Added cmdlet for API-based check against haveibeenpwned.com
hkelley committed Apr 17, 2023
1 parent febb761 commit 2f4893e
Showing 2 changed files with 58 additions and 1 deletion.
55 changes: 55 additions & 0 deletions HelperFuncs.ps1
Expand Up @@ -18,6 +18,11 @@ Function Format-NTHash {
[Parameter(Mandatory)] $NTHash
)

if([string]::IsNullOrEmpty($NTHash))
{
return $null
}

return [System.BitConverter]::ToString($NTHash).Replace("-","")
}

Expand Down Expand Up @@ -273,7 +278,57 @@ function Test-HashesAgainstList {
}
}

function Test-HashesAgainstPwndPasswords
{
[CmdletBinding()]
param(
[Parameter(Mandatory)] $TestSet # from Get-ADHashes
)

$hashCache = @{}

# Get only the values we haven't already marked
$testSubset = $TestSet.Values.GetEnumerator() | ?{$null -eq $_.Condition }

foreach($user in $testSubset)
{
[string] $hash = Format-NTHash -NTHash $user.Replica.NTHash

if($hashCache[$hash] -eq $true)
{
$user.Condition = "leaked"
$user.Context = "api.pwnedpasswords.com"
}
elseif ($hashCache[$hash] -eq $false)
{
# Hash has already been checked and was not matched
continue
}
else
{
$hashRange = $hash.Substring(0,5)
$hashRemainder = $hash.Substring(5,$hash.Length - 5)

$url = "https://api.pwnedpasswords.com/range/{0}?mode=ntlm" -f $hashRange
if($rangeMatches = Invoke-RestMethod -Uri $url)
{
# find a match for our remainder
$rangeMatches = $rangeMatches -split '\r\n'
if($rangeMatches | ?{$_ -like "${hashRemainder}:*" })
{
$hashCache[$hash] = $true
$user.Condition = "leaked"
$user.Context = "api.pwnedpasswords.com"
}
else
{
$hashCache[$hash] = $false
}
}
}
}

}

function Test-HashesForPasswordReuse {
[CmdletBinding()]
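Review bot: `[string] $hash = Format-NTHash ...` is followed by `$hash.Substring(0,5)` with no length check, so a user whose NTHash is missing — which the first hunk of this file now turns into `$null`, and the `[string]` cast into an empty string — makes Substring throw on that iteration instead of being skipped. The `Invoke-RestMethod` call is equally unguarded: a network or HTTP failure leaves `$rangeMatches` null, the `if` is simply false, and the user stays unmarked with no warning, which a reader of the results cannot tell apart from "not found". I would skip hashes shorter than five characters before the cache lookup, wrap the request in a try/catch that warns and `continue`s without writing to `$hashCache` (so a later run re-checks it), and, since only the five-character prefix leaves the host under the k-anonymity scheme, send the API's documented `Add-Padding: true` header so response sizes do not reveal which range was queried. Test-HashesAgainstPwndPasswords is complete within the hunk.

```powershell
foreach($user in $testSubset)
{
    [string] $hash = Format-NTHash -NTHash $user.Replica.NTHash

    # Format-NTHash returns $null for an empty hash; nothing to look up
    if([string]::IsNullOrEmpty($hash) -or $hash.Length -lt 5)
    {
        continue
    }

    # … unchanged: $hashCache hit branches (leaked / already checked) …
    else
    {
        $hashRange = $hash.Substring(0,5)
        $hashRemainder = $hash.Substring(5)

        $url = "https://api.pwnedpasswords.com/range/{0}?mode=ntlm" -f $hashRange
        try
        {
            # Add-Padding keeps response sizes uniform across ranges
            $rangeMatches = Invoke-RestMethod -Uri $url -Headers @{ 'Add-Padding' = 'true' }
        }
        catch
        {
            # Not cached on purpose: leave the user unmarked so a later run re-checks it
            Write-Warning ("Pwned Passwords lookup failed for range {0}: {1}" -f $hashRange, $_.Exception.Message)
            continue
        }

        # … unchanged: split response, match $hashRemainder, update $hashCache and $user …
    }
}
```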
4 changes: 3 additions & 1 deletion demo.ps1
Expand Up @@ -15,7 +15,9 @@ Test-HashesWithHashcat -TestSet $testset -ShowOutput -HashcatDir "


## Second, check for the presence on a banned list
Test-HashesAgainstList -TestSet $testset -BadHashesSortedFile E:\Utils\haveibeenpwned.com\pwned-passwords-ntlm-ordered-by-hash-v7.txt
#Test-HashesAgainstList -TestSet $testset -BadHashesSortedFile E:\Utils\haveibeenpwned.com\pwned-passwords-ntlm-ordered-by-hash-v7.txt
# or new method
Test-HashesAgainstPwndPasswords -TestSet $testset

## Third, look for accounts that re-use the same password between manager and report (lazy IT people who use same password for admin ID)
Test-HashesForPasswordSharing $testset
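Review bot: The `# or new method` comment above the new `Test-HashesAgainstPwndPasswords` call does not say that this path queries api.pwnedpasswords.com live, whereas the line it replaces (now commented out) read a local file and worked offline; someone running the demo in a restricted network would want that stated next to the choice. I would expand it to `# or new method: online k-anonymity lookup — sends the first 5 hex chars of each NT hash to api.pwnedpasswords.com, needs outbound HTTPS` so the trade-off between the two lines is explicit.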
