Check if your Active Directory passwords are compromised in a data breach

To compare Active Directory accounts against breached passwords you need access to your Active Directory with a specific privileged account, a password list with NTLM hashes and some PowerShell commands.

But why should you do this?

  • Password hashes of Domain accounts can be dumped locally from SAM, memory, remotely and as well just with Windows built-in features (memory dump).
  • Users with well known passwords (compromised passwords) are extremely easy to “recover” by using password lists
  • Therefore the passwords of these accounts must be changed to reduce the risk of getting easily “hacked”.

Password list

As the download of the password list could take a while, start downloading the latest version from:

Make sure to download the NTLM password list (version 4 or newer).

NTLM PWNED Passwords

When finished, extract the file: I’m using C:\temp\pwned-passwords.txt as target.

Export password hashes from AD

You do not have to be a member of the Domain Admins, Enterprise Admins or the Administrators group, but you need the “Replicating Directory Changes All” permission on Domain level.

Install PS Module

Now launch PowerShell and run:

Install-Module -Name DSInternals

More info about module:

Set credentials

Now you have to run another command in PowerShell, then enter the credentials which are delegated on Domain level with ReplDir permissions:

$mycredentials = Get-Credential

Enter credentials

Export users and password hashes of all users to file

Run the following command within PowerShell to “pull” all account information from the Domain Controller of your choice. When finished, the hashes are saved in the file c:\temp\hashes.txt

Get-ADReplAccount -all -NamingContext “DC=Domain,DC=local” -Server Domaincontroller.domain.local -Credential $mycredentials | Format-Custom -View HashcatNT | Out-File c:\temp\hashes.txt -Encoding ASCII

Make sure to change Domain name and Domain Controller!

Compare it…

Download PowerShell script from and save the file to c:\temp\

Load function and compare hashes

Run the following command to load the function:


Make sure you run it from c:\temp

Start comparison:

$list = Match-ADHashes -ADNTHashes C:\temp\hashes.txt -HashDictionary C:\temp\pwned-passwords.txt

save result to a list

Export into CSV

Write output to a CSV file:

$list | select Hash,Frequency,@{Name=’user’;Expression={[string]::join(“;”, ($_.user))}} | Export-Csv -Path c:\temp\report.csv -Delimiter ‘;’ -NoTypeInformation


Open the CSV and make sure to remediate all accounts. Set priority on privileged accounts. These must be changed immediately!

About Mahyar

OrcID: 0000-0001-8875-3362 ​PhD Candidate (National Academy of Sciences of Ukraine - Institute for Telecommunications and Global Information) MCP - MCSA - MCSE - MCTS Azure Security Engineer Associate MCITP: Enterprise Administrator CCNA, CCNP (R&S , Security) ISO/IEC 27001 Lead Auditor CHFI v10 ECIH v2

Check Also

Inspect RDP traffic in Wireshark

Wireshark RDP resources Looking for a way to capture and inspect RDP traffic in Wireshark? …