Security Basics mailing list archives

[Fwd: Re: Auditing Active Directory Passwords]


From: Patrick Hendrick <phendrick () gmail com>
Date: Thu, 07 Feb 2008 10:36:19 -0500

Let's try this again to the list and see if gmail will cooperate...

I would recommend using pwdump to pull the hashes and then you have
several options. On the insecure.org site you can
still get access to the LC5 software, or use Ophcrack or Cain and Abel.
All very good tools, but I prefer LC5 - still think it does the best job
for our requirements.

Just my two cents... good luck.

On Feb 6, 2008 5:53 PM, Jesse Rink <jesse-rink () wi rr com> wrote:

    I have used Cain and Abel and also arpspoof along with kerbsniff and
    kerbcrack for this in audit situations. Email me offline if you are
    interested.

    JR

    -----Original Message-----
    From: listbounce () securityfocus com
    [mailto:listbounce () securityfocus com] On
    Behalf Of k7.fantr () gmail com
    Sent: Wednesday, February 06, 2008 4:23 PM
    To: security-basics () securityfocus com
    Subject: Auditing Active Directory Passwords

    I am looking for advice for auditing the password strength of
    passwords in Active Directory. I have used l0phtcrack and other such
    tools in the past against local accounts (SAM and System files) but I
    do not know what to use for Active Directory.

    I do not want to brute force and lock out everyone's accounts, so I
    would prefer an off-line audit.

    I have domain admin credentials.

    I am trying to build a case to turn on complexity requirements by
    showing the fact that people do not voluntarily follow the password
    policy (big shock to us, but not to the executive management).

    Any tools that would work in this capacity would be greatly
    appreciated, especially open source or low cost ones.
