question

Researcher-8306 asked Researcher-8306 commented

How can we reliably know that a user has changed his Windows account password?

We are looking at methods to identify whether a user has changed their Windows account password (Local or Domain account). Is there any foolproof way we can determine whether password has been changed?

We got to know that using the Windows NT Authority command 'net user' and checking the 'password last set' value we will get this information. However, we have also found that there are tools through which it is possible to modify these values and manipulate the output of the command, which makes the password last set value unreliable. Also, can we reliably compare the Windows account password hashes of old and new passwords and determine that the password has been changed? I.e., can we assume an administrator cannot revert back to the old password hash temporarily after logging in to disguise the password change?


windows-10-security

1 Answer

TKujala answered Researcher-8306 commented

Hi @Researcher-8306,

Domain

You can check the Last Password Changed information for a user account in Active Directory. The information for last password changed is stored in an attribute called “PwdLastSet”. You can check the value of “PwdLastSet” using the Microsoft “ADSI Edit” tool.

Local

Open the command prompt window as administrator.

Type the following command.

net user %username%

> Also, can we reliably compare the Windows account password hashes of old and new passwords and determine that the password has been changed? I.e., can we assume an administrator cannot revert back to the old password hash temporarily after logging in to disguise the password change?

On domain members and workstations, local user account password hashes are stored in a local Security Account Manager (SAM) Database located in the registry. They are encrypted using the same encryption and hashing algorithms as Active Directory.

So, it's not possible to compare hashes.

Hi @TKujala ,

We have already found out that the value of 'PwdLastSet' can be checked using 'net user' command (has been mentioned in our question). What we were looking for was whether it can be manipulated using any malicious tool/hacker - that is, whether someone can actually change the password, yet leave the 'PwdLastSet' value unchanged to indicate that there has not been any change in the password.

As per this link, the password hashes can be extracted and compared using Rainbow techniques, even though they are stored in the local Security Account Manager (SAM) Database.

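The thread above asks whether the "password last set" attribute can be trusted on its own. As an added example (not code from either poster), the script below reads that attribute for a local or domain account and cross-checks it against the Security event log, which is written by the LSA at the moment a change or reset is processed and is therefore an independent record. Event IDs 4723 (an attempt was made to change an account's password) and 4724 (an attempt was made to reset an account's password) are standard Windows audit events; the parameter names, the $LookbackDays window and the "suspicious" verdict logic are this example's own assumptions. The events only exist if "Audit User Account Management" auditing is enabled, and for domain accounts they are logged on the domain controller that handled the change, so point -ComputerName at your DCs in that case.

```powershell
# Added example, not from the original thread. Assumes an elevated session
# (local accounts) or the RSAT ActiveDirectory module (domain accounts).
param(
    [Parameter(Mandatory)] [string] $UserName,
    [switch] $Domain,
    [string] $ComputerName = $env:COMPUTERNAME,  # a DC for domain accounts
    [int]    $LookbackDays = 30                 # assumed audit window
)

# 1. Read the attribute the thread discusses (PwdLastSet / PasswordLastSet).
if ($Domain) {
    Import-Module ActiveDirectory -ErrorAction Stop
    $acct    = Get-ADUser -Identity $UserName -Properties pwdLastSet, PasswordLastSet
    $lastSet = $acct.PasswordLastSet
    if ($acct.pwdLastSet -eq 0) {
        Write-Warning "pwdLastSet is 0: user must change password at next logon."
    }
} else {
    $acct    = Get-LocalUser -Name $UserName -ErrorAction Stop
    $lastSet = $acct.PasswordLastSet
}
Write-Host "Attribute says password last set: $lastSet"

# 2. Pull the audit trail for that account, independent of the attribute.
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4723, 4724
    StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object {
    # Parse the event XML rather than relying on property ordering.
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    ($data | Where-Object Name -eq 'TargetUserName').'#text' -eq $UserName
}

if (-not $events) {
    Write-Host "No 4723/4724 events for $UserName on $ComputerName in the last $LookbackDays days."
    Write-Host "Either no change occurred, auditing is off, or the log was cleared (check for 1102)."
    return
}

# 3. Report every change/reset attempt and who performed it.
foreach ($e in $events) {
    $data    = ([xml]$e.ToXml()).Event.EventData.Data
    $subject = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
    $kind    = if ($e.Id -eq 4723) { 'change (old password known)' } else { 'reset (admin)' }
    Write-Host ("{0}  {1}  by {2}" -f $e.TimeCreated, $kind, $subject)
}

# 4. The check a defender actually wants: if the newest audited change is
#    later than what the attribute claims, the attribute has been altered.
$newest = ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
if ($lastSet -and $newest -gt $lastSet.AddMinutes(1)) {
    Write-Warning "Audit log shows a change at $newest but PasswordLastSet reads $lastSet."
    Write-Warning "Treat the attribute as unreliable for this account."
} else {
    Write-Host "Attribute and audit log agree."
}
```

The design point is that the attribute is data an administrator can write, while the audit event is produced by the system at the time of the operation; the attribute is the claim, the event log is the evidence. A user who holds both admin rights and the ability to clear the Security log can still cover tracks locally, which is why the log should also be forwarded off-host (Windows Event Forwarding or a SIEM) so the copy being checked is not under the same account's control. Comparing NTLM hashes, as the last comment suggests, would additionally require dumping the SAM or NTDS, which is itself a privileged and audited action and gives nothing the event log does not already record.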