{"id":21054739,"url":"https://github.com/papermtn/lil-pwny","last_synced_at":"2025-03-17T16:12:52.367Z","repository":{"id":138165715,"uuid":"231802069","full_name":"PaperMtn/lil-pwny","owner":"PaperMtn","description":"Fast offline auditing of Active Directory passwords using Python.","archived":false,"fork":false,"pushed_at":"2024-08-14T19:15:03.000Z","size":273,"stargazers_count":163,"open_issues_count":2,"forks_count":24,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-02T13:11:41.183Z","etag":null,"topics":["haveibeenpwned","hibp","ntlm-hashes","password-audit","password-safety"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PaperMtn.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-04T17:29:20.000Z","updated_at":"2025-02-18T02:40:24.000Z","dependencies_parsed_at":null,"dependency_job_id":"4b1a5a4f-f05f-4a51-8b13-0728f3f3c411","html_url":"https://github.com/PaperMtn/lil-pwny","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PaperMtn%2Flil-pwny","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PaperMtn%2Flil-pwny/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PaperMtn%2Flil-pwny/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PaperMtn%2Flil-pwny/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PaperMtn","download_url":"https://codeload.github.com/PaperMtn/lil-pwny/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244066189,"owners_count":20392406,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["haveibeenpwned","hibp","ntlm-hashes","password-audit","password-safety"],"created_at":"2024-11-19T16:17:02.517Z","updated_at":"2025-03-17T16:12:52.335Z","avatar_url":"https://github.com/PaperMtn.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cimg src=\"https://i.imgur.com/Q0pPSjN.png\" width=\"450\"\u003e\n\n# Lil Pwny\n![Python 2.7 and 3 compatible](https://img.shields.io/pypi/pyversions/lil-pwny)\n![PyPI version](https://img.shields.io/pypi/v/lil-pwny.svg)\n![License: MIT](https://img.shields.io/pypi/l/lil-pwny.svg)\n\nFast offline auditing of Active Directory passwords using Python.\n\n## About Lil Pwny\nLil Pwny is a Python application to perform an offline audit of NTLM hashes of users' passwords, recovered from Active Directory, against known compromised passwords from Have I Been Pwned. Results will be output in JSON format containing the username, matching hash (can be obfuscated), and how many times the matching password has been seen in HIBP\n\nMore information about Lil Pwny can be found [on my blog](https://papermtn.co.uk/category/tools/lil-pwny/)\n\n## Features\n\n- **Custom Password Auditing**: Ability to provide a list of your own custom passwords to check AD users against. This allows you to check user passwords against passwords relevant to your organisation that you suspect people might be using. \n  - Pass a .txt file with the plaintext passwords you want to search for, these are then NTLM hashed and AD hashes are then compared with this as well as the HIBP hashes.\n- **Detect Duplicates**: Return a list of accounts using the same passwords. Useful for finding users using the same password for their administrative and standard accounts.\n- **Username as Password**: Detect users that are using their username, or variations of it, as their password.\n- **Obfuscated Output**: Obfuscate hashes in output, for if you don't want to handle or store live user NTLM hashes.\n\n### Custom Password List Enhancement\nLil Pwny provides the functionality to enhance your custom password list by adding commonly used variants of your custom passwords. These include:\n- Passwords with common 'leetspeak' substitutions (e.g. `P@ssw0rd`)\n- Uppercase versions of the password, and uppercase first characters (e.g. `PASSWORD`, `Password`)\n- Passwords with common special characters appended or prepended (e.g. `password!`, `!password`)\n- Passwords padded with common alphanumeric characters, special characters and repetitions of themselves to make them meet a given minimum length (e.g. `password123!`, `!passwordabc`, `passwordpassword`)\n  - You pass your desired minimum password length to Lil Pwny when selecting the custom list enhancement option\n- Passwords with dates appended starting from the year 1950 up to 10 years from today's date (e.g. `password1950`, `password2034`)\n\nA custom password list of 100 plaintext passwords generates 49848660 variations.\n\n### Usernames in Passwords\nLil Pwny looks for users that are using variations of their username as their password.\n\nIt converts the users username into the following formats:\n\n- All uppercase\n- All lowercase\n- Remove dot \".\"\n- camelCase (E.g. johnSmith)\n- PascalCase (E.g. JohnSmith)\n\nThese are then converted to NTLM hashes, and audited against the AD hashes\n\n## Resources\nThis application has been developed to make the most of multiprocessing in Python, with the aim of it working as fast as possible on consumer level hardware.\n\nBecause it uses multiprocessing, the more cores you have available, the faster Lil Pwny should run. I have still had very good results with a low number of logical cores:\n- Test env of ~8500 AD accounts and HIBP list of 613,584,246 hashes:\n    - 6 logical cores - 0:05:57.640813\n    - 12 logical cores - 0:04:28.579201\n\n## Output\nLil Pwny will output results as either to stdout:\n\n\u003cimg src=\"./images/stdout-screenshot.png\" width=\"675\"\u003e\n\nor JSON:\n\n```json\n{\"localtime\": \"2021-00-00 00:00:00,000\", \"level\": \"NOTIFY\", \"source\": \"Lil Pwny\", \"match_type\": \"hibp\", \"detection_data\": {\"username\": \"RICKON.STARK\", \"hash\": \"32ED87BDB5FDC5E9CBA88547376818D4\", \"matches_in_hibp\": \"24230577\", \"obfuscated\": \"True\"}}\n```\nYou can redirect the JSON output of Lil Pwny to file:\n```commandline\nlil-pwny -ad ... \u003e lil-pwny-results.json \n```\n\nThis JSON formatted logging can be easily ingested in to a SIEM or other log analysis tool, and can be fed to other scripts or platforms for automated resolution actions.\n\n## Installation\nInstall via pip\n```bash\npip install lil-pwny\n```\n\n## Usage\nLil-pwny will be installed as a global command, use as follows:\n\n```\nusage: lil-pwny [-h] -hibp HIBP [-v] [-c CUSTOM] [-custom-enhance CUSTOM_ENHANCE] -ad AD_HASHES [-d] [-output {file,stdout,json}] [-o] [--verbose]\n\nFast offline auditing of Active Directory passwords using Python\n\noptions:\n  -h, --help            show this help message and exit\n  -hibp HIBP, --hibp HIBP\n                        The .txt file containing HIBP NTLM hashes\n  -v, --version         show program's version number and exit\n  -c CUSTOM, --custom CUSTOM\n                        .txt file containing additional custom passwords to check for\n  -custom-enhance CUSTOM_ENHANCE, --custom-enhance CUSTOM_ENHANCE\n                        generate an enhanced custom password list based on the provided custom password list. Must be used with -c/--custom flag. The enhanced list will stored in memory and not\n                        written to disk. Provide the minimum length of the passwords you want. Default is 8\n  -ad AD_HASHES, --ad-hashes AD_HASHES\n                        The .txt file containing NTLM hashes from AD users\n  -d, --duplicates      Output a list of duplicate password users\n  -output {file,stdout,json}, --output {file,stdout,json}\n                        Where to send results\n  -o, --obfuscate       Obfuscate hashes from discovered matches by hashing with a random salt\n  --verbose             Turn on verbose logging\n\n```\n\nExample:\n```bash\nlil-pwny -hibp ~/hibp_hashes.txt -ad ~/ad_user_hashes.txt -c ~/custom_passwords.txt -output stdout -do\n```\n\n\n\n## Getting input files\n### Step 1: Get an IFM AD database dump\n\nOn a domain controller use `ntdsutil` to generate an IFM dump of your AD domain. Run the following in an elevated PowerShell window:\n\n```bash\nntdsutil\nactivate instance ntds\nifm\ncreate full **output path**\n```\n\n### Step 2: Recover NTLM hashes from this output\n\nTo recover the NTLM hashes from the AD IFM data, the Powershell module [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) is required.\n\nOnce installed, use the SYSTEM hive in the IFM data to recover the hashes in the format `usernme:hash` and save them to the file `ad_ntlm_hashes.txt`\n\n```bash\n$bootKey = Get-BootKey -SystemHivePath '.\\registry\\SYSTEM'\nGet-ADDBAccount -All -DBPath '.\\Active Directory\\ntds.dit' -BootKey $bootKey | Format-Custom -View HashcatNT | Out-File ad_ntlm_hashes.txt -Encoding ASCII\n```\n\n### Step 3: Download the latest HIBP hash file\nThe file can be downloaded from the HIBP API using a .net utility  [here](https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader)\n\n### Optional Step: Filter unwanted AD accounts\nThe PowerShell script in the [scripts](./scripts/Filter-ADUsers) directory can be used to remove unwanted accounts from the IFM output before processing. These include:\n\n- Disabled accounts\n- Computer accounts\n\n\n## Resources\n- [ntdsutil \u0026 IFM](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732530(v=ws.11))\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpapermtn%2Flil-pwny","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpapermtn%2Flil-pwny","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpapermtn%2Flil-pwny/lists"}