Lil Pwny Rides Again: Streamline Your Active Directory Password Audits with the New 3.2.0 Update

I’m excited to announce the release of Lil Pwny 3.2.0, featuring powerful new enhancements to the Active Directory password auditing tool. This update brings significant improvements and new features.

Following NIST’s recommendation in Section 5.1.1.2 of their Digital Identity Guidelines, Lil Pwny allows you to audit NTLM hashes from your Active Directory domain against the entire Have I Been Pwned (HIBP) password dataset, without sending your sensitive data offsite or through an API.

Check out the latest features and updates in Lil Pwny 3.2.0 below.

New stdout output

ASCII art makes applications better, that’s just science…

Stdout output has had a facelift to make it easier to read, and just nicer in general. It's now colourised (plus 100% more ASCII art).

Other aspects of logging have been improved too: results are returned as they are discovered instead of at the end, and there is now a debug logging level.

When searching against a custom password list, the plaintext password is now returned in the output (unless the --obfuscate option has been set), so you can see which passwords are actually being used instead of just a hash.

Custom Password List Enhancement

Lil Pwny has always allowed you to supply a custom list of plaintext passwords; this lets you audit your Active Directory for accounts using passwords that are:

  • Context specific or related to your company
  • Known to be exposed internally (Example: posted in messaging services)
  • Known to be commonly used (Example: IT sets all new starters' passwords to the same value and doesn't force a password change on first login)

Lil Pwny 3.2.0 adds the functionality to enhance your custom password list by generating commonly used variants of your custom passwords. These include:

  • Passwords with common ‘leetspeak’ substitutions (e.g. P@ssw0rd)
  • Uppercase versions of the password, and uppercase first characters (e.g. PASSWORD, Password)
  • Passwords with common special characters appended or prepended (e.g. password!, !password)
  • Passwords padded with common alphanumeric characters, special characters and repetitions of themselves to make them meet a given minimum length (e.g. password123!, !passwordabc, passwordpassword); you pass your desired minimum password length to Lil Pwny when selecting the custom list enhancement option
  • Passwords with dates appended starting from the year 1950 up to 10 years from today’s date (e.g. password1950, password2034)

A custom password list of 100 plaintext passwords generates 49848660 variations (there is no exact science to the number of variations you will get, as it depends on the password length and the number of leetspeak-replaceable characters in each string).

Looking at this in practice, I've created a custom list with three words or phrases likely to be used in passwords for my Westeros AD domain:

Running this with the --custom-enhance option has created around 5.4 million variations and converted them to NTLM hashes to search against the hashes of our users. It has found a number of passwords in these variations:

The passwords Targ4ry3n?, T@rg@ry3n! and winteriscoming2024 are variants generated from the password list, and we've found some accounts using them.

This lets you find even more potentially weak passwords in your domain that can be easily guessed by malicious actors.
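As an added illustration (not Lil Pwny's own code), this Python implements the enhancement rules described above and shows why the variant count grows so quickly. The leetspeak map, special-character set and padding fillers are assumed for the example; the result is the set of plaintext variants you would then NTLM-hash for the audit.

```python
import itertools
from datetime import date

# Constructed substitution and padding sets for illustration; Lil Pwny's own lists may differ.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}
SPECIALS = "!@#$%?"
PADS = ("123", "abc", "1234")

def case_variants(word: str) -> set:
    # Original, lowercase, all-uppercase, and uppercase-first-character forms.
    return {word, word.lower(), word.upper(), word[:1].upper() + word[1:]}

def leet_variants(word: str) -> set:
    # Each leet-replaceable character is independently kept or swapped, so a word with
    # n replaceable characters yields 2**n variants (this is what drives the counts up).
    choices = [(ch, LEET[ch.lower()]) if ch.lower() in LEET else (ch,) for ch in word]
    return {"".join(combo) for combo in itertools.product(*choices)}

def year_suffixes(start: int = 1950, ahead: int = 10) -> list:
    # Years from 1950 up to ten years after today's date, as in the post.
    return [str(y) for y in range(start, date.today().year + ahead + 1)]

def pad_to_length(word: str, min_len: int) -> set:
    # Append or prepend a filler (alphanumerics, a special, or the word itself) until min_len is met.
    out = set()
    for filler in PADS + tuple(SPECIALS) + (word,):
        suffixed = prefixed = word
        while len(suffixed) < min_len:
            suffixed, prefixed = suffixed + filler, filler + prefixed
        out.update((suffixed, prefixed))
    return out

def enhance(word: str, min_len: int = 8) -> set:
    # Build the case/leet core set first, then decorate every core the way the post describes.
    cores = set().union(*(leet_variants(c) for c in case_variants(word)))
    out = set(cores)
    for core in cores:
        out |= {core + s for s in SPECIALS} | {s + core for s in SPECIALS}
        out |= {core + y for y in year_suffixes()}
        out |= pad_to_length(core, min_len)
    return out
```

Running `len(enhance("password", 12))` against a single word already gives several thousand candidates, which is why a few hundred seed words produce tens of millions of hashes to check.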

Find users with their username as their password

Robert was having problems remembering his password, so he set it to his username

Lil Pwny will now find users whose password is set to their username, or a variant of it.

It converts each user's username into the following formats:

  • All uppercase
  • All lowercase
  • Remove dot “.”
  • camelCase (e.g. johnSmith)
  • PascalCase (e.g. JohnSmith)

Then it NTLM-hashes these and audits them against the Active Directory user hashes.

These users are prime targets for account compromise. You can now find them in your domain and provide some training on better password management.
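An added example, not taken from Lil Pwny, of the username check described above: it derives the five username formats, NT-hashes them (MD4 over the UTF-16LE password, implemented in pure Python here because hashlib's md4 is frequently unavailable under OpenSSL 3) and compares them against a constructed sample of username-to-hash pairs standing in for the AD export.

```python
import struct
_M = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320); hashlib's md4 is frequently disabled under OpenSSL 3.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [  # (mixing function, additive constant, message-word order, rotation amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t, s = (a + fn(b, c, d) + x[k] + const) & _M, shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & _M, b, c
        h = [(v + w) & _M for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def ntlm(password: str) -> str:  # NT hash = MD4 over the UTF-16LE encoding, as lowercase hex
    return md4(password.encode("utf-16le")).hex()

def username_variants(username: str) -> dict:  # the formats the post lists, for 'john.smith'-style names
    parts = username.split(".")
    return {
        "upper": username.upper(),
        "lower": username.lower(),
        "no-dot": username.replace(".", ""),
        "camelCase": parts[0].lower() + "".join(p.capitalize() for p in parts[1:]),
        "PascalCase": "".join(p.capitalize() for p in parts),
    }

def audit_username_reuse(user_hashes: dict) -> list:  # (username, variant) per account reusing its name
    hits = []
    for user, nt_hex in user_hashes.items():
        for name, candidate in username_variants(user).items():
            if ntlm(candidate) == nt_hex.lower():
                hits.append((user, name))
                break  # one finding per account is enough for the report
    return hits

SAMPLE_USERS = {"robert.baratheon": ntlm("RobertBaratheon"),  # constructed dump: PascalCase of username
                "arya.stark": ntlm("arya.stark"),              # constructed: username verbatim
                "jon.snow": ntlm("winteriscoming2024")}        # constructed: unrelated password, no match
```

`audit_username_reuse(SAMPLE_USERS)` flags robert.baratheon (PascalCase) and arya.stark (lowercase) and leaves jon.snow alone; in a real run the dictionary would be populated from the IFM export.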

Filter Active Directory output

A PowerShell script has been included in the scripts/Filter-ADUsers/ directory of the repository that you can use to filter the following out of the IFM export from Active Directory:

  • Disabled accounts
  • Computer accounts

This saves you from processing accounts that aren’t useful.

Note: You will need to have Remote Server Administration Tools (RSAT) added from optional features in Windows to use the ActiveDirectory PowerShell module.

Get Lil Pwny

You can install Lil Pwny from PyPI, or from source from the GitHub repository.

If you have any issues, or ideas for future features, please raise something via GitHub.

You can read the other articles I've written about Lil Pwny and AD password auditing in general here.