PwnedPasswordsDLL is a DLL that allows password requests through any form of Active Directory integration to be checked against over 500 million previously breached passwords using Troy Hunt's Pwned Passwords API and k-Anonymity.
Check out https://jacksonvd.com/checking-for-breached-passwords-ad-using-k-anonymity/ for more information on the background of the tool.
- Download the PwnedPasswordsDLL-API source from here
- Download Crypto++ from the following link (https://www.cryptopp.com/#download)
- Build Crypto++ as a library in x64 mode – the following link is a good resource on compiling it for use in Visual Studio (http://programmingknowledgeblog.blogspot.com.au/2013/04/compiling-and-integrating-crypto-into.html)
- Include the Crypto++ header directories through Project –> PwnedPasswordsDLL-API Properties –> Configuration Properties –> VC++ Directories. Edit the Include Directories and add the include directory
- Then, edit the Library Directories and add the Debug directory from the x64\Output directory.
- Add cryptlib.lib to your Additional Dependencies list under Project –> PwnedPasswordsDLL-API Properties –> Configuration Properties -> Linker –>Input –> Additional Dependencies
- Build libCurl as a library in x64 mode – this is a great resource from Github that will build libcurl on Windows (https://github.com/blackrosezy/build-libcurl-windows)
- Include the libCurl header directories through Project –> PwnedPasswordsDLL-API Properties –> Configuration Properties –> VC++ Directories.
- Edit the Include Directories and add the include directory
- Then, edit the Library Directories and add the relevant libCurl library directory.
- Add libcurl_a.lib to your Additional Dependencies list under Project –> PwnedPasswordsDLL-API Properties –> Configuration Properties –> Linker –>Input –> Additional Dependencies
- Add CURL_STATICLIB to your Preprocessor Definitions under Project –> PwnedPasswordsDLL-API Properties –> Configuration Properties –> C/C++ -> Preprocessor
- Change Runtime Library to Multi-threaded Debug (/MTd) under Project –> PwnedPasswordsDLL-API Properties –> Configuration Properties –> C/C++ –> Code Generation
- All that’s left now is to Build and then test out the DLL!
The implementation of the DLL is the easy part - just download or build the DLL, place it in system32 and add a registry key!
Note: These instructions need to be followed on all Domain Controllers in the domain if you wish to implement this for Active Directory, as any of them may end up servicing a password change request.
- Download or build the DLL
- The DLL itself needs to be placed in your system root directory (generally C:\Windows\System32).
- The DLL name needs to be added to the multi-string “Notification Packages” registry subkey under HKLM\System\CurrentControlSet\Control\LSA – note that you only need to add the name of the DLL, not including the file extension.
- To ensure that the DLL works alongside your Group Policy password filtering settings, ensure that the Passwords must meet complexity requirements policy setting is enabled through your relevant GPO(s).
- Reboot the DC(s). Any password change request should now be filtered through the DLL.