Security Basics mailing list archives

Re: Password assessment methodology


From: TAS <p0wnsauc3 () gmail com>
Date: Mon, 13 Aug 2012 09:38:03 +0530

It was on the list already. Entire thread available at
http://seclists.org/basics/2011/May/65

Hope that helps.

-
TAS
http://twitter.com/p0wnsauc3

-----Original Message-----
From: Jeremi Gosney <Jeremi.Gosney () motricity com>
Sender: listbounce () securityfocus com
Date: Fri, 13 May 2011 18:09:06
To: wyfr1972 () gmail com<wyfr1972 () gmail com>; Julius
K.<julius_bugs () yahoo com>;
security-basics () securityfocus com<security-basics () securityfocus com>
Subject: RE: How do you conduct a password audit?

Well of course you should have a password complexity policy, but the
point of the audit is to perform some governance to ensure the
effectiveness of the policy. Your requirements might be mixed
alphanum, length greater than 9, with at least one special character,
and you'll still have people selecting passwords like Autumn2008*. The
point of performing the audit is to ensure that your password
complexity policy is as effective as you thought it was when you
implemented it, and to ensure your users are being properly trained on
how to select strong passwords (hopefully you do some sort of
mandatory annual security training for all employees which covers this
topic.)

Management should be supportive. You don't have to phrase it any
certain way; in fact, you should be up-front about your intentions.
The typical verbiage I use is something along the lines of: "I will be
conducting a password audit of all AD accounts to test the
effectiveness of the corporate and production password complexity
policies. This will entail dumping all of our password hashes and
using common hash-cracking practices to attempt to break each hash.
The results of the audit will determine whether our policy is strong
and sufficient, or if we should adjust the policy. It will also help
identify those individuals who might need to be re-trained on
selecting strong passwords." Their response should be nothing more
than "right on, let me know how it goes."

So that said, the following is how we typically conduct our password audits.

Preparation. You will need the following:

1. Large, real-world wordlists. Probably no less than 4GB of unique
words / actual plaintexts. The RockYou wordlist is a great foundation
to build upon. Check out
http://www.skullsecurity.org/wiki/index.php/Passwords if you're low on
wordlists.

2. Rainbow tables. LM is completely compromised, so rcracki_mt with
lm_all-space#1-7 from freerainbowtables will be a major win. Up to you
if you want to get NTLM tables as well, they might not be as useful.
Ophcrack is good too, if you can afford the xp_special and/or
vista_special tables.

3. Cracking tools. You'll want pwdump6 to dump hashes from a domain
controller. For cracking the hashes, you'll want john the ripper
(jtr), oclHashcat (oclhc), oclHashcat+ (oclhc+), and maskprocessor
(mp). You'll also want a copy of PACK to help perform some analysis.
You'll also need some l33t-ass Bash scripting or Powershell skills for
manipulating wordlists and plaintext lists.

4. Hardware. The faster it is, the less time you have to wait. We use a Phenom
II X6 1090T with 4x Radeon HD 5870s. Pretty beastly for hash cracking,
and cost less than $2k to procure. If you can get budget for such a
box, it'll be worth it.

Procedure overview:

1. Dump all the hashes with pwdump6 as domain admin against domain
controller. Use some awk magic to split out the LM and NTLM hashes
from the pwdump file (some tools accept pwdump format, some don't.)

2. Kick off your rainbow table lookups, because these will take a
while. Whenever they finish, record how many hashes were in the
rainbow tables (for LM, should be all of them.)

3. Run jtr in single mode against the pwdump file. It'll run super
quick, and you'll probably be surprised how many hashes you get.

4. Run a dictionary attack against each hashtype using either oclhc+
or jtr. Record how many of the passwords were found directly in your
wordlists, as this is a great statistic.

4. Run a hybrid attack with oclhc+ using your wordlists + mangling
rules (found in the rules/ directory of oclhc+). Record how many
hashes were permutations of words in your wordlists. This is another
great statistic because most people think if they append numbers or
characters to a word or replace letters with numbers it magically
makes their password strong -- this will instantly prove them
otherwise.

5. You should have a decent amount of plaintexts now. Create a
wordlist based on all the plaintexts you have, and maybe mangle up and
transform the plaintexts a bit to expand the wordlist, then run them
back through oclhc+ with your mangling rules. This should crack most
of the *_history hashes, identifying all of those individuals who only
change one or two characters of their password when it expires.

6. Run PACK's dictstat.py against your plaintexts to generate some
statistics. Use the advanced mask statistics to start brute forcing
the most used patterns. These masks plug right into oclhc.

7. Create a .chr file for jtr based on the plaintexts you've cracked,
too, and kick off an incremental mode against all of your hashes using
this .chr file.

8. As you collect more plaintexts while your rainbow table lookups and
brute force attacks run, do some manual analysis as well. You should
be able to write your own rules file for oclhc+ based on patterns
you've identified in your plaintexts. You might also find some words
through brute force and rainbow table lookups that you didn't have in
your word list. Loop back to step 5 and repeat.

With the statistics you've collected from cracking (hashes in
dictionaries, hashes in rainbow tables, hashes that were permutations
of dictionary words, users who only change one or two characters when
their password expires, etc) plus the statistics generated from PACK,
plus with your own manual analysis of the plaintexts (including what
the most used passwords were, and what you think the weakest passwords
were that matched your complexity policy), you should be able to come
up with some pretty conclusive results. Depending on the audience, you
might want to make a PowerPoint presentation with graphs and such, or
you might just want a plain report with raw stats.

This isn't an all-inclusive methodology, but it's a good overview.
I've found this process to be quite effective.

Hope that helps!
Jeremi
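As an added illustration of the statistics steps 5 and 6 above ask for (which cracked plaintexts still satisfied the complexity policy, the hashcat-style mask counts dictstat reports, and users whose *_history entries change only one or two characters), here is a small analysis script. It is not code from this thread, from PACK or from oclHashcat; the account names and plaintexts are constructed, and the policy is the one quoted in the post.

```python
import re
from collections import Counter
from itertools import zip_longest

# Constructed sample (hypothetical): cracked plaintexts per account, oldest
# *_history entry first and the current password last.
CRACKED = {
    "alice": ["Autumn2008*", "Autumn2009*", "Autumn2010*"],
    "bob":   ["P@ssw0rd1", "P@ssw0rd2"],
    "carol": ["x7#Lq9!vRt2m"],
    "dave":  ["winter99", "Winter2011!"],
}

def meets_policy(pw):
    """The policy quoted in the post: letters and digits, length > 9, a special char."""
    return (len(pw) > 9
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def mask(pw):
    """Hashcat-style mask (?u ?l ?d ?s per character), the form dictstat reports."""
    return "".join("?u" if c.isupper() else "?l" if c.islower()
                   else "?d" if c.isdigit() else "?s" for c in pw)

def chars_changed(old, new):
    """Positions that differ between two passwords; a length difference counts."""
    return sum(1 for a, b in zip_longest(old, new) if a != b)

def history_drift(history, max_changed=2):
    """True if every expiry changed at most max_changed characters."""
    return len(history) > 1 and all(
        chars_changed(a, b) <= max_changed for a, b in zip(history, history[1:]))

def audit(cracked):
    """Summarise the cracked set the way the report in the post needs it."""
    current = {user: pws[-1] for user, pws in cracked.items()}
    return {
        # Cracked even though they satisfy the complexity policy (the Autumn2008* case).
        "cracked_despite_policy": sorted(u for u, pw in current.items() if meets_policy(pw)),
        "policy_violations": sorted(u for u, pw in current.items() if not meets_policy(pw)),
        "history_drift": sorted(u for u, pws in cracked.items() if history_drift(pws)),
        "top_masks": Counter(mask(pw) for pw in current.values()).most_common(3),
    }

if __name__ == "__main__":
    for key, value in audit(CRACKED).items():
        print(f"{key}: {value}")
```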

________________________________________
From: listbounce () securityfocus com [listbounce () securityfocus com] on
behalf of Julius K. [julius_bugs () yahoo com]
Sent: Friday, May 13, 2011 9:25 AM
To: security-basics () securityfocus com
Subject: RE: How do you conduct a password audit?

It might be very time consuming to conduct such audits. I think a better
approach is to set up a password creation policy that dictates the types of
characters that must exist in a password, and the rules governing the patterns,
e.g. do not use numbers that follow each other or passwords you have used before.

Plus couple that with a password expiration policy.
And then go have a kit kat bar! :)

But I do like the idea of a cron job scanning the shadow file.

________________________________________
From: listbounce () securityfocus com [listbounce () securityfocus com] on
behalf of wyfr1972 () gmail com [wyfr1972 () gmail com]
Sent: Friday, May 13, 2011 4:47 AM
To: security-basics () securityfocus com
Subject: How do you conduct a password audit?

Hi folks,

I have many questions on this.  I've learnt a lot from SecBasics, but
now I have a few questions of my own.  I want to carry out a password
audit for my company, but I'm not sure how to proceed.

Firstly, how do I broach the subject with management? Are there any
standards/methodologies online that I can use to back up my request to
management?

Then, how do you conduct the audit? We have a mix of devices
Windows/Solaris/Unix/Checkpoint/Cisco/network printers/etc.

How do I phase the work for best effect?  How do I present my findings?

Thanks for your advice and help in advance.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your
company and how your customers can tell if a site is secure. You will
find out how to test, purchase, install and use a thawte Digital
Certificate on your Apache web server. Throughout, best practices for
set-up are highlighted to help you ensure efficient ongoing management
of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


On 10 August 2012 22:18, Anwar Khan <anwarrhce () gmail com> wrote:
Dear List,

Only one reply so far to this query; I'm really in need of this.

Please share your expertise about what is the best approach for
password assessment in an internal VAPT.

Rgds,
Anwar

On Mon, Aug 6, 2012 at 6:58 PM, Mike S <mikeofmany () gmail com> wrote:

Don't forget comparison checks of the hashes if there is anything in
the policy about not reusing passwords. Especially between different
accounts like admin level versus daily.
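An added example (not Mike's code or any tool's) of the comparison he suggests: it reads pwdump-format lines and, without cracking anything, reports NT hashes shared between accounts, admin accounts that reuse their owner's daily password (the "-adm" naming convention is an assumption), accounts that still store an LM hash, and accounts with the empty-password hash. The sample lines are constructed.

```python
from collections import defaultdict

# Well-known sentinel values, not secrets: the LM field pwdump emits when no LM
# hash is stored, and the NT hash of the empty password.
LM_NOT_STORED = "aad3b435b51404eeaad3b435b51404ee"
NT_EMPTY_PASSWORD = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed pwdump-format sample (user:rid:lmhash:nthash:::). Apart from the
# two sentinels above, every hash below is a made-up placeholder.
SAMPLE_PWDUMP = """\
jdoe:1105:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
jdoe-adm:1106:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy01:1108:ffeeddccbbaa99887766554433221100:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
asmith:1109:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
"""

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) from pwdump-style lines, skipping malformed ones."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[3]:
            yield parts[0], parts[1], parts[2].lower(), parts[3].lower()

def reuse_report(text, admin_suffix="-adm"):
    """Compare hashes only; admin_suffix is an assumed naming convention."""
    by_nt = defaultdict(list)
    lm_stored, empty_password = [], []
    for user, _rid, lm, nt in parse_pwdump(text):
        by_nt[nt].append(user)
        if lm != LM_NOT_STORED:
            lm_stored.append(user)      # legacy LM hash still stored for this account
        if nt == NT_EMPTY_PASSWORD:
            empty_password.append(user)
    # The same NT hash on two accounts means the same password, whatever it is.
    shared = {nt: sorted(users) for nt, users in by_nt.items() if len(users) > 1}
    # Admin account reusing its owner's daily password (the admin-vs-daily case).
    admin_reuse = sorted(u for users in shared.values() for u in users
                         if u.endswith(admin_suffix) and u[:-len(admin_suffix)] in users)
    return {"shared": shared, "lm_stored": lm_stored,
            "empty_password": empty_password, "admin_reuse": admin_reuse}

if __name__ == "__main__":
    for key, value in reuse_report(SAMPLE_PWDUMP).items():
        print(f"{key}: {value}")
```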



On Mon, Aug 6, 2012 at 5:35 AM, akshar kanak <akshar.kanak1 () gmail com> wrote:
Hi
  I am not an expert in pentesting, I am just giving my suggestion
and I am not sure to what extent it might be applicable. You can try
to crack the passwords using tools like "ophcrack" for Windows
and "john the ripper" for Linux to check for the strength of the
password. An internal survey can be conducted to check for the
length of the password and the special chars used by the people while they
are creating any password.

You can request the people to create a dummy password and then you can
try to break it.
It will give you an insight into how people choose their password.

thanks and regards
Akshar



On Mon, Aug 6, 2012 at 12:16 AM, Anwar Khan <anwarrhce () gmail com> wrote:
Dear All,

Please help me on doing the password assessment in internal penetration testing.
How should you do the password quality assessment according to ISSAF and OSSTMM?

I have read the document of issaf and osstm but the approach to do
that is missing in that.

Please advise.

Thanks in advance.

Rgds,
Anwar


--
Mike of Many Stories, Ideas, and Ramblings
Game Chef 2009, 2010
NaNoWriMo 2008, 2009

http://mikeofmanystories.blogspot.com/ - writings
http://mikeofmany.wordpress.com/ - personal bloggery




--
Regards,
Anwar
+91-915-806-9094
