Penetration Testing mailing list archives

RE: Password Cracking Issues


From: "THOMAS, DEDRIC (ATTCLSMA)" <dt7089 () att com>
Date: Tue, 29 Dec 2009 11:06:18 -0600

Hey,

Ethically, you should notify them of the fact that they need to strengthen
their Account Management Policies.  You can have them change the password,
and then go forth with your pen-testing.  It would benefit both parties:
they know they can trust you to tell them the right thing, instead of faking
your way through a password hack, even though you know the password.

Just my two cents....

Dedric

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of JAE HO JANG
Sent: Thursday, December 17, 2009 10:08 AM
To: pen-test () securityfocus com
Subject: Password Cracking Issues

Hi,

I am doing pen-testing of our customer's FW, a NetScreen.
But I installed this FW and also set the password a few months ago, so I already knew
the password (they haven't changed it).
In this case, what is the best thing to do?
Just proceed with the password cracking, then report to them that I managed to find the
password?
Or skip password cracking and then advise them to reinforce the password policy?

Please advise.
Thanks in advance.

Regards,
Tony

