Lil-Pwny – Auditing Active Directory Passwords Using Multiprocessing In Python
A multiprocessing approach to auditing Active Directory passwords using Python.
About Lil Pwny
Lil Pwny is a Python application to perform an offline audit of NTLM hashes of users' passwords, recovered from Active Directory, against known compromised passwords from Have I Been Pwned (HIBP). The usernames of any accounts matching HIBP will be returned in a .txt file.
There are also additional features:
- Ability to provide a list of your own passwords to check AD users against. This allows you to check user passwords against passwords relevant to your organisation that you suspect people might be using. These are NTLM hashed, and AD hashes are then compared with this as well as the HIBP hashes.
- Return a list of accounts using the same passwords. Useful for finding users using the same password for their administrative and standard accounts.
More information about Lil Pwny can be found on my website
This application was developed to ideally run on high resource infrastructure to make the most of Python multiprocessing. It will run on desktop level hardware, but the more cores you use, the faster the audit will run.
Installation
Install via pip
pip install lil-pwny
Usage
Lil-pwny will be installed as a global command, use as follows:
usage: lil-pwny [-h] -hibp HIBP [-a A] -ad AD_HASHES [-d] [-m] [-o OUTPUT]
optional arguments:
  -hibp, --hibp-path      The HIBP .txt file of NTLM hashes
  -a, --a                 .txt file containing additional passwords to check for
  -ad, --ad-hashes        The NTLM hashes from of AD users
  -d, --find-duplicates   Output a list of duplicate password users
  -m, --memory            Load HIBP hash list into memory (over 24GB RAM required)
  -o, --out-path          Set output path. Uses working dir when not set
Example:
lil-pwny -hibp ~/hibp_hashes.txt -ad ~/ad_ntlm_hashes.txt -a ~/added_passwords.txt -o ~/Desktop/Output -m -d
Use of the -m flag will load the HIBP hashes into memory, which allows for faster searching. Note this will require at least 24GB of available memory.
Getting input files
Step 1: Get an IFM AD database dump
On a domain controller use ntdsutil to generate an IFM dump of your AD domain. Run the following in an elevated PowerShell window:
ntdsutil
activate instance ntds
ifm
create full **output path**
Step 2: Recover NTLM hashes from this output
To recover the NTLM hashes from the AD IFM data, the PowerShell module DSInternals is required.
Once installed, use the SYSTEM hive in the IFM data to recover the hashes in the format username:hash and save them to the file ad_ntlm_hashes.txt
$bootKey = Get-BootKey -SystemHivePath '.\registry\SYSTEM'
Get-ADDBAccount -All -DBPath '.\Active Directory\ntds.dit' -BootKey $bootKey | Format-Custom -View HashcatNT | Out-File ad_ntlm_hashes.txt -Encoding ASCII
Step 3: Download the latest HIBP hash file
The file can be downloaded from here
The latest version of the hash file contains around 551 million hashes.
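What the audit does with the two input files, as an added example that is not Lil Pwny's own code: it keeps only the AD hashes in memory and streams the HIBP list once (the low-memory alternative to -m), then groups accounts that share a hash. The function names are hypothetical, the HASH:count layout of each HIBP line is an assumption, and the sample hashes are constructed, not real NTLM values.

```python
import io
from collections import defaultdict

def load_ad_hashes(lines):
    """Parse username:hash lines into {HASH: [usernames]}."""
    by_hash = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank and malformed rows
        user, _, nt_hash = line.rpartition(":")
        by_hash[nt_hash.upper()].append(user)
    return by_hash

def find_compromised(by_hash, hibp_lines):
    """Stream the HIBP list once; only the AD hashes are held in memory."""
    hits = {}
    for line in hibp_lines:
        nt_hash, _, count = line.strip().partition(":")
        for user in by_hash.get(nt_hash.upper(), []):
            hits[user] = int(count or 0)  # times the password was seen in breaches
    return hits

def find_duplicates(by_hash):
    """Groups of accounts that share one password hash."""
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)

# Constructed sample data: these are not real NTLM hashes.
AD_DUMP = """\
alice:00112233445566778899AABBCCDDEEFF
alice-admin:00112233445566778899aabbccddeeff
bob:FFEEDDCCBBAA99887766554433221100
svc_backup:0123456789ABCDEF0123456789ABCDEF
"""
HIBP_SAMPLE = """\
0123456789ABCDEF0123456789ABCDEF:5120
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:3
"""

def run_audit():
    by_hash = load_ad_hashes(io.StringIO(AD_DUMP))
    compromised = find_compromised(by_hash, io.StringIO(HIBP_SAMPLE))
    return compromised, find_duplicates(by_hash)

if __name__ == "__main__":
    compromised, duplicates = run_audit()
    print("Compromised:", compromised)
    print("Shared passwords:", duplicates)
```

Hashes are compared case-insensitively, so the alice and alice-admin rows above are reported as sharing a password even though the dump mixes upper and lower case.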
Methods