Introducing Compromise Checker! An easy tool to check the NTLM hashes from HaveIBeenPwned against AD

Hopefully everyone reading this is aware of the amazing HaveIBeenPwned project by Troy Hunt. As of today, NTLM hashes of all compromised passwords seen in this project are officially available for download. This is great for checking against your Active Directory environment to see whether your users are using passwords that are known to be compromised. I threw together a quick tool that can get all of the NTLM hashes from your AD environment using DSInternals, and then check to see which (if any) are listed in the download from HIBP.

While this is a fairly simple concept, the sheer size of the download from HIBP presents a number of problems when performing this type of search. This application is specifically designed to avoid reading the entire HIBP file into memory, as that could negatively affect the computer it is being run on. Because of the amount of data it has to process, you should expect it to take at least a few hours, no matter how small your AD environment is. That being said, it uses even less memory than most of the other processes running on your computer (especially Chrome), so multi-tasking shouldn’t be an issue.
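One way to do the memory-bounded comparison described above, as an added example (not the CompromiseCheck source). It assumes the HIBP download is a text file of `HASH:COUNT` lines; the function name and all sample hashes and accounts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the HIBP "HASH:COUNT" layout (not real breach data).
SAMPLE_HIBP = """\
00112233445566778899AABBCCDDEEFF:12
0123456789ABCDEF0123456789ABCDEF:4021
FEDCBA9876543210FEDCBA9876543210:3
"""

# Constructed (account, NT hash) pairs standing in for the AD export.
SAMPLE_ACCOUNTS = [
    ("alice", "0123456789abcdef0123456789abcdef"),
    ("bob", "1111111111111111AAAAAAAAAAAAAAAA"),
    ("svc-backup", "0123456789ABCDEF0123456789ABCDEF"),
]


def find_compromised(hibp_lines, account_hashes):
    """Return {account: breach_count} for accounts whose hash is in the list.

    hibp_lines is any iterable of text lines (an open file works), so the
    breach list is read one line at a time; only the AD hashes sit in memory.
    """
    by_hash = defaultdict(list)
    for account, nt_hash in account_hashes:
        by_hash[nt_hash.strip().upper()].append(account)
    if not by_hash:
        # An empty export means hash collection failed; reporting
        # "nothing found" here would be a false negative.
        raise ValueError("no account hashes supplied")

    remaining = set(by_hash)
    hits = {}
    for line in hibp_lines:
        nt_hash, _, count = line.strip().partition(":")
        nt_hash = nt_hash.upper()
        if nt_hash not in remaining:
            continue
        seen = int(count) if count.isdigit() else 0
        for account in by_hash[nt_hash]:  # several accounts may share a hash
            hits[account] = seen
        remaining.discard(nt_hash)
        if not remaining:  # every AD hash already matched
            break
    return hits


if __name__ == "__main__":
    found = find_compromised(SAMPLE_HIBP.splitlines(), SAMPLE_ACCOUNTS)
    for account, seen in sorted(found.items()):
        print(f"{account}: password seen {seen} times in breaches")
```

The result reports account names and breach counts only, so the hashes themselves never need to be written to a report.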

Check out the source code here: https://github.com/thegeekkid/CompromiseCheck, and download the pre-compiled project and installer from here: https://bscc.support/files/CompromiseCheckSetup.exe

About thegeekkid

2 thoughts on “Introducing Compromise Checker! An easy tool to check the NTLM hashes from HaveIBeenPwned against AD”

  1. What are the system requirements to run this? I’m using Server 2008 and Powershell 5.1 installed. When I run the program I can see part of an error:

    “Import-Module: The specified module ‘DSInternals’ was not loaded because no…”

    A few minutes later the program stops and says there are no compromised passwords. Yet I know of one test account that was set with a compromised password.

    1. Hey… sorry for the late response, somehow I totally missed this comment. It should run on 2008 with Powershell 5.1, but I’ve only officially tested it on Server 2016 and Windows 10. Do you happen to have the full “Import-Module” error? It looks like it failed to load the DSInternals module that gets installed during the application’s first run, and that is the module that it uses to get the hashes from AD. It could also be an AntiMalware program blocking it, since that should be suspicious behavior to any decent heuristics engine. You could check C:\Program Files\WindowsPowerShell\Modules\DSInternals and see if the folder exists and has the module files in it. According to their specs, it should run on 5.0+; so if you are seeing files in that folder, I would check your AV/AM to see if it has quarantined any of the files. -Brian
