Empty passwords: two seemingly innocuous words that can spell disaster for your organization’s security posture. These accounts offer no protection whatsoever, often paving the way for more advanced attacks. In this article, we’ll shed light on what exactly empty passwords are, explore why they might exist, how to identify them, and most importantly, how to remediate them. So, buckle up as we uncover this invisible menace and how your organization may unknowingly be susceptible.

Understanding Empty Passwords and Their Origins

To put it simply, empty passwords are accounts whose password attribute holds no value. You might wonder, how does this happen? Organizations often depend on their password policies to prevent such occurrences. Here are a couple of ways through which accounts with empty passwords could have entered your environment:

  1. Weak password policy – A weak password policy may have the “MinPasswordLength” set to “0” and the “ComplexityEnabled” setting set to “False.”
  2. Empty Password Allowed setting on an account – An account could have the setting “PASSWD_NOTREQD” set to “True” in the “UserAccountControl” attribute.
  3. Password policy doesn’t apply or didn’t exist – Some organizations have multiple password policies or leverage custom primary group IDs. These policies could be enforced or not enforced on certain accounts based on the scope and setting. Additionally, an account could have been created when the current applied policy didn’t exist.

The Dangers of Empty Passwords in Active Directory

Make no mistake, these accounts aren’t merely a benign oversight; they can be a time bomb waiting to detonate within your organization. By neglecting to enforce passwords, companies can unwittingly expose sensitive data and critical systems to a myriad of threats. Attackers often use accounts with empty passwords as the initial foothold to launch additional and more sophisticated attacks. However, lateral movement and privilege escalation aren’t limited to malicious attackers; insider threats also seek these opportunities. Moreover, many threat actors leave these accounts behind for persistence or even use them as a distraction to conceal other attacks.

Finding Empty Password Accounts in Active Directory

Finding accounts with empty passwords may seem daunting for those managing thousands of accounts across their enterprise. Luckily, there are multiple ways to assess the potential for empty passwords as well as to validate if they are in use.

Detecting Accounts That Could Have an Empty Password

First, review your password policies and ensure they apply to all accounts. If you deem the password policy sufficient, you can proceed to examine specific account settings. Various tools can aid in this process; utilize the ones most readily available to you. Here are a few ways that you can detect empty passwords using different tools:

  • ActiveDirectory module – Get-ADUser -Filter {PasswordNotRequired -eq $true -and Enabled -eq $true} | Select-Object SamAccountName
  • WMI – Get-WmiObject -Query "SELECT * FROM Win32_UserAccount WHERE PasswordRequired=False AND Disabled=False" | Select-Object Name
  • LDAPSearch – ldapsearch -x -H ldap://<domain-controller> -D "<bind-dn>" -W -b "<base-dn>" "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" cn
  • BloodHound – MATCH (n:User {enabled: true, passwordnotreqd: true}) RETURN n

Validating Accounts That Have an Empty Password

Merely having the potential for an empty password doesn’t guarantee its existence. You can validate if an account has an empty password through various methods. For a small user base, attempt authentication without supplying a password. For larger-scale validation, consider the following options: 

  • Dump the domain controller and verify hash values – If you have access to the NTDS file from a domain controller then you can perform an analysis on the hashes as they aren’t salted. If you see an account with the hash value of “31D6CFE0D16AE931B73C59D7E0C089C0”, this means the account does not have a password.
  • Mass authentication – Automate authentication to multiple accounts by supplying an empty password. This is a common scenario in penetration testing. A great tool for this is crackmapexec which allows you to password spray via SMB with ease.
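The two detection steps above, the userAccountControl check from the previous section and the NTDS hash comparison from this one, can both be run offline against exported data. The following Python is an added example, not code from this article or from TCM Security. It decodes the PASSWD_NOTREQD bit (value 32, the same bit the ldapsearch filter tests), computes the NT hash of an empty password with a pure-Python MD4 so that the 31D6CFE0... value can be verified rather than trusted, parses secretsdump-style NTDS lines, and returns the userAccountControl value an account would need for remediation. The sample accounts, their UAC values and the dump lines are constructed here; the domain\user:rid:lmhash:nthash::: layout is assumed to match the dump tool in use.

```python
"""Offline checks for Active Directory accounts that may have no password.

Added example (not code from the original article). Two checks:
  1. Decode userAccountControl and flag enabled accounts carrying
     PASSWD_NOTREQD (bit 0x20 = 32), the bit the article's LDAP filter tests.
  2. Parse secretsdump-style NTDS lines (domain\\user:rid:lm:nt:::) and flag
     accounts whose NT hash equals the hash of an empty password. The NT hash
     is MD4 over the UTF-16LE password, so MD4 is implemented here in pure
     Python rather than relying on OpenSSL's legacy MD4 provider.
"""
import struct

MASK32 = 0xFFFFFFFF
UF_ACCOUNTDISABLE = 0x0002   # userAccountControl bit 2
UF_PASSWD_NOTREQD = 0x0020   # userAccountControl bit 32
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # value quoted in the article


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (three rounds of sixteen steps per 64-byte block)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)  # working registers a, b, c, d
        for fn, k_add, shifts, order in rounds:
            for i in range(16):
                a_i = (-i) % 4  # register updated this step: a, d, c, b, a, ...
                a, b, c, d = (v[(a_i + j) % 4] for j in range(4))
                v[a_i] = _lrot((a + fn(b, c, d) + X[order[i]] + k_add) & MASK32, shifts[i % 4])
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def password_not_required(uac: int) -> bool:
    """True for enabled accounts flagged PASSWD_NOTREQD (same condition as the LDAP filter)."""
    return bool(uac & UF_PASSWD_NOTREQD) and not (uac & UF_ACCOUNTDISABLE)


def require_password(uac: int) -> int:
    """Remediated value: the same userAccountControl with PASSWD_NOTREQD cleared."""
    return uac & ~UF_PASSWD_NOTREQD


def find_empty_nt_hashes(dump_lines):
    """Return (account, rid) pairs whose NT hash is the empty-password hash."""
    hits = []
    for line in dump_lines:
        line = line.strip()
        if not line or line.count(":") < 3:
            continue  # skip blank lines and anything not in user:rid:lm:nt form
        account, rid, _lm, nt = line.split(":")[:4]
        if nt.lower() == EMPTY_NT_HASH:
            hits.append((account, int(rid)))
    return hits


# Constructed sample data: UAC values as an LDAP export might show them
# (0x200 = NORMAL_ACCOUNT) and NTDS lines in secretsdump's layout. The LM
# field is the well-known empty LM hash; NT fields are computed, not invented.
SAMPLE_UAC = {"svc_legacy": 0x220, "jdoe": 0x200, "old_vendor": 0x222}
SAMPLE_DUMP = [
    "CORP\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("Constructed-Passw0rd") + ":::",
    "CORP\\svc_legacy:1105:aad3b435b51404eeaad3b435b51404ee:" + EMPTY_NT_HASH.upper() + ":::",
    "CORP\\jdoe:1203:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("") + ":::",
]


def audit(uac_by_account, dump_lines):
    """Potential (policy/flag) versus confirmed (hash) empty-password accounts."""
    return {
        "could_be_empty": sorted(a for a, u in uac_by_account.items() if password_not_required(u)),
        "confirmed_empty": sorted(a for a, _ in find_empty_nt_hashes(dump_lines)),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_UAC, SAMPLE_DUMP))
```

Note that jdoe is flagged only by the hash check: the account has PASSWD_NOTREQD cleared, so a policy or flag review would miss it, which is why the article separates detecting the potential from validating the fact. The disabled old_vendor account is excluded from the flag check in the same way the ldapsearch filter excludes bit 2.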

Remediating Empty Passwords in Active Directory

Remediating accounts with empty passwords is straightforward; set a password for the account as you would normally. However, addressing the root cause is crucial to prevent recurrence. Ensure that all password policies are uniformly applied without exceptions. Next, configure accounts appropriately by requiring a non-empty password at the account level. Regular auditing and automated change monitoring are essential for maintaining security.

Conclusion

Empty passwords could be the Achilles’ heel for your organization’s security program, granting threat actors an authenticated position within your network. It’s imperative to harden Active Directory accounts, conduct frequent audits, and leverage change monitoring technologies to safeguard your enterprise.

If you want to learn more about Active Directory vulnerabilities and exploits, sign up for our Active Directory Live Training class on February 7, 2025! In this one-day training, you’ll learn about the vulnerabilities that make Active Directory susceptible to hacking, and empower yourself with the knowledge to safeguard it effectively. 

About TCM Security

TCM Security is a veteran-owned cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients, including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to demonstrate proven job-ready skills to prospective employers.

Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Contact Us: sales@tcm-sec.com

See How We Can Secure Your Assets

Let’s talk about how TCM Security can solve your cybersecurity needs. Give us a call, send us an e-mail, or fill out the contact form below to get started.


tel: (877) 771-8911 | email: info@tcm-sec.com