knavesec/Max

2022 DPAT Roadmap Ideas

Opened this issue · 5 comments

Disclaimer - I by no means want to be that guy that makes a bunch of tool complaints. I have some time this month to help make these improvements.
This tool deserves recognition for how brilliant it is. Great job @knavesec !

  1. Password_Length_Stats - This has the list of the number of users with a specific password character count. So if 10 people have a password that is 9 characters long. Problem is it does not filter out the disabled users.
    Request - Filter the affected users to enabled users only. Right now it combines enabled and disabled users.
  2. Add the column "Password last changed" or "Pwd Last Set" to all the checks.
    Reason - That way you can use new BloodHound data to see if the account has been remediated without retrieving new NTDS data.
  3. Add enabled column to the sheet:
    A. LM_Hashes_(Non-Blank)
  4. Remove null NTLM hash from list
    I noticed that the null NTLM hash 31d6 shows up in a bunch of different sheets.
  5. Add check "computers cracked"
    All Windows hosts should have random long passwords. Sometimes an admin or perhaps an attacker may change the password. Attackers use this as persistence.
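
As an added example (not code from Max or DPAT, and not part of the post above), the three report checks requested in items 1, 4 and 5 computed over constructed sample data: the pwdump-style NTDS line format, the cracked-hash map and the enabled-account set are assumptions standing in for the NTDS export, the cracker's potfile and BloodHound's enabled flag.

```python
# Added example, not part of Max/DPAT. All hashes, accounts and plaintexts below
# are constructed sample values, not real credentials.
from collections import Counter

EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed pwdump-style NTDS export: DOMAIN\account:rid:lmhash:nthash:::
NTDS_LINES = """\
LAB\\alice:1105:aad3b435b51404eeaad3b435b51404ee:1111111111111111111111111111aaaa:::
LAB\\bob:1106:aad3b435b51404eeaad3b435b51404ee:2222222222222222222222222222bbbb:::
LAB\\carol:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
LAB\\WS01$:1108:aad3b435b51404eeaad3b435b51404ee:3333333333333333333333333333cccc:::
LAB\\svc_old:1109:aad3b435b51404eeaad3b435b51404ee:2222222222222222222222222222bbbb:::
"""
CRACKED = {  # constructed nthash -> plaintext map, as a cracker potfile would give
    "1111111111111111111111111111aaaa": "Summer2022!",
    "2222222222222222222222222222bbbb": "Password1",
    "3333333333333333333333333333cccc": "Welcome1",
}
# Constructed "enabled" set, the role BloodHound data would play; svc_old is disabled
ENABLED = {"LAB\\alice", "LAB\\bob", "LAB\\carol", "LAB\\WS01$"}

def parse_ntds(text):
    """Yield (account, nthash) from pwdump-style lines, skipping malformed ones."""
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4:
            yield parts[0], parts[3].lower()

def length_stats(ntds_text, cracked, enabled, enabled_only=True):
    """Item 1: password-length histogram, optionally restricted to enabled accounts.
    Item 4: accounts with the empty-password NT hash are reported separately
    instead of being counted as a cracked password of length 0."""
    lengths, empty = Counter(), []
    for account, nthash in parse_ntds(ntds_text):
        if enabled_only and account not in enabled:
            continue
        if nthash == EMPTY_NT_HASH:
            empty.append(account)
        elif nthash in cracked:
            lengths[len(cracked[nthash])] += 1
    return dict(lengths), empty

def computers_cracked(ntds_text, cracked):
    """Item 5: machine accounts (sAMAccountName ends in '$') whose password cracked.
    Machine passwords are normally long and random, so any hit deserves review."""
    return sorted(acct for acct, nt in parse_ntds(ntds_text)
                  if acct.endswith("$") and nt in cracked)

if __name__ == "__main__":
    print(length_stats(NTDS_LINES, CRACKED, ENABLED))                      # enabled only
    print(length_stats(NTDS_LINES, CRACKED, ENABLED, enabled_only=False))  # all accounts
    print(computers_cracked(NTDS_LINES, CRACKED))
```

The two length_stats calls differ only in the disabled svc_old account, which is the double counting item 1 describes.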

I like some of these additions, so I'll see when I have time to sort them out.

Unless I'm misunderstanding #4, I probably won't do that, just for completeness. If there are users with null hashes that's still part of AD so IMO it should still be included. May address this in one of the improvements below.

Also for #3, I don't entirely see it as relevant? Enabled status doesn't make a huge difference, if you have the LM hash you can easily crack the password and just enable the user. IMO enable status doesn't really make a difference, and those should just be fixed anyways. Either way, doesn't take a ton to implement, but those are just my thoughts.

Additional things I'd like to add

  1. Graphs and charts
    For either report screenshots or just general ease of display, could include a pie chart of cracked vs not cracked, pie/bar chart for password lengths, etc

  2. Include a filtering ability to the graphs so you can sort alphabetically, by hash, by pwd length, etc. Tried this a while ago, but ran out of time. This may address the null NTLM hashes thing from above, depending on level of filter ability