Whittle is a versatile tool designed for refining large wordlists into more manageable and targeted subsets, ideal for password audits and security testing. Even by just whittling away passwords that don't meet Microsoft's password complexity requirements, we can cut out a lot of unnecessary compute time when hash cracking in AD environments.
- Filters passwords by minimum and maximum length
- Enforces Microsoft's Password Complexity Requirements
- Filters out passwords containing user-specific information (samAccountName and displayName) - see the above link.
- Verbose output for detailed processing information
- Efficient processing suitable for large wordlists like rockyou.txt
```bash
python whittle.py -c -w /path/to/wordlist.txt -o /path/to/output.txt
python whittle.py -m 8 -M 12 -w /path/to/wordlist.txt -o /path/to/output.txt
```
Enforce Microsoft's password complexity requirements, and also reject passwords containing the samAccountName or displayName of a target:

```bash
python whittle.py -c --sam-account jdoe --display-name "John Doe" -w /path/to/wordlist.txt -o /path/to/output.txt
```
```bash
python whittle.py -v -w /path/to/wordlist.txt -o /path/to/output.txt
```

With no output file, the filtered wordlist is written to stdout. Verbose statistics go to stderr, so the output can be piped or redirected:

```bash
python whittle.py -c -v -w /path/to/wordlist.txt | some-other-command
```
```text
usage: whittle.py [-h] [-m MINIMUM_LENGTH] [-M MAXIMUM_LENGTH] [-c] [--sam-account SAM_ACCOUNT [SAM_ACCOUNT ...]]
                  [--display-name DISPLAY_NAME [DISPLAY_NAME ...]] -w WORDLIST [-o OUTPUT] [-v] [-t THREADS]
                  [--encoding ENCODING]
```
```text
A tool to refine big wordlists - because sometimes less is more.

options:
  -h, --help            show this help message and exit
  -m, --minimum-length MINIMUM_LENGTH
                        Minimum password length (default: 7)
  -M, --maximum-length MAXIMUM_LENGTH
                        Maximum password length
  -c, --complexity-check
                        Enforce Microsoft's password complexity requirements
  --sam-account SAM_ACCOUNT [SAM_ACCOUNT ...]
                        User samAccountName(s) if known
  --display-name DISPLAY_NAME [DISPLAY_NAME ...]
                        Windows display name(s) if known
  -w, --wordlist WORDLIST
                        Path to wordlist
  -o, --output OUTPUT   Path for processed wordlist - prints to stdout by default
  -v, --verbose         Increase output verbosity
  -t, --threads THREADS
                        Number of processing threads (default: CPU core count)
  --encoding ENCODING   Force specific character encoding (e.g., utf-8, latin1)
```
Whittle is designed with speed and efficiency in mind, as it is intended for large wordlists. Computationally inexpensive checks such as password length limits are applied first; in practice, length is also the most common reason a candidate is rejected, so most entries are discarded before the more expensive checks run.
Current testing showed efficient processing of rockyou.txt on a system with 64GB DDR5 and a Ryzen 9 7950X3D:
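The filter rules listed in the feature list and the check ordering described above, as an added reference implementation (not Whittle's own code): it applies the length bounds first, then Microsoft's "3 of 5 character categories" rule and the samAccountName/displayName containment rules, so a defender can validate a candidate password policy or spot-check the tool's output. The sample wordlist is constructed for the example.

```python
import re

# Delimiters Microsoft uses to split displayName into tokens for the
# "must not contain the user's name" test; tokens under 3 chars are skipped.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")

def _name_tokens(display_name):
    return [t.lower() for t in _NAME_DELIMITERS.split(display_name) if len(t) >= 3]

def category_count(password):
    """How many of Microsoft's five character categories the password uses."""
    def cat(ch):
        if "0" <= ch <= "9": return "digit"
        if ch.isupper(): return "upper"
        if ch.islower(): return "lower"
        if ch.isalpha(): return "other"   # caseless letters, e.g. CJK or Arabic
        return "special"                  # any non-alphanumeric character
    return len({cat(ch) for ch in password})

def meets_complexity(password, sam_accounts=(), display_names=(), min_length=7):
    """True if the password satisfies the complexity policy for these users."""
    if len(password) < min_length:
        return False
    lowered = password.lower()
    # samAccountName is matched whole, and only when it is 3+ characters long
    if any(len(s) >= 3 and s.lower() in lowered for s in sam_accounts):
        return False
    if any(t in lowered for n in display_names for t in _name_tokens(n)):
        return False
    return category_count(password) >= 3

def whittle(words, min_length=7, max_length=None, complexity=False,
            sam_accounts=(), display_names=()):
    """Return the candidates that survive the filters, cheapest checks first."""
    kept = []
    for raw in words:
        pw = raw.rstrip("\r\n")
        if len(pw) < min_length or (max_length is not None and len(pw) > max_length):
            continue  # length is the cheapest test and rejects the most
        if complexity and not meets_complexity(pw, sam_accounts, display_names, min_length):
            continue
        kept.append(pw)
    return kept

# Constructed sample wordlist (not real leaked data)
SAMPLE_WORDLIST = ["password", "Password1", "jdoe2024!", "Doe!Summer1",
                   "Winter2024", "Ab1!", "Sunshine-Rain-2025-Extra"]
```

Running `whittle(SAMPLE_WORDLIST, min_length=6, max_length=12, complexity=True, sam_accounts=["jdoe"], display_names=["John Doe"])` mirrors the `-m 6 -M 12 -c --sam-account --display-name` invocation and keeps only `Password1` and `Winter2024`.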
```text
python whittle.py -w rockyou.txt -m 6 -M 12 -c -v -o filtered.txt
Using character encoding: utf-8
Using 32 threads with chunk size of 100000
Passwords processed: 14344391/14344391 (100.0%) | Memory: 35.5MB (Peak: 43.0MB)
Total Passwords Processed: 14344391
Passwords Accepted: 780469
Passwords Rejected: 13563922
Processing Time: 6.38 seconds
Peak Memory Usage: 43.0MB
Output File: filtered.txt
New File Size: 7.31MB
```
```bash
git clone https://github.com/hzoid/whittle.git
```

Install the required Python module using the requirements.txt file:

```bash
pip3 install -r requirements.txt
```
