RE: Password Audit tools

["Jarmon, Don R" <Don.Jarmon () Intergraph com>]

This is one of my favorite tool suites: http://www.oxid.it/cain.html.  There
are several good articles related to using Pass phases instead of passwords.

Don Jarmon
CISSP, SCSE, SCP
Sr. Technical Consultant, Solutions Group
Intergraph Corporation (NASDAQ:INGR)
Mail Stop 17C1
170 Graphics Drive, Madison, AL 35758 USA
P 1.256.730.2366 F 1.256.730.4145
Don.Jarmon(at)Intergraph.com, solutions.intergraph.com

-----Original Message-----
From: Dan Connelly [mailto:connellyd () gmail com] 
Sent: Tuesday, December 14, 2004 6:25 AM
To: Jeffrey M. Miller CISSP
Cc: pen-test () securityfocus com
Subject: Re: Password Audit tools

Internet Scanner does a good job of enumerating accounts on a Windows
Domain(using netbios and null sessions) but if you tried to brute
force/dictionary every account that it found the scan would take a
VERY long time to complete.  If you are trying to pw crack through a
service (ftp,telnet,http...), use hydra otherwise use LC or John the
Ripper.
BTW, Nessus also does a good job enumerating accounts, and its free ;)
Dan




On Mon, 13 Dec 2004 19:10:29 -0600, Jeffrey M. Miller CISSP
<jmiller () acumeninfosec com> wrote:
> I've used Internet Security Scanner from ISS and really like it's
> ability to pull users from NT domains and test common passwords, such
> as username=password, password=password, etc.
>
> I've considered purchasing the consultant version of l0phtcrack LC5.
>
> Has anyone used LC5 and can anyone compare it to ISS?  Also are there
> any OpenSource tools that can do these sorts of checks?
>
> Thanks
>
> J_