As the number of data breaches continues to rise, safeguarding your Active Directory (AD) passwords from compromise is more important than ever. Lil-Pwny not only allows you to audit your AD passwords against the well-known Have I Been Pwned (HIBP) database, but it also offers a powerful custom password auditing feature. This helps you protect against both external and internal threats.
The custom passwords feature of Lil Pwny lets you audit your Active Directory for accounts using passwords that are:
- Context specific or related to your company
- Known to be exposed internally (Example: posted on Slack)
- Known to be commonly used (Example: IT set all new starters' passwords to PumpkinCollectCartoon, and don’t force password changes on first login)
You can use this to create a list of passwords and phrases that are tailored to your company, but may not be in the HIBP password list. These passwords can also take into account any password policies you have in place.
In this post, I’ll show you how you can use some of the same tools that attackers use to generate a tailored custom password list, and find those risky passwords before they do. We’re going to use the tool cewl, and the custom password list enhancement feature of Lil Pwny.
I’ll be revisiting my Westeros Inc dataset to give context to these examples. The Westeros Inc Active Directory is configured with the following password policy:
- 12 Character password minimum
- Complexity requirements are disabled (no special characters, which is ironic considering most of the characters in GoT were ruined in the end.)
Step 1: Create your list with known exposed passwords
First of all, let’s create a starting list of basic passwords. These are the ones that match the criteria above (known exposed, commonly used, company specific).
For Westeros Inc, we know that IT has a bad habit of using the same password for new starters: InTheNameOfTheKing301. Some users don’t change this password, meaning we have multiple users using this commonly known password. This opens us up to attackers being able to pivot to accounts using the same password once one account is compromised.
We also have the commonly used company-specific phrases that people tend to use in passwords. We can assume that some users may try to create a password using the company name, so westeros gets added. There will be other examples of company-specific phrases as well; these should be added to your list.
Now we have a basic custom password list that we’ve put together manually with our known examples, custom_password_list.txt:
InTheNameOfTheKing301
westeros
westeros.inc
WinterIsComing
Step 2: Use cewl to trawl sites for more passwords
We want to generate even more tailored passwords. To do this, we will use CeWL.
CeWL is a tool used to crawl a given website and gather words into a custom wordlist. In our case, we will use it to generate a list with phrases tailored to our company.
Key Features of CeWL
- Depth Control: Allows you to specify how many levels deep to crawl. The default is 2. On larger sites, you may need to set this lower.
- Word Filtering: Can filter out short words and non-alphabetic characters.
- Minimum Word Length: You can set the minimum number of characters a word should have, to generate only passwords that match password requirements. (Note: because of what we’re going to do later, I’m not going to set this to 12, even though that is the password policy for Westeros Inc.)
CeWL comes installed on Kali and ParrotOS. Installation instructions are on GitHub if you need to install it on your OS.
Applying this in practice
Returning to Westeros Inc, we can use the site A Wiki of Ice and Fire to play the part of our company website. There is the main page for Westeros, and we can also use sub-pages:
We can apply this example to our real world corporate domain. The Westeros homepage can be the equivalent of a corporate website. The subpages can be seen as the homepages/wiki sites of various teams or business units in the company.
Creating the wordlist
Let’s use CeWL to create our tailored wordlist. We’re going to start building our basic command:
cewl -m 5 -d 1 --lowercase <<URL>>
This uses the following options:
- Depth of 1: we don’t want to follow all of the links due to time constraints
- Minimum word length of 5 (I know the password character minimum is 12, but we will visit this again in step 3)
- Output everything in lowercase (again, this will become clear in step 3)
Running this against https://awoiaf.westeros.org/index.php/Westeros already gives us some tailored output:
However, depending on the site that we’re scraping, there can be non ASCII characters, which can cause issues:
To solve this, it is best to pipe the output of CeWL through grep with a regex that keeps only lines made up entirely of ASCII letters. This output can then be appended to our custom_password_list.txt file:
cewl -m 5 -d 1 --lowercase <<URL>> | grep -E '^[A-Za-z]+$' >> custom_password_list.txt
We can now run this over all of our URLs, each time adding the results to our custom word list.
The last step we can take is to remove any duplicate entries from our file using awk:
awk '!seen[$0]++' custom_password_list.txt > temp && mv temp custom_password_list.txt
Step 3: Use Lil Pwny to enhance this list
We’ve now got a text file containing tailored words and phrases that users in our domain might be using for their passwords. In this last step, we’re going to use the custom password list enhancement feature of Lil Pwny 3.1.0 and above to generate some variants of our custom passwords.
How it works
When used with the --custom-enhance option, Lil Pwny takes the custom password list you provide, as well as the minimum password length, and generates more variations on the passwords you have provided with:
- Passwords with common ‘leetspeak’ substitutions (e.g. P@ssw0rd)
- Uppercase versions of the password, and uppercase first characters (e.g. PASSWORD, Password)
- Passwords with common special characters appended or prepended (e.g. password!, !password)
- Passwords padded with common alphanumeric characters, special characters and repetitions of themselves to make them meet a given minimum length (e.g. password123!, !passwordabc, passwordpassword). You pass your desired minimum password length to Lil Pwny when selecting the custom list enhancement option.
- Passwords with dates appended starting from the year 1950 up to 10 years from today’s date (e.g. password1950, password2034)
This list is then used to audit against your AD hashes.
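To make the expansion rules above concrete, here is an added example (my own illustration, not Lil Pwny’s code) that applies the same five kinds of variation to one custom-list entry and keeps only candidates that meet the minimum length. The leetspeak table, special-character set and padding blocks are constructed for illustration; Lil Pwny’s own tables may differ.

```python
import datetime
import itertools

# Constructed tables for illustration; Lil Pwny's real tables may differ.
LEET = {"a": ["@", "4"], "e": ["3"], "i": ["1"], "o": ["0"], "s": ["$", "5"]}
SPECIALS = ["!", "?", "@", "#"]
PAD_BLOCKS = ["123", "abc"]

def leet_variants(word):
    """Every combination of the substitutions above (includes the original).
    The count grows with the number of substitutable letters in the word."""
    slots = [[ch] + LEET.get(ch.lower(), []) for ch in word]
    return {"".join(p) for p in itertools.product(*slots)}

def case_variants(word):
    """Original, all-uppercase, and uppercase-first-character forms."""
    return {word, word.upper(), word[:1].upper() + word[1:]}

def special_variants(word):
    """Common special characters appended or prepended."""
    return {s + word for s in SPECIALS} | {word + s for s in SPECIALS}

def padded_variants(word, min_len):
    """Pad with alphanumeric blocks, specials, or self-repetition until the
    candidate reaches min_len; a word already long enough is returned as-is."""
    out = set()
    for block in PAD_BLOCKS + SPECIALS + [word]:
        for prefix in (True, False):
            cand = word
            while len(cand) < min_len:
                cand = block + cand if prefix else cand + block
            out.add(cand)
    return out

def year_variants(word, start=1950, horizon=10):
    """Years from 1950 up to `horizon` years after today, appended."""
    last = datetime.date.today().year + horizon
    return {f"{word}{y}" for y in range(start, last + 1)}

def enhance(word, min_len):
    """Expand one custom-list entry into its variant set, keeping only
    candidates that satisfy the domain's minimum password length."""
    bases = set()
    for leet in leet_variants(word):
        bases |= case_variants(leet)
    out = year_variants(word)
    for base in bases:
        for cand in special_variants(base) | {base}:
            out |= padded_variants(cand, min_len)
    return {c for c in out if len(c) >= min_len}

if __name__ == "__main__":
    print(len(enhance("targaryen", 12)), "variants of 'targaryen' at length 12")
```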
Applying this in practice
Let’s run Lil Pwny with the wordlist we’ve generated. Our minimum password length is 12, so we’ll use --custom-enhance 12:
lil-pwny -ad .\ad_ntlm_hashes.txt -hibp .\hibp_ntlm_hashes.txt -c .\custom_password_list.txt --custom-enhance 12 -d
Lil Pwny goes through our custom password list and creates variants for each entry. The number of variants will vary based on the length of the password and the number of characters in it that have ‘leetspeak’ substitutions.
We can see matches for passwords that have been generated from the basic words in our list: Targ4ry3n? and T@rg@ry3n! from the word targaryen, and winteriscoming2024 from winteriscoming.
Conclusion
We’ve seen how, by starting off with a standard list based on context-specific phrases related to your company, and then using tools like CeWL and functionality built into Lil Pwny, you can create a really rich custom password list to audit against your Active Directory accounts.
This gives you the best chance of finding as many weak and easily guessable passwords in your domain as possible, before the bad guys do (if you can find them, so can they!). The good news is, by using the same tools and techniques, we can find them and action them first. Make sure you follow up on the findings of running Lil Pwny by educating users on good password management, and getting weak passwords rotated ASAP.
For more information on Lil Pwny, check out the GitHub repository, or you can read the other articles I’ve written about Lil Pwny and AD password auditing in general here.