Penetration Testing mailing list archives
RE: policy-based password cracker
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Sat, 3 Dec 2005 14:34:27 -0500
I don't think the issue here is saving time....it is testing policy compliance. If the policy stats minimum of 6, then test anything with 5. If it states that it has to also have one number and one letter, then test all pure alpha or pure numeric....etc. -----Original Message----- From: Password Crackers, Inc. [mailto:pwcrack () pwcrack com] Sent: Friday, December 02, 2005 11:54 AM To: pen-test () securityfocus com Subject: RE: policy-based password cracker Depending upon the specific policies, you may not save a significant amount of time by limiting the brute-force attack. For instance, consider a policy that required at least one upper, one lower and one number in all passwords. Let's first assume that the possible character set for passwords is upper/lower/number. For four character passwords, 19% of the possible password checks can be eliminated due to the policy. For five character passwords, only 9% would be eliminated and the percentage would continue to drop as the length increases. If the possible character set included upper/lower/number/special characters, the policy would only eliminate 3% of the possible 4 character passwords and 1% of the possible 5 character passwords. Since the vast majority of the time for a brute-force attack is spent on the largest length checked and since the number of tests that can be eliminated due to the policy declines with length, I suspect that limiting the brute-force attack due to policy might only be worthwhile for some highly specific policies. Also, most brute-force attacks are very fast. One would need to test the speed of eliminating a password vs. the speed of testing a password. If you needed code to determine whether a password passed the policy, the overhead of this code on all passwords might eliminate any savings vs. just testing all of the passwords. This would have to be benchmarked on a case-by-case and policy-by-policy basis. Obviously, if the password testing is against a remote server/resource and the testing is slow, then the savings of not testing even a small number of passwords would more than make up for the overhead in the code. However, brute-force attacks against remote and slow servers is not very practical to begin with. Bob Weiss Password Crackers, Inc. -----Original Message----- From: Chris Costantino [mailto:clckct () yahoo com] Sent: Thursday, December 01, 2005 12:50 PM To: pen-test () securityfocus com Subject: policy-based password cracker Hi all, I am looking for a brute-force password cracker that can be configured based on password policies. For example, I am trying to audit a system that I know the security policy on (min/max pw length, complexity rules, etc) What I want is to only brute-force passwords that fit that policy. Obviously, min and max is not the issue, but I can not seem to find anything that will only test passwords that meet complexity requirements (lowercase alpha, uppercase alpha, number). Something that generates this into a rainbow table would be even better..... Anyone aware of such a tool? Thanks in advance, Chris __________________________________________ Yahoo! DSL - Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com ------------------------------------------------------------------------ ---- -- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ------------------------------------------------------------------------ ---- --- ------------------------------------------------------------------------ ------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ------------------------------------------------------------------------ ------- **DISCLAIMER This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business. ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- policy-based password cracker Chris Costantino (Dec 01)
- Re: policy-based password cracker Rembrandt (Dec 01)
- Re: policy-based password cracker thomas springer (Dec 02)
- Re: policy-based password cracker Thierry Zoller (Dec 02)
- Re: policy-based password cracker David Cravshaw (Dec 03)
- RE: policy-based password cracker Password Crackers, Inc. (Dec 03)
- <Possible follow-ups>
- RE: policy-based password cracker Miguel Dilaj (Dec 03)
- RE: policy-based password cracker Shenk, Jerry A (Dec 04)