Pwncheck 1.0.31 and a database update

We’re delighted to announce the latest release of pwncheck 1.0.31 – the fastest and safest way to find users with pwned passwords on your Active Directory network, offline and without sending your hashes to the cloud.

The purpose of this release is to bring pwncheck in line with the latest version of Troy Hunt’s Have I Been Pwned database, using the new API described in this blog post. The number of unique breached passwords we now check against is over 931 million.

We recommend that you run pwncheck to ensure that none of your Active Directory users are currently using a compromised password, likely to be present in the latest credential stuffing and password spraying lists.

The latest pwncheck documentation has been updated accordingly and can be downloaded here.

#Requires -Version 5
#Stop on error
$ErrorActionPreference = "Stop"
#speedup Invoke-WebRequest
$ProgressPreference = "SilentlyContinue"
 
# download the database
$DbFiles = @(
	@{
		DownloadUrl	= "https://downloads.safepass.me/support/HIBPv10-extra.dat"
		FileName	= "HIBPv8.dat"
		FileHash	= "CDA5A7C288068A0E5C536CE5AE0B50B777EED1A17A37F8E25373DFF67B60CC54"
	}
)

$CWD = $PSScriptRoot
if ($CWD -eq '') {
	$CWD = Get-Location
}

ForEach ($DbFile in $DbFiles) {
	$DbFile.FilePath = Join-Path -Path $CWD -ChildPath $DbFile.FileName

	If ( !(Test-Path $DbFile.FilePath) -or ((Get-FileHash -Algorithm SHA256 $DbFile.FilePath).Hash -ne $DbFile.FileHash) ) {
		Invoke-WebRequest -Uri $DbFile.DownloadUrl -OutFile $DbFile.FilePath -Verbose
		If ((Get-FileHash -Algorithm SHA256 $DbFile.FilePath).Hash -ne $DbFile.FileHash) {
			Write-Error "Error downloading $(Split-Path $DbFile.DownloadUrl -Leaf)"
		}
	}
	Else {
		Write-Host "File $($DbFile.FileName) already exists with correct hash, so skipping download" -ForegroundColor Green
	}
}

# upload it to the DCs
Get-ADDomainController -Filter * | ForEach-Object {
	Write-host "Performing actions on $($_)"
	$DestPath = "\\$_\C$\windows\system32\safepassme"
	ForEach ($DbFile in $DbFiles) {
		If (Test-Path $DestPath) {
			Copy-Item -Path $DbFile.FilePath -Destination (Join-Path -Path $DestPath -ChildPath $DbFile.FileName) -Verbose
		}
		Else {
			Write-Error "SafePass does not appear to be installed on $_ since folder '$DestPath' not found"
		}
		$oldDB = Join-Path -Path $DestPath -ChildPath HIBPv8-extra.dat
		If (Test-Path $oldDB) {
			Remove-Item -Path $oldDB -Confirm:$false
		}
	}
}

ForEach ($DbFile in $DbFiles) {
	Remove-Item $DbFile.FilePath -Confirm:$True
}

Please note that this script will replace the existing ‘HIBPv8.dat’ database and will delete any ‘HIBPv8-extra.dat’ file. With this release we have decided to ship the enhanced database by default; get in touch with our support if your DCs are resource constrained and require a lightweight version.
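
The script above checks the hash of the downloaded file but not of the copies on the domain controllers. The following added example (not part of the original script or of pwncheck) re-hashes the deployed database over the same admin share path and compares it with the SHA-256 value used above; the function name `Test-SafePassDatabase` and the status labels are assumptions made for illustration.

```powershell
#Requires -Version 5
# Added example: verify the deployed database on each DC.
# Test-SafePassDatabase is a hypothetical helper name; the path, file names
# and expected hash are the ones used in the script above.
function Test-SafePassDatabase {
	param(
		[Parameter(Mandatory)] [string[]] $ComputerName,
		[string] $FileName     = "HIBPv8.dat",
		[string] $ExpectedHash = "CDA5A7C288068A0E5C536CE5AE0B50B777EED1A17A37F8E25373DFF67B60CC54"
	)
	ForEach ($Computer in $ComputerName) {
		$DestPath = "\\$Computer\C$\windows\system32\safepassme"
		$DbPath   = Join-Path -Path $DestPath -ChildPath $FileName
		$OldDb    = Join-Path -Path $DestPath -ChildPath "HIBPv8-extra.dat"

		If (!(Test-Path $DestPath)) {
			$Status = "FolderNotFound"      # SafePass folder absent on this DC
		}
		ElseIf (!(Test-Path $DbPath)) {
			$Status = "DatabaseMissing"     # folder present, database never copied
		}
		ElseIf ((Get-FileHash -Algorithm SHA256 $DbPath).Hash -ne $ExpectedHash) {
			$Status = "HashMismatch"        # stale, truncated or altered copy
		}
		Else {
			$Status = "OK"
		}

		# One result object per DC, so the output can be filtered or exported
		[PSCustomObject]@{
			ComputerName  = $Computer
			Status        = $Status
			OldDbLeftOver = [bool](Test-Path $OldDb)
		}
	}
}

# Check every DC in the domain and list only the ones that need attention
$Results = Get-ADDomainController -Filter * |
	ForEach-Object { Test-SafePassDatabase -ComputerName $_.HostName }
$Results | Where-Object { $_.Status -ne "OK" -or $_.OldDbLeftOver } | Format-Table -AutoSize
```

Hashing over the admin share reads the whole database across the network, so allow time for each DC.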