Security Basics mailing list archives
Re: Password assessment methodology
From: TAS <p0wnsauc3 () gmail com>
Date: Mon, 13 Aug 2012 09:38:03 +0530
It was on the list already. Entire thread available at http://seclists.org/basics/2011/May/65 Hope that helps. - TAS http://twitter.com/p0wnsauc3 -----Original Message----- From: Jeremi Gosney <Jeremi.Gosney () motricity com> Sender: listbounce () securityfocus com Date: Fri, 13 May 2011 18:09:06 To: wyfr1972 () gmail com<wyfr1972 () gmail com>; Julius K.<julius_bugs () yahoo com>; security-basics () securityfocus com<security-basics () securityfocus com> Subject: RE: How do you conduct a password audit? Well of course you should have a password complexity policy, but the point of the audit is to perform some governance to ensure the effectiveness of the policy. Your requirements might be mixed alphanum, length greater than 9, with at least one special character, and you'll still have people selecting passwords like Autumn2008*. The point of performing the audit is to ensure that your password complexity policy is as effective as you thought it was when you implemented it, and to ensure your users are being properly trained on how to select strong passwords (hopefully you do some sort of mandatory annual security training for all employees which covers this topic.) Management should be supportive. You don't have to phrase it any certain way; in fact, you should be up-front about your intentions. The typical verbage I use is something along the lines of: "I will be conducting a password audit of all AD accounts to test the effectiveness of the corporate and production password complexity policies. This will entail dumping all of our password hashes and using common hash-cracking practices to attempt to break each hash. The results of the audit will determine whether our policy is strong and sufficient, or if we should adjust the policy. It will also help identify those individuals who might need to be re-trained on selecting strong passwords." Their response should be nothing more than "right on, let me know how it goes." So that said, the following is how we typically conduct our password audits. Preparation. You will need the following: 1. Large, real-world wordlists. Probably no less than 4GB of unique words / actual plaintexts. The RockYou wordlist is a great foundation to build upon. Check out http://www.skullsecurity.org/wiki/index.php/Passwords if you're low on wordlists. 2. Rainbow tables. LM is completely compromised, so rcracki_mt with lm_all-space#1-7 from freerainbowtables will be a major win. Up to you if you want to get NTLM tables as well, they might not be as useful. Ophcrack is good too, if you can afford the xp_special and/or vista_special tables. 3. Cracking tools. You'll want pwdump6 to dump hashes from a domain controller. For cracking the hashes, you'll want john the ripper (jtr), oclHashcat (oclhc), oclHashcat+ (oclhc+), and maskprocessor (mp). You'll also want a copy of PACK to help perform some analysis. You'll also need some l33t-ass Bash scripting or Powershell skills for manipulating wordlists and plaintext lists. 4. Hardware. Faster it is, less time you have to wait. We use a Phenom II X6 1090T with 4x Radeon HD 5870s. Pretty beastly for hash cracking, and cost less than $2k to procure. If you can get budget for such a box, it'll be worth it. Procedure overview: 1. Dump all the hashes with pwdump6 as domain admin against domain controller. Use some awk magic to split out the LM and NTLM hashes from the pwdump file (some tools accept pdwump format, some don't.) 2. Kick off your rainbow table lookups, because these will take a while. Whenever they finish, record how many hashes were in the rainbow tables (for LM, should be all of them.) 3. Run jtr in single mode against the pwdump file. It'll run super quick, and you'll probably be surprised how many hashes you get. 4. Run a dictionary attack against each hashtype using either oclhc+ or jtr. Record how many of the passwords were found directly in your wordlists, as this is a great statistic. 4. Run a hybrid attack with oclhc+ using your wordlists + mangling rules (found in the rules/ directory of oclhc+). Record how many hashes were permutations of words in your wordlists. This is another great statistic because most people think if they append numbers or characters to a word or replace letters with numbers it magically makes their password strong -- this will instantly prove them otherwise. 5. You should have a decent amount of plaintexts now. Create a wordlist based on all the plaintexts you have, and maybe mangle up and transform the plaintexts a bit to expand the wordlist, then run them back through oclhc+ with your mangling rules. This should crack most of the *_history hashes, identifying all of those individuals who only change one or two characters of their password when it expires. 6. Run PACK's dictstat.py against your plaintexts to generate some statistics. Use the advanced mask statistics to start brute forcing the most used patterns. These masks plug right into oclhc. 7. Create a .chr file for jtr based on the plaintexts you've cracked, too, and kick off an incremental mode against all of your hashes using this .chr file. 8. As you collect more plaintexts while your rainbow table lookups and brute force attacks run, do some manual analysis as well. You should be able to write your own rules file for oclhc+ based on patterns you've identified in your plaintexts. You might also find some words through brute force and rainbow table lookups that you didn't have in your word list. Loop back to step 5 and repeat. With the statistics you've collected from cracking (hashes in dictionaries, hashes in rainbow tables, hashes that were permutations of dictionary words, users who only change one or two characters when their password expires, etc) plus the statistics generated from PACK, plus with your own manual analysis of the plaintexts (including what the most used passwords were, and what you think the weakest passwords were that matched your complexity policy), you should be able to come up with some pretty conclusive results. Depending on the audience, you might want to make a PowerPoint presentation with graphs and such, or you might just want a plain report with raw stats. This isn't an all-inclusive methodology, but it's a good overview. I've found this process to be quite effective. Hope that helps! Jeremi ________________________________________ From: listbounce () securityfocus com [listbounce () securityfocus com] on behalf of Julius K. [julius_bugs () yahoo com] Sent: Friday, May 13, 2011 9:25 AM To: security-basics () securityfocus com Subject: RE: How do you conduct a password audit? It might be very time consuming to conduct such audits. I think a better approach is to set up a password creation policy that dictates the types of characters that must exist in a password, and the rules governing the patterns, e.g. do not use numbers that follow each other or passwords u have used before. Plus couple that with a password expiration policy. And then go have a kit kat bar! :) But I do like the idea of a cron job scanning the shadow file. ________________________________________ From: listbounce () securityfocus com [listbounce () securityfocus com] on behalf of wyfr1972 () gmail com [wyfr1972 () gmail com] Sent: Friday, May 13, 2011 4:47 AM To: security-basics () securityfocus com Subject: How do you conduct a password audit? Hi folks, I have many questions on this. I've learnt a lot from SecBasics, but now I have a few questions of my own. I want to carry out a password audit for my company, but I'm not sure how to proceed. Firstly, how do I broach the subject with management? Are there are standards/methodologies online that I can use to back up my request to management? Then, how do you conduct the audit? We have a mix of devices Windows/Solaris/Unix/Checkpoint/Cisco/network printers/etc. How do I phase the work for best effect? How do I present my findings? Thanks for your advice and help in advance. ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------ ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 On 10 August 2012 22:18, Anwar Khan <anwarrhce () gmail com> wrote:
Dear List, only one reply so far to this query, I'm really in need of this. Please share your expertise about what is the best approach for password assessment in an internal VAPT. Rgds, Anwar On Mon, Aug 6, 2012 at 6:58 PM, Mike S <mikeofmany () gmail com> wrote:Don't forget comparison checks of the hashes if there is anything in the policy about not reusing passwords. Especially between different accounts like admin level versus daily. On Mon, Aug 6, 2012 at 5:35 AM, akshar kanak <akshar.kanak1 () gmail com> wrote:Hi I am not an expert in pentesting , i am just giving my suggestion and i am not sure to waht extent it might be applicable . you can try to crack the passwords using the tools like "ophcrack" for windows and "john the ripper " for linux to check for the strength of the password . An internal survey can be conducted to check for the length of the password , special chars used by the people while they are creating any password . you can request the people to create dummy password and then you can try to break it . it will give you an insight into how people choose their password . thanks and regards Akshar On Mon, Aug 6, 2012 at 12:16 AM, Anwar Khan <anwarrhce () gmail com> wrote:Dear All, Please help me on doing the password assessment in internal penetration testing. how you should do the password quality assessment according issaf and osstm. I have read the document of issaf and osstm but the approach to do that is missing in that. Please advice. Thanks in advance. Rgds, Anwar ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 -------------------------------------------------------------------------- Mike of Many Stories, Ideas, and Ramblings Game Chef 2009, 2010 NaNoWriMo 2008, 2009 http://mikeofmanystories.blogspot.com/ - writings http://mikeofmany.wordpress.com/ - personal bloggery-- Regards, Anwar +91-915-806-9094 ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Password assessment methodology Anwar Khan (Aug 06)
- Re: Password assessment methodology akshar kanak (Aug 06)
- Re: Password assessment methodology Mike S (Aug 06)
- Re: Password assessment methodology Anwar Khan (Aug 10)
- Re: Password assessment methodology TAS (Aug 13)
- Re: Password assessment methodology Mike S (Aug 06)
- Re: Password assessment methodology akshar kanak (Aug 06)