Lil Pwny – Auditing Active Directory passwords using multiprocessing in Python.
Lil Pwny is a Python application to perform an offline audit of NTLM hashes of users' passwords, recovered from Active Directory, against known compromised passwords from Have I Been Pwned. The usernames of any accounts matching HIBP will be returned in a .txt file
There are also additional features:
- Ability to provide a list of your own passwords to check AD users against. This allows you to check user passwords against passwords relevant to your organisation that you suspect people might be using. These are NTLM hashed, and AD hashes are then compared with this as well as the HIBP hashes.
- Return a list of accounts using the same passwords. Useful for finding users using the same password for their administrative and standard accounts.
More information about Lil Pwny can be found on my blog
Recommendations
This application was developed to ideally run on high resource infrastructure to make the most of Python multiprocessing. It will run on desktop-level hardware, but the more cores you use, the faster the audit will run.
Install
Install via pip
pip install lil-pwny
Usage
Lil-pwny will be installed as a global command, use as follows:
usage: lil-pwny [-h] -hibp HIBP [-a A] -ad AD_HASHES [-d] [-m] [-o OUTPUT]
optional arguments:
-hibp, --hibp-path The HIBP .txt file of NTLM hashes
-a, --a .txt file containing additional passwords to check for
-ad, --ad-hashes The NTLM hashes from of AD users
-d, --find-duplicates Output a list of duplicate password users
-m, --memory Load HIBP hash list into memory (over 24GB RAM
required)
-o, --out-path Set output path. Uses working dir when not set
Example:
lil-pwny -hibp ~/hibp_hashes.txt -ad ~/ad_ntlm_hashes.txt -a ~/additional_passwords.txt -o ~/Desktop/Output -m -d
Use of the -m flag will load the HIBP hashes into memory, which will allow for faster searching. Note this will require at least 24GB of available memory.
Getting input files
Step 1: Get an IFM AD database dump
On a domain controller use ntdsutil to generate an IFM dump of your AD domain. Run the following in an elevated PowerShell window:
ntdsutil
activate instance ntds
ifm
create full **output path**
Step 2: Recover NTLM hashes from this output
To recover the NTLM hashes from the AD IFM data, the PowerShell module DSInternals is required.
Once installed, use the SYSTEM hive in the IFM data to recover the hashes in the format username:hash and save them to the file ad_ntlm_hashes.txt
$bootKey = Get-BootKey -SystemHivePath '.\registry\SYSTEM'
Get-ADDBAccount -All -DBPath '.\Active Directory\ntds.dit' -BootKey $bootKey | Format-Custom -View HashcatNT | Out-File ad_ntlm_hashes.txt -Encoding ASCII
Step 3: Download the latest HIBP hash file
The file can be downloaded from here
The latest version of the hash file contains around 551 million hashes.
Methods
https://github.com/PaperMtn/lil-pwny
The article Lil Pwny – Auditing Active Directory passwords using multiprocessing in Python. appeared first on Hakin9 – IT Security Magazine.