Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Test-IsAdUserPasswordCompromised fails on an account with no password #10

Open
mickpoz opened this issue Apr 4, 2019 · 8 comments
Open
Assignees
Labels
bug Something isn't working

Comments

@mickpoz
Copy link

mickpoz commented Apr 4, 2019

I've copied the powershell script from here: https://github.com/lithnet/ad-password-protection/wiki/Audit-existing-passwords
I'm running it directly on the DC with a domain admin account.
I get the following output (this runs through the user list with the same result for every one):

WARNING: User Administrator has a null UPN
WARNING: User Guest has a null UPN
WARNING: User krbtgt has a null UPN

Test-IsADUserPasswordCompromised : Object reference not set to an instance of an object.
At C:\users\xxxx\Desktop\password_audit.ps1:31 char:15

  • ... $result = Test-IsADUserPasswordCompromised -UPN $user -server local ...
  •             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    • CategoryInfo : NotSpecified: (:) [Test-IsADUserPasswordCompromised], NullReferenceException
    • FullyQualifiedErrorId : System.NullReferenceException,Lithnet.ActiveDirectory.PasswordProtection.PowerShell.Test
      IsADUserPasswordCompromised

The get-pwned-users.csv is created but there is nothing in the file except for the column headers.

I'm able to run the Test-IsADPasswordCompromised module directly from the command line, so thats working.

Thanks.

@ryannewington ryannewington self-assigned this Jun 15, 2019
@ryannewington ryannewington added the bug Something isn't working label Jun 15, 2019
@ryannewington
Copy link
Member

ryannewington commented Jun 15, 2019

@mickpoz sorry for the delay in getting back to you. Is this still a problem for you?

If so, when the error occurs, could you send me the result from the following command

$error[0].Exception.ToString()

Immediately after the error condition

@mickpoz
Copy link
Author

mickpoz commented Jun 16, 2019

Hi Ryan,
No problems, I've kind of dropped it but FYI this is what I get from running your command.
Note, the script runs for approx 1/3 of the users now and I get output in the csv file but the rest of the users display the same original error.

System.NullReferenceException: Object reference not set to an instance of an object.
at Lithnet.ActiveDirectory.PasswordProtection.Extensions.ToHexString(Byte[] hash, Int32 offset, Int32 count)
at Lithnet.ActiveDirectory.PasswordProtection.BinaryStoreInstance.IsHashInStore(Byte[] hash)
at Lithnet.ActiveDirectory.PasswordProtection.PowerShell.TestIsADUserPasswordCompromised.ProcessRecord() in D:\github
\lithnet\ad-password-protection\src\PasswordProtectionPS\TestIsADUserPasswordCompromised.cs:line 62
at System.Management.Automation.CommandProcessor.ProcessRecord()

@ryannewington
Copy link
Member

@mickpoz thanks so much for getting back to me. I suspect it's choking on a user that has no password. I'll look into this further and confirm.

@ryannewington ryannewington changed the title Unable to run Existing Password Audit Script Test-IsAdUserPasswordCompromised fails on an account with no password Jun 17, 2019
ryannewington added a commit that referenced this issue Jun 17, 2019
@ryannewington
Copy link
Member

@mickpoz
Copy link
Author

mickpoz commented Jun 17, 2019

Hi Ryan,

The latest release fixed the error! However it isn't running for all users. It completes without error but the csv only has about a third of my users in there. Can confirm that they definitely do not have no passwords, my own account is in the list.

@ryannewington ryannewington reopened this Jun 17, 2019
@ryannewington
Copy link
Member

That sounds like an issue enumerating the users in the domain.

Are they all in the same domain?
Any differences between the accounts that are appearing and those that aren't (eg OU locations?)

@mickpoz
Copy link
Author

mickpoz commented Jun 18, 2019

Hi Ryan,
I can't figure it out!
All users in the same domain and same OU.
The ones that are working are a mix of older and newer accounts so I don't think account age is a factor.

@ryannewington
Copy link
Member

Looking into this further, the script only logs details for users who have a compromised password. If the user's password is not compromised, they are not added to the list.

Could it be as simple as the gact that the 2/3 of users appearing in the list do not have passwords that are known to be compromised?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants