each tested AD domain. This account should be active only during testing.
  • Network Requirements: A stable connection to the domain controller in each tested AD domain and internet access (specific hostnames/IP addresses will be provided).

Operation

Install and update

This tool is provided in a private git repository. Installation and updating are done by cloning and pulling from this repository. During the first run, the tool will ask for a passphrase that will be used to encrypt/decrypt sensitive content. After installation, edit ElysiumSettings.txt, check all variables and add the domains to test.

Update Known-Hashes Database (KHDB)

Run the script Elysium.ps1 as an administrator and choose option 1 (Update Known-Hashes Database). The script will then download the database from the dedicated Azure Storage, decompress it and update the current database.

Test weak AD passwords

Run the script Elysium.ps1 as an administrator and choose option 2 (Test Weak AD Passwords). The script will then ask for the domain to be tested and, upon choice, will ask for the domain administrator password. The DA username is already provided in the script for each domain. The tool then connects to a Domain Controller and tests all enabled users in the domain against the KHDB. A PDF report with the findings is then generated.

Send current hashes to update the KHDB

Run the script Elysium.ps1 as an administrator and choose option 3 (Extract and Send Hashes). The tool will then ask for the domain and the password of the domain administrator. With correct credentials, the tool will then extract the current hashes (no history) of non-disabled users, compress and encrypt them and send them to the tool provider.
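For step 3, an added example (not the Elysium project's own code) of extracting the current NT hashes of enabled accounts with usernames removed, and checking the file before anything leaves the host. It assumes DSInternals is installed; $Server, $OutDir and $ProviderCert are placeholders, and encrypting to the provider's public certificate with Protect-CmsMessage stands in for the tool's own passphrase-based encryption.

```powershell
# Added example; not the Elysium project's code. Assumes DSInternals is installed.
# $Server, $OutDir and $ProviderCert are placeholders, not values from the page.
Import-Module DSInternals

$Server       = 'dc01.corp.example'             # placeholder: a domain controller
$OutDir       = 'C:\Elysium\out'                # placeholder: output directory
$ProviderCert = "$OutDir\provider-public.cer"   # placeholder: recipient certificate
$Cred         = Get-Credential -Message 'Domain Admin (used once, not saved)'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Plain = Join-Path $OutDir 'nthashes.txt'
$Enc   = Join-Path $OutDir 'nthashes.cms'

# Current NT hash only (no history), enabled accounts only, usernames dropped.
# Sort-Object -Unique also removes duplicates, so how many accounts share a
# password is not recoverable from the file either. (Enabled/NTHash are the
# DSInternals account properties as I know them; verify on your version.)
Get-ADReplAccount -All -Server $Server -Credential $Cred |
    Where-Object { $_.Enabled -and $_.NTHash } |
    ForEach-Object { ConvertTo-Hex -Input $_.NTHash } |
    Sort-Object -Unique |
    Set-Content -Path $Plain -Encoding ascii

# Defensive check before anything leaves the host: every line must be exactly
# one 32-hex-digit NT hash. Anything else (a SamAccountName, a pwdump-style
# line) aborts the run and removes the file. -notmatch is case-insensitive.
$Bad = Get-Content $Plain | Where-Object { $_ -notmatch '^[0-9a-f]{32}$' }
if ($Bad) {
    Remove-Item $Plain -Force
    throw "Aborting: $($Bad.Count) non-hash line(s) found in the extract."
}

# Encrypt to the provider's public key (CMS) and remove the plaintext copy.
# The real tool uses a passphrase set on first run; this is a substitute.
Protect-CmsMessage -To $ProviderCert -Path $Plain -OutFile $Enc
Remove-Item $Plain -Force
Write-Host "Encrypted extract ready for transfer: $Enc"
```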

Uninstallation

Run the script Elysium.ps1 as an administrator and choose option 4 (Uninstall). The script will then delete everything and remove the passphrase variable.

FAQ

What happens to the hashes we uploaded?

These hashes are subjected to cracking. Any cracked hash is then added to the KHDB. Hash cracking happens on a dedicated air-gapped machine, and sensitive material is never decrypted outside this machine. Secure exchange of decryption keys is arranged beforehand with every client.

Do we need to upload the hashes?

Not at all. This step is purely optional, but it enables us to constantly improve the KHDB.

What does "weak password" mean?

An account is flagged when it meets one or more of these conditions:

  • Password hash is found in the KHDB (that is, the password is known).
  • Password is stored using reversible encryption.
  • LM hashes are present.
  • Has no password set.
  • Has the same password as multiple other accounts.
  • Has its SamAccountName as password.
  • Is a computer account with the default password.
  • Has Kerberos AES keys missing.
  • Does not require Kerberos pre-authentication.
  • Only DES encryption is allowed to be used.
  • Is susceptible to the Kerberoasting attack.
  • Is an administrative account that is allowed to be delegated to a service.
  • Password of the account will never expire.
  • Is not required to have a password.
  • Requires smart card authentication and has a password.

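An added example (not the Elysium project's own code) of how step 2 and the checks listed above fit together with DSInternals: replicate the accounts, run Test-PasswordQuality against a sorted KHDB file, and flatten the result into one row per finding. It assumes DSInternals is installed, that the KHDB is a sorted one-hash-per-line hex NT-hash file, and that $Server, $Khdb and $Report are placeholders; the result property names are taken from DSInternals' PasswordQualityTestResult as I know it and should be verified against the installed version.

```powershell
# Added example; not the Elysium project's own code. Assumes DSInternals is
# installed and that the KHDB is a sorted, one-per-line file of hex NT hashes
# (the format Test-PasswordQuality -WeakPasswordHashesSortedFile consumes).
# $Server, $Khdb and $Report are placeholders, not values from the page.
Import-Module DSInternals
$Server = 'dc01.corp.example'            # placeholder: a DC in the tested domain
$Khdb   = 'C:\Elysium\khdb-sorted.txt'   # placeholder: sorted NT-hash list
$Report = 'C:\Elysium\findings.csv'      # placeholder: report output
# Prompt for the DA password at run time; never store it in the script.
$Cred = Get-Credential -Message 'Domain Admin for the tested domain'

# Pull account data over DRS replication (needs DA-level replication rights),
# then run DSInternals' checks; disabled accounts are skipped by default.
$Result = Get-ADReplAccount -All -Server $Server -Credential $Cred |
          Test-PasswordQuality -WeakPasswordHashesSortedFile $Khdb
# Map each FAQ condition to the matching property of the result object
# (names per DSInternals' PasswordQualityTestResult; verify on your version).
$Checks = [ordered]@{
    'Hash found in KHDB'             = $Result.WeakPassword
    'Reversible encryption'          = $Result.ClearTextPassword
    'LM hash present'                = $Result.LMHash
    'No password set'                = $Result.EmptyPassword
    'SamAccountName as password'     = $Result.SamAccountNameAsPassword
    'Computer with default password' = $Result.DefaultComputerPassword
    'AES keys missing'               = $Result.AESKeysMissing
    'Pre-auth not required'          = $Result.PreAuthNotRequired
    'DES only'                       = $Result.DESEncryptionOnly
    'Kerberoastable'                 = $Result.Kerberoastable
    'Delegatable admin'              = $Result.DelegatableAdmins
    'Password never expires'         = $Result.PasswordNeverExpires
    'Password not required'          = $Result.PasswordNotRequired
    'Smart card user with password'  = $Result.SmartCardUsersWithPassword
}
# Flatten to one row per (check, account); shared passwords come as groups.
$Findings = [System.Collections.Generic.List[object]]::new()
foreach ($Name in $Checks.Keys) {
    foreach ($Account in $Checks[$Name]) {
        $Findings.Add([pscustomobject]@{ Check = $Name; Account = $Account })
    }
}
$GroupNo = 0
foreach ($Group in $Result.DuplicatePasswordGroups) {
    $GroupNo++
    foreach ($Account in $Group) {
        $Findings.Add([pscustomobject]@{ Check = "Shared password (group $GroupNo)"; Account = $Account })
    }
}
$Findings | Export-Csv -Path $Report -NoTypeInformation
$Findings | Group-Object Check | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

The CSV is the raw material a PDF report would be built from; the on-screen table gives the per-check counts for a quick triage.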
How are usernames paired with KHDB?

They are paired online while running the script. The KHDB does not contain usernames, as the extract script provides only hashes, not usernames.

Would our EDR solution interfere with this tool?

It should! If you have an EDR installed on the host machine, an exception for this tool must be configured.

Would our monitoring tool detect this activity?

It should, as this is an extremely sensitive operation that should never happen outside of this (or a similar) procedure. Running this tool should be cleared with your SOC beforehand (or used as a test case).
