Using Lil Pwny – Part 2: Running Lil Pwny and Assessing the Output

This post is partially out of date, and should be read in combination with the version 2.0.0 release notes

Now that we have our data from Active Directory, it is time to use Lil Pwny to audit the passwords.

Getting Ready

Installing Lil Pwny is simple from PyPI:

pip install lil-pwny

It can also be built from source; the files are on GitHub: https://github.com/PaperMtn/lil-pwny/releases

Finally, you’re going to need the list of NTLM hashes from Have I Been Pwned to compare against. You can get this here: https://haveibeenpwned.com/Passwords

Make sure you download the NTLM format hashes; it doesn’t matter how they are ordered. Also, make sure you have disk space, as this file is big (over 20GB once extracted). If you’re only downloading it now, it’s probably a good time to get a coffee.

Running Lil Pwny

Once installed, Lil Pwny can be run as a global command from the terminal. Usage is as below:

usage: lil-pwny [-h] -hibp HIBP [-a A] -ad AD_HASHES [-d] [-m] [-o OUTPUT]

optional arguments:
  -hibp, --hibp-path    The HIBP .txt file of NTLM hashes
  -a, --a               .txt file containing additional passwords to check for
  -ad, --ad-hashes      The NTLM hashes from of AD users
  -d, --find-duplicates Output a list of duplicate password users
  -m, --memory          Load HIBP hash list into memory (over 24GB RAM
                        required)
  -o, --out-path        Set output path. Uses working dir when not set

The two required flags are -hibp and -ad. These are the paths to the HIBP file and to the list of NTLM hashes from your AD environment respectively.

The rest of the flags are optional:

-a – The path for a .txt file containing additional passwords you want to check for

-d – select whether you want to look for users using the same passwords (duplicates) in your AD output.

-m – Whether you want to load the HIBP hash list into memory. This allows the search to run much quicker, but you will need over 24GB of spare memory. Without this flag, the file is read from disk each time it is queried.

-o – Give a path for where you want the output .txt files to be stored. If this isn’t set, the working directory you are currently in is used.

This is what the full command to run Lil Pwny could look like:

lil-pwny -hibp ~/hibp_hashes.txt -ad ~/ad_ntlm_hashes.txt -a ~/additional_pwds.txt -o ~/Desktop/Output -m -d
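To make concrete what the three checks behind -hibp, -a and -d do, here is an added Python example (not Lil Pwny’s own code): it computes NTLM hashes for the additional-password list, matches the AD hashes against a HIBP-style HASH:count file, and reports accounts that share a hash. The “user:hash” AD line format and the sample data are assumptions made for this example.

```python
import struct
from collections import defaultdict

def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); avoids depending on OpenSSL's legacy provider."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1
                f, k, s, t = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:  # round 2
                f, k, s, t = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3
                f, k, s, t = b ^ c ^ d, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a = (a + f + x[k] + t) & 0xFFFFFFFF
            a, b, c, d = d, ((a << s) | (a >> (32 - s))) & 0xFFFFFFFF, b, c
        a, b, c, d = ((v + w) & 0xFFFFFFFF for v, w in zip((a, b, c, d), (aa, bb, cc, dd)))
    return struct.pack("<4I", a, b, c, d)

def ntlm(password: str) -> str:
    """NTLM hash = MD4 over the UTF-16LE password; upper-case hex like the HIBP file."""
    return _md4(password.encode("utf-16-le")).hex().upper()

def audit(ad_lines, hibp_lines, extra_passwords):
    """Mirror the -hibp, -a and -d checks. Assumed formats: AD 'user:hash', HIBP 'HASH:count'."""
    hibp = {line.split(":", 1)[0].strip().upper() for line in hibp_lines if line.strip()}
    custom = {ntlm(p): p for p in extra_passwords}        # plaintext guesses -> NTLM
    by_hash = defaultdict(list)                           # NTLM hash -> users holding it
    for line in ad_lines:
        if ":" in line:
            user, h = line.strip().split(":", 1)
            by_hash[h.upper()].append(user)
    hibp_matches = sorted(u for h, users in by_hash.items() if h in hibp for u in users)
    custom_matches = sorted((u, custom[h]) for h, users in by_hash.items() if h in custom for u in users)
    duplicates = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return hibp_matches, custom_matches, duplicates

# Constructed sample data (not real Westeros Inc output). 8846F7... is the known NTLM of "password".
SAMPLE_AD = ["robert.baratheon:8846F7EAEE8FB117AD06BDD830B7586C", "robert.baratheon.adm:8846F7EAEE8FB117AD06BDD830B7586C",
             f"ned.stark:{ntlm('WinterIsComing1')}", f"arya.stark:{ntlm('Needle-Valar-2019')}"]
SAMPLE_HIBP = ["8846F7EAEE8FB117AD06BDD830B7586C:12345", "31D6CFE0D16AE931B73C59D7E0C089C0:999"]
SAMPLE_EXTRA = ["WinterIsComing1", "Westeros2020"]

if __name__ == "__main__":
    print(audit(SAMPLE_AD, SAMPLE_HIBP, SAMPLE_EXTRA))
```

Running it prints the three result lists for the sample: two HIBP matches (both Robert Baratheon accounts), one custom-list match (ned.stark) and one duplicate group.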

An Example

Let’s look at an example from a test Active Directory dataset: Westeros Inc.

Each user in Westeros Inc has an account in the domain. Administrators (Lords of each of the Seven Kingdoms) have separate administrative accounts for carrying out admin duties in their areas. Westeros Inc tries to follow best practice, after all.

I’ve got the NTLM password hashes for the users in the Westeros domain:

I also suspect that some of Westeros Inc’s users may be using insecure passwords related to the company, which may not be in the HIBP list. So I have created the following file with some passwords of my own to search for:

Finally, I have downloaded the list of HIBP passwords and extracted it. Now it is time to run Lil Pwny:

lil-pwny -hibp ~/hibp_hashes.txt -ad ~/ad_ntlm_hashes.txt -a ~/additional_pwds.txt -d

As well as the passwords matching HIBP, I also want to see the ones matching my custom input list, as well as accounts using duplicate passwords.

Let’s have a look at the output files:

Users matching HIBP
Users matching the additional passwords I entered that were specific to Westeros Inc
Users who are using the same passwords as each other

From this we can see that there are 9 users whose passwords have been compromised before and are in the HIBP list, including two admin accounts.

A further two users have matched the easily guessable additional passwords I entered.

Finally, there are some users who are sharing passwords.

From here we can see some clear actions that need to be taken. Robert Baratheon is using the same password for his admin and non-admin account, and this password is also known to be compromised, as it is in the HIBP list. Addressing this with him is probably the highest priority.

The additional users who have matched HIBP passwords should be alerted and advised to change their passwords, as well as the users who are using easily guessable passwords.

Where do we go from here?

Hopefully Lil Pwny will give you some insight into the strength of passwords being used on your domain.

This data, however, is only useful if you do something with it. Auditing passwords with Lil Pwny needs to be combined with making the users who have HIBP-listed, weak or duplicate passwords aware of it.

Of course, this could (and should) be automated. I have found great success in automating this whole process, from data collection to auditing, to happen every month. Emails are then automatically sent to affected users using a Jinja2 HTML email template.