Skip to main content

Credential validation tool for Active Directory Domain Services.

Project description

CredWolf

Credential validation tool for Active Directory Domain Services.

CI Python 3.11+ License: Apache 2.0 Docs

InstallationQuick startUsageCLI referenceDocumentationContributing

CredWolf tests username and secret combinations (passwords, NT hashes, Kerberos keys, or ticket files) against a domain controller and reports which credentials are valid. It also supports username enumeration via Kerberos to discover valid AD accounts without causing login attempts. It is designed for authorized penetration testing, red team engagements, and security audits where you need to verify whether recovered or suspected credentials are active.

Full documentation

Features

  • NTLM + Kerberos - validate credentials over SMB, LDAP, LDAPS, and Kerberos pre-authentication (UDP/TCP)
  • Every secret type - passwords, NT hashes (bare + LM:NT), RC4 keys, AES128 keys, AES256 keys, and ticket files (ccache/kirbi with auto-detection)
  • Username enumeration - discover valid AD accounts via Kerberos without triggering login failures or lockouts; ASREProastable accounts flagged automatically
  • Username case correction - when using Kerberos AES authentication, the KDC returns the correct username casing in the salt. CredWolf detects this and uses the corrected name in all output
  • 88+ credential permutations - every meaningful combination of user sources, secret sources, encryption types, and transports
  • Paired files - user:password, user:hash, and user:key files for pre-matched credential testing
  • Machine-parseable output - domain/user:secret@type format, easy to grep or pipe
  • Safety-first errors - clock skew stops execution immediately, per-user skip on unknown/revoked principals, detailed account status detection
  • Rate limiting - --delay, --jitter, and --max-lockouts to avoid triggering lockout policies
  • Validation only - no post-authentication activity by design

Supported protocols

Protocol Transport Secret types
NTLM SMB (default), LDAP, LDAPS Password, NT hash
Kerberos UDP (default), TCP Password, RC4 key, AES128 key, AES256 key, ticket (ccache/kirbi)
Username enumeration UDP (default), TCP None required

Example

Validate a recovered password against a domain controller over SMB:

$ credwolf -d evil.corp ntlm --dc-ip 10.0.0.1 -u Administrator -p 'Password1!'
[+] evil.corp/Administrator:Password1!@password

Installation

Install with uv:

uv tool install git+https://github.com/StrongWind1/CredWolf
# or, from PyPI:
uv tool install credwolf

The cw command is also installed as a shorthand for credwolf.

See the installation guide for source and Docker options.

Quick start

# Validate a password over SMB
$ credwolf -d evil.corp ntlm --dc-ip 10.0.0.1 -u Administrator -p 'Password1!'
[+] evil.corp/Administrator:Password1!@password

# Validate an NT hash (pass-the-hash)
$ credwolf -d evil.corp ntlm --dc-ip 10.0.0.1 -u Administrator --hash 7facdc498ed1680c4fd1448319a8c04f
[+] evil.corp/Administrator:7facdc498ed1680c4fd1448319a8c04f@nt_hash

# Validate an AES256 key over Kerberos (pass-the-key)
$ credwolf -d evil.corp kerberos --kdc-ip 10.0.0.1 -u Administrator --aes256-key 9b12da6a4bdc263c1ac8f6302dc071e6e84321a263fa48784534b1ae43db2925 --transport tcp
[+] evil.corp/Administrator:9b12da6a4bdc263c1ac8f6302dc071e6e84321a263fa48784534b1ae43db2925@aes256_key

# Enumerate valid usernames (no login attempts, no lockout risk)
$ credwolf -d evil.corp userenum --kdc-ip 10.0.0.1 -U users.txt
[+] evil.corp/Administrator
[+] evil.corp/svc_backup - no_preauth (ASREProastable)
[*] Enumeration complete: 2/5 users found

See the full usage guide and CLI reference for all options.

Development

git clone https://github.com/StrongWind1/CredWolf.git
cd CredWolf
uv sync                        # install dev dependencies
make check                     # run lint + typecheck + tests

See CONTRIBUTING.md for contribution guidelines.

Credits

Built on Impacket. Inspired by CrackMapExec, Kerbrute, smartbrute, and SprayHound.

Related tools

Other projects in this collection:

  • AD-SecretGen - derive AD password hashes and Kerberos keys from a password
  • NTDSWolf - offline NTDS.dit parser and credential extractor
  • KerbWolf - Kerberos roasting and hash extraction toolkit
  • Kerberos - Kerberos in Active Directory: protocol, security, and attacks

Disclaimer

CredWolf is intended for authorized penetration testing, red team engagements, and security audits only. You must have explicit written permission from the system owner before testing credentials against any Active Directory environment. Unauthorized access to computer systems is illegal. The authors are not responsible for any misuse or damage caused by this tool.

License

Apache License 2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

credwolf-1.1.0.tar.gz (1.8 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

credwolf-1.1.0-py3-none-any.whl (35.6 kB view details)

Uploaded Python 3

File details

Details for the file credwolf-1.1.0.tar.gz.

File metadata

  • Download URL: credwolf-1.1.0.tar.gz
  • Upload date:
  • Size: 1.8 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for credwolf-1.1.0.tar.gz
Algorithm Hash digest
SHA256 9a18187cf0b0e15f488f3abe8ee35efd99343182e4b8567aef0a78ea0dc7dc05
MD5 44f2b5b465f25bdaf355ec990dcfd68e
BLAKE2b-256 0970214b8bda356f39460d3b62e57b73b3c5761d305d73e5640a471f0c203797

See more details on using hashes here.

Provenance

The following attestation bundles were made for credwolf-1.1.0.tar.gz:

Publisher: publish.yml on StrongWind1/CredWolf

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file credwolf-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: credwolf-1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 35.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for credwolf-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 306beeafa878f21cba2b83f8f54272ed975b84b80e7fd64747587dea66d8ab24
MD5 99bb2d4a365dbb1c336c1e99041371bb
BLAKE2b-256 7d95df9272a7812aaa0c071ab8aa077dac282169bace060c3fe62428c51d71e6

See more details on using hashes here.

Provenance

The following attestation bundles were made for credwolf-1.1.0-py3-none-any.whl:

Publisher: publish.yml on StrongWind1/CredWolf

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page