Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Password Cracking Service on Domain Controllers

From: "bkml" <bkml () att net>
Date: Fri, 10 Oct 2003 09:11:11 -0500
Jeff,

I haven't used it, but have kept my eye on it for the last few years.  It
certainly sounds like a decent solution if you want more control over
password complexity during user selection.

I don't think it is a service (just my understanding, not definite).  They
probably just wrote an extension to the msgina.dll so they could support
additional complexity checking.  If that was the case, there is probably no
way for someone to know this change was made unless the password change
dialog window is significantly different.

Here's a link to another modified gina:
http://ntsecurity.nu/toolbox/ - See StrongPass, not FakeGINA. ;)

---- 
Bruce K. Marshall - bruce_marshall () ins com - 913-484-7233
      International Network Services (INS) - Kansas City

              "The knowledge behind the network."

----- Original Message ----- 
From: "Jeff Bollinger" <jeff01 () email unc edu>
To: <pen-test () securityfocus com>
Sent: Thursday, October 09, 2003 7:34 AM
Subject: Password Cracking Service on Domain Controllers



Has anyone ever used Avatier's Password Bouncer?

http://www.avatier.com/products/PasswordBouncer/

It seems to be a service you can install on a domain controller that
will actively check user passwords and prevent them from entering weak
ones.  It's supposedly much stricter than the built-in password policies
and passfilt.dll.


# Reject passwords that contain common words using a 300,000-word

English wordlist.

# Reject passwords that contain common names using a 4,000-word proper

name wordlist.

# Reject passwords that contain specific names or phrases using a custom

wordlist that includes wildcard support.

# Enforce the use of upper and lower case characters (mixed case).
# Enforce the use and position of special characters.
# Enforce the use and position of numeric characters.
# Reject passwords that contain palindromes (i.e. radar or bob).
# Enforce password length, minimum, and maximum.
# Reject passwords with repeating sequences.



This is more of an administration/preventative tool rather than an
active cracking tool like l0phtcrack, but I'm wondering if anyone knows
how well this tool works, or if there are others like it that can be
installed as a service/daemon?  Is it possible to determine remotely if
this service is running?

Thanks,
Jeff



---------------------------------------------------------------------------
Tired of constantly searching the web for the latest exploits?
Tired of using 300 different tools to do one job?
Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: