-
Notifications
You must be signed in to change notification settings - Fork 17
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
19 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,34 +1,34 @@ | ||
| # Introduction | ||
|
|
||
| PwnedPasswordsDLL is probably the simplest DLL you've ever seen. It consists of two functions - the built-in DLL boilerplate in Visual Studio, and a function to check passwords against the HaveIBeenPwned database of breached passwords. | ||
| PwnedPasswordsDLL is a DLL that allows password requests through any form of Active Directory integration to be checked against over 330 million previously breached passwords. | ||
|
|
||
| Check out https://jacksonvd.com/checking-for-breached-passwords-in-active-directory/ for more information on the background of the tool. | ||
|
|
||
| # Compiling the Code (Visual Studio) | ||
|
|
||
| 1. Grab the following precompiled libcurl binaries for Windows (https://github.com/HazeProductions/libcurl) | ||
| The code is heavily reliant on the Crypto++ library in order to convert the calling password to a SHA1 hash. I have also only tested the code on x64 architecture, so I'm not sure if it will even work on 32-bit systems. | ||
|
|
||
| 2. Include the libcurl header files through Project –> (Project name) Properties –> Configuration Properties –> VC++ Directories. Edit the Include Directories and add the include directory | ||
| Compiling the code is quite simple in Visual Studio - | ||
|
|
||
| 3. Then, edit the Library Directories and add the static-release-x64 directory from the lib directory. | ||
|
|
||
| 4. Add libcurl_a.lib ws2_32.lib winmm.lib wldap32.lib to your Additional Dependencies list under Project –> (Project name) Properties –> Configuration Properties –> Linker–>Input–> Additional Dependencies | ||
|
|
||
| 5. Add CURL_STATICLIB to your Preprocessor Definitions under Project –> (Project name) Properties –> Configuration Properties –> C/C++–> Preprocessor–> Preprocessor Definitions | ||
|
|
||
| 6. All that's left now is to Build and then test out the DLL! | ||
| 1. Download the PwnedPasswordsDLL source from here | ||
| 2. Download Crypto++ from the following link (https://www.cryptopp.com/#download) | ||
| 3. Build Crypto++ as a library in x64 mode - the following link is a good resource on compiling it for use in Visual Studio (http://programmingknowledgeblog.blogspot.com.au/2013/04/compiling-and-integrating-crypto-into.html) | ||
| 4. Include the Crypto++ header directories through Project –> PwnedPasswordsDLL Properties –> Configuration Properties –> VC++ Directories. Edit the Include Directories and add the include directory | ||
| 5. Then, edit the Library Directories and add the Debug directory from the x64\Outputdirectory. | ||
| 6. Add cryptlib.lib to your Additional Dependencies list under Project –> PwnedPasswordsDLL Properties –> Configuration Properties –> Linker–>Input–> Additional Dependencies | ||
| 7. Change Runtime Library to Multi-threaded Debug (/MTd) underProject –> PwnedPasswordsDLL Properties –> Configuration Properties –> C/C++–> Code Generation | ||
| 8. All that's left now is to Build and then test out the DLL! | ||
|
|
||
| # Implementing the DLL | ||
|
|
||
| The implementation of the DLL is the easy part - whether you've compiled the code yourself or downloaded a release, the implementation process is the same. | ||
|
|
||
| Please note that you will need to follow these instructions for all Domain Controllers on the network, as any of them may end up servicing a password change request. | ||
|
|
||
| 1. The DLL itself needs to be placed in your system root directory (generally C:\Windows\System32). | ||
|
|
||
| 2. The DLL name needs to be added to the multi-string “Notification Packages” subkey under HKLM\System\CurrentControlSet\Control\LSA - note that you only need to add the name of the DLL, not including the file extension. | ||
| The implementation of the DLL is the easy part, save for downloading some rather large text files - whether you've compiled the code yourself or downloaded a release, the implementation process is the same. | ||
|
|
||
| Note: These instructions need to be followed on all Domain Controllers in the domain if you wish to implement this for Active Directory, as any of them may end up servicing a password change request. | ||
|
|
||
| 3. To ensure that the DLL works alongside your Group Policy password filtering settings, ensure that the Passwords must meet complexity requirements policy setting is enabled through your Domain Controllers GPO. | ||
| As the solution is entirely on-premises, you need to download the 3 breached passwords zip files from https://haveibeenpwned.com/passwords and extract the plain-text documents to the C drive (the file path is customisable if you compile the code yourself, but not if you download the Release). | ||
|
|
||
| 4. Reboot the PC. Any password change request should now be filtered through the HaveIBeenPwned API. | ||
| 1. Download and extract the breached password lists, as per the instructions above | ||
| 2. The DLL itself needs to be placed in your system root directory (generally C:\Windows\System32). | ||
| 3. The DLL name needs to be added to the multi-string “Notification Packages” subkey under HKLM\System\CurrentControlSet\Control\LSA - note that you only need to add the name of the DLL, not including the file extension. | ||
| 4. To ensure that the DLL works alongside your Group Policy password filtering settings, ensure that the Passwords must meet complexity requirements policy setting is enabled through your relevant GPO(s). | ||
| 5. Reboot the PC(s). Any password change request should now be filtered through the DLL. |