Shulou(Shulou.com)06/01 Report--

This article introduces the relevant knowledge of "how to install Lil-Pwny". In the operation of actual cases, many people will encounter such a dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

Lil-Pwny

Lil-Pwny is a multi-functional active directory password audit tool, which is based on Python programming language, and can help researchers to conduct security audit of active directory passwords through a variety of processing methods.

Lil-Pwny is a Python application that can perform offline security audits of NTLM hashes of user passwords and recover active Directory passwords based on previously cracked passwords (Have I Been Pwned-HIBP) by testers. As long as the user name of any account matches the one in the HIBP list, the result will be returned to a .txt file.

Extra function

Support researchers to use their own password dictionaries / lists to detect target active directory users, which will allow researchers to detect user passwords against the target organization or user they are interested in, where the tool will compare NTLM hashes, active Directory hashes, and HIBP hashes.

Return a list of accounts that use the same password, which helps researchers find users who use the same password to identify administrator accounts and standard accounts.

Lil-Pwny supports running on a high resource infrastructure to take full advantage of the multiprocessing nature of the Python language. The tool can be run on desktop-level hardware devices, and the more computing cores are used, the faster the security audit.

Tool installation

Most researchers can use pip to install Lil-Pwny:

Pip install lil-pwny tool installation

Lil-Pwny can be installed as a global command, using the following methods:

Usage: lil-pwny [- h]-hibp HIBP [- an A]-ad AD_HASHES [- d] [- m] [- o OUTPUT] optional arguments:-hibp,-- hibp-path The HIBP .txt file of NTLM hashes-a,-- a .txt file containing additional passwords to check for-ad,-- ad-hashes The NTLM hashes from of AD users-d,-- find-duplicates Output a list of duplicate password users-m -- memory Load HIBP hash list into memory (over 24GB RAM required)-o,-- out-path Set output path. The Uses working dir when not set tool uses a sample lil-pwny-hibp ~ / hibp_hashes.txt-ad ~ / ad_ntlm_hashes.txt-a ~ / additional_passwords.txt-o ~ / Desktop/Output-m-d

Use the-m option to load the HIBP hash into memory, which increases the speed of password search. Note that this feature requires the device to have at least 24GB available memory.

The first step in getting the input file: get an export backup of the IFM active directory database

Use ntdsutil on a domain controller to generate an IFM export of the active directory domain. Open the PowerShell command line window with administrator privileges and run the following command:

Ntdsutilactivate instance ntdsifmcreate full * * output path** step 2: restore the HTLM hash based on the output of the previous step

Recover the NTLM hash from the active Directory IFM data, which requires the PowerShell module DSInternals.

After installing the module, use the SYSTEM hive entry in the IFM data to recover the password hash, the data format is "user name: hash", and the recovered data will be stored in the ad_ntlm_hashes.txt file. The relevant commands are as follows:

$bootKey = Get-BootKey-SystemHivePath'.\ registry\ SYSTEM'Get-ADDBAccount-All-DBPath'.\ Active Directory\ ntds.dit'-BootKey $bootKey | Format-Custom-View HashcatNT | Out-File ad_ntlm_hashes.txt-Encoding ASCII "how to install Lil-Pwny" ends here. Thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.