‘Credential stuffing’ is an automated attack method used to find valid credentials for web-based applications, as well as direct network login account credentials. To execute these attacks, the attackers obtain lists of stolen usernames, email addresses, and corresponding passwords from the dark web, and then use automated scripts to try the compromised credentials on other websites in an attempt to log in and gain unauthorized access to these systems.
Credential stuffing attacks are emerging as a more effective way for attackers to gain unauthorized access to systems and networks than the traditional brute force password attacks.
Silverfort’s Credential Stuffing Protection Tool compares known Pwned Passwords against the password hashes that exist in a target infrastructure. To clarify: the checker grabs just the hashes and not the passwords themselves, and works in an offline mode, minimizing any external exposure.
The tool is now available for free! Use it to weed out known compromised passwords, and minimize the risk of Credential Stuffing attacks.
Important Note About the Tool’s Security
Silverfort’s Credential Stuffing Protection Tool compares the hashes of passwords from your organization’s AD infrastructure to the ones in the leaked password list. Note that obtaining the hashes themselves from your Domain Controllers can be a sensitive task. Since hashes within the AD ecosystem are equivalent to passwords, you should avoid storing them – even temporarily – on an insecure computer.
After we reviewed the methods available to obtain the hashes from the Domain Controller, we believe that using the secretsdump tool is the most secure method. This is because secretsdump uses the native replication protocol (DRSUAPI) to receive the hashes over the network.
Most of the methods for obtaining hashes save them to a file. However, to reduce the risk of exposure we included in our tool an option to parse the hashes directly from the output of secretsdump. Remember, if you choose to save these hashes to a file, make sure to delete the file after running the test, as this file includes your employees’ hashes!
How to use Silverfort’s Free Leaked Password Checker
To Use Silverfort’s Leaked Password Checker do the following:
• Get the leaked password file
• Get the organization’s password hashes from your AD
• Run the tool to analyze the passwords and export the results. Note that the tool can run on any Windows or Linux machine with Python3 installed.
First, obtain the leaked password hashes file from Pwned Passwords – link here. Download the NTLM version (ordered by hash).
The file is compressed using 7zip, so you will need to extract it first (on Windows you can download 7zip from here, and on Linux you can install p7zip from your package manager).
To obtain the AD password hashes, we recommend using the inline stdin method. We consider it more secure because the password hashes are never written to disk. If you choose any other method, remember to delete the exported hashes after you use them.
Note that exporting the password hashes using the secretsdump tool can be done on any Windows or Linux machine running Python3 with network access to one of the domain controllers.
Next, install the impacket Python package: secretsdump.py is a script from the impacket package that exports hashes from a DC (Kerberos keytabs, NTLM hashes, and more). In the default configuration the script uses DRSUAPI (the DC replication API). Install it from the pip repository (pip3 install impacket), or directly from GitHub.
After installing impacket, secretsdump.py should be on your PATH; if it is not, you can download the script directly from https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
Now it’s time to run our tool.
stdin method using secretsdump.py
secretsdump.py <DOMAIN_NAME>/<USERNAME_OF_DOMAIN_ADMIN>@<SPECIFIC_DC_FQDN> -just-dc-ntlm -k | python3.8 find_weak_users.py --stdin --nthash-file <LOCATION_OF_LEAKED_PASSWORD_TXT_FILE> --export-xlsx <REPORT_XLSX_FILE>
If you can’t resolve the FQDN to an IP address, you can specify it directly:
secretsdump.py <DOMAIN_NAME>/<USERNAME_OF_DOMAIN_ADMIN>@<SPECIFIC_DC_FQDN> -just-dc-ntlm -k -target-ip <DC_IP> -dc-ip <DC_IP> | python3.8 find_weak_users.py --stdin --nthash-file <LOCATION_OF_LEAKED_PASSWORD_TXT_FILE> --export-xlsx <REPORT_XLSX_FILE>
Where:
• <DOMAIN_NAME> is your domain name (e.g. acme.local).
• <USERNAME_OF_DOMAIN_ADMIN> is a user with DRSUAPI (replication) permissions, usually a domain admin (e.g. admin).
• <SPECIFIC_DC_FQDN> is the FQDN of one of your DCs (usually dc_name.domain); the password hashes will be obtained from it.
• <DC_IP> is the IP address of the DC given in <SPECIFIC_DC_FQDN>; use this if DNS is not available.
• <LOCATION_OF_LEAKED_PASSWORD_TXT_FILE> is the path to the extracted leaked hash file (remember, this should be the .txt file and not the .7z one).
• <REPORT_XLSX_FILE> is the path where an Excel file will be created with the results of the scan.
We hope you find the tool useful.