Re: Highlighting weak password dangers

[Kenton Smith <listsks () yahoo ca>]

Don't use something that actually tries to login to the account, that's counter productive. Use something like John the 
Ripper that uses the SAM database. Use a dictionary or hybrid attack and fill your custom dictionary with all the 
passwords that aren't allowed based on your password policy. You do have a password policy, right?

Searching for weak passwords should take no time at all. There is no reason for using brute-force for policy 
compliance. As soon as you start brute-forcing you are trying to hack user accounts and I suspect that would be against 
your security policy.

Kenton

----- Original Message ----
From: WALI <hkhasgiwale () gmail com>
To: security-basics () securityfocus com
Sent: Wednesday, January 24, 2007 10:15:46 AM
Subject: Highlighting weak password dangers



I want to highlight the danger of using weak passwords on servers and users 
admin desktops. I have tested TSgrinder with a basic dictionary Brute Force 
to access Remote Desktop exploit on both servers and desktops. The problem 
here is that when connected to domain, the Account Lockout feature disables 
the account quite soon. I can only show the exploit on machines not 
connected to the domain where Domain Security policy doesn't flow down.

What are other interesting and intriguing ways to present this problem? I 
also need a system to do Passwords Audit on my domain and make then 'secure 
password' policy compliance.





__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com