Skip to content
Script to output stats around weak passwords and password re-use from an NtdsAudit (pwdump) file
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


pwdumpstats is a python script to generate statistics from a pwdump file, including around the use of duplicate passwords. It can also read passwords cracked using John the Ripper or hashcat, to show the most common weak passwords in use.

Although it will work with any pwdump file (or even a simpler username:hash file), it is best used with the output of NtdsAudit, which will allow it to output more stats, such as those related to inactive and administrative accounts.

Comments and pull requests are welcome.


pwdumpstats will try and find John's pot file (which contains the cracked passwords) by looking in the $JOHN environment variable. If this isn't set, you can manually pass the pot file to it with --pot. It also supports pot files in from hashcat, and potentially other tools as long as they use the same formatting.

usage: [options] <pwdumpfile>

optional arguments:
  -h, --help                            Show help text
  -f FILTER_FILE, --filter FILTER_FILE  Filter users
  -H, --history                         Include password history hashes
  -s, --show                            Show full password re-use output
  -a, --admins                          List admins
  -A, --cracked-admins                  List cracked admin accounts
  -n, --noncomplex                      List users with non-complex passwords
  -E, --empty                           List users with empty passwords
  -c, --cracked                         Only print cracked hashes
  -d, --domain                          Print domains
  -D, --disabled                        Include disabled accounts
  -p POT_FILE, --pot POT_FILE           Specify pot file (john or hashcat format)
  -m, --mask                            Mask passwords and hashes in output
  -l, --lm                              Show accounts with LM hashes

Example Output

$ pwdump.txt

# Statistics #

Users:                  7359
LM Hashes (current):    360 (4.89%)
LM Hashes (history):    0
History hashes:         0
Total hashes:           7359

Cracked passwords:      5857 (79.59%)
Non-complex passwords:  494 (6.71%)
Empty passwords:        0

Duplicate passwords:    1509 (20.51%)
Highest duplicate:      167 (2.27%)
Top 20 passwords:       747 (10.15%)

Username as password:   23 (0.31%)

Total admin accounts:   99
Cracked admin passwords 68 (68.69%)
Administrators:         99
Domain Admins:          61

Top 20 hashes

310     64F12CDDAA88057E06A81B54E73B949B        Password1
131     30C3F921B4A69289FE7E752E0E3BAEAB        Monday10
49      31D6CFE0D16AE931B73C59D7E0C089C0        [empty]
38      DA7A992199887B5652528077CDD049CC        October2017
35      A4258E2B5D7D7FBB04531A89177B5E22        November2017
You can’t perform that action at this time.