Penetration Testing mailing list archives
Re: Password Cracking Service on Domain Controllers
From: "bkml" <bkml () att net>
Date: Fri, 10 Oct 2003 09:11:11 -0500
Jeff, I haven't used it, but have kept my eye on it for the last few years. It certainly sounds like a decent solution if you want more control over password complexity during user selection. I don't think it is a service (just my understanding, not definite). They probably just wrote an extension to the msgina.dll so they could support additional complexity checking. If that was the case, there is probably no way for someone to know this change was made unless the password change dialog window is significantly different. Here's a link to another modified gina: http://ntsecurity.nu/toolbox/ - See StrongPass, not FakeGINA. ;) ---- Bruce K. Marshall - bruce_marshall () ins com - 913-484-7233 International Network Services (INS) - Kansas City "The knowledge behind the network." ----- Original Message ----- From: "Jeff Bollinger" <jeff01 () email unc edu> To: <pen-test () securityfocus com> Sent: Thursday, October 09, 2003 7:34 AM Subject: Password Cracking Service on Domain Controllers
Has anyone ever used Avatier's Password Bouncer? http://www.avatier.com/products/PasswordBouncer/ It seems to be a service you can install on a domain controller that will actively check user passwords and prevent them from entering weak ones. It's supposedly much stricter than the built-in password policies and passfilt.dll.# Reject passwords that contain common words using a 300,000-word
English wordlist.
# Reject passwords that contain common names using a 4,000-word proper
name wordlist.
# Reject passwords that contain specific names or phrases using a custom
wordlist that includes wildcard support.
# Enforce the use of upper and lower case characters (mixed case). # Enforce the use and position of special characters. # Enforce the use and position of numeric characters. # Reject passwords that contain palindromes (i.e. radar or bob). # Enforce password length, minimum, and maximum. # Reject passwords with repeating sequences.This is more of an administration/preventative tool rather than an active cracking tool like l0phtcrack, but I'm wondering if anyone knows how well this tool works, or if there are others like it that can be installed as a service/daemon? Is it possible to determine remotely if this service is running? Thanks, Jeff
--------------------------------------------------------------------------- Tired of constantly searching the web for the latest exploits? Tired of using 300 different tools to do one job? Get CORE IMPACT and get some rest. www.coresecurity.com/promos/sf_ept2 ----------------------------------------------------------------------------
Current thread:
- Password Cracking Service on Domain Controllers Jeff Bollinger (Oct 09)
- Re: Password Cracking Service on Domain Controllers bkml (Oct 10)