Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Windows Account Password Guessing with WinScanX

From: Reed Arvin <reedarvin () gmail com>
Date: Mon, 4 Jan 2010 21:27:13 -0700
Original article:
http://windowsaudit.com/winscanx/windows-account-password-guessing-with-winscanx/
WinScanX download (free): http://windowsaudit.com/
Watch the video: http://www.youtube.com/watch?v=i9ZI7A-IpDw

One of the most dangerous things you can do with WinScanX is lockout a
Windows account password using the Guess Windows Passwords option
recklessly. The account lockout threshold value should always be taken
into consideration before attempting to guess Windows account
passwords.


Prerequisites to Windows account password guessing:

For Windows account password guessing to occur you must have a list of
valid user accounts from the remote host to guess passwords against.
When WinScanX enumerates these user accounts they are stored in a file
in the UserCache directory named <hostname>.users. There are three
different options WinScanX can use to generate user cache files for
Windows password guessing, all of which are safe:

- Get User Information
- Get User Information via RA Bypass
- Guess SNMP Community Strings

If the appropriate options are selected, WinScanX will attempt to
enumerate a list of valid user account the normal way, using a
Restrict Anonymous bypass method, or by guessing a valid SNMP
community string (if the SNMP service is available).


Review the account lockout threshold:

It is very important to review the account lockout threshold on the
remote host before performing Windows account password checking. Run
WinScanX with the Get Account Policy Info option selected to retrieve
the account lockout threshold. Machines where accounts do not lockout
are the safest to guess passwords against.


Review the dictionary.input file:

The dictionary.input file is the file that lists the passwords that
will be attempted for each valid Windows account. By default there are
two passwords attempted for each Windows account:

<lcusername> – the username in lowercase
<blank> – a blank or null password

Feel free to add as many passwords to this file as you wish. A
password of “password” is also common. Remember that every password in
this list will be attempted against every valid Windows account.


Initiating Windows account password guessing:

If you’ve obtained a user cache file from the remote host and verified
that you’re comfortable with the account lockout threshold set on the
remote host, then you are ready to start the Windows account password
guessing process. Select the Guess Windows Passwords option in the
WinScanX GUI and click Start Scan.

When the scan is complete, check the Reports folder for the
GuessedWindowsPasswords.txt file. You may also want to review the
ConnectErrorLog.txt file to ensure you have not accidentally locked
out any Windows account passwords.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: