Legitimate Pentest Tool or a Hacker's Weapon? DonPwner — A New Active Directory Hacking Tool
The open-source utility has sparked heated debates among security professionals.
A new tool called DonPwner has been published in the public domain. It's a utility for analyzing credentials and automating attacks on role-based Active Directory infrastructures, built upon the DonPAPI database and designed to facilitate authorized testing tasks. The tool is aimed at performing mass password checks with controlled delays, generating targeted dictionaries from the database, and comparing data with credential dumps. This makes the project useful for security auditors while simultaneously highlighting the dual-use problems of such solutions.
The repository contains scripts for extracting lists, integration modules for NetExec (formerly CrackMapExec), and helper commands for safe password "spraying" with delay and jitter parameters, which help reduce the risk of account lockouts and lower the visibility of the activity. Notable features include the automatic removal of successfully authenticated accounts from subsequent rounds and an option to compare hashes from secretsdump to check for matches with found secrets.
The project is distributed under a non-commercial license requiring attribution and restricting commercial use—the author explicitly states the necessity of obtaining permissions before using the tool in external networks. The documentation authors emphasize the educational and testing purpose of the code and warn about the legal consequences of misuse.
Its publication has sparked a discussion about the balance between the usefulness of such tools for pentesters and the risk of their use by malicious actors. Therefore, security teams advise closely monitoring access to such repositories and using these tools strictly within authorized frameworks.
DonPwner remains an example of dual-use software—simultaneously a tool for improving network resilience and a potential vector for abuse if the license requirements and rules of use are ignored.
