Penetration Testing mailing list archives
RE: password auditing
From: "John Perea" <JPerea () contegosecurity com>
Date: Tue, 17 Nov 2009 09:00:40 -0500
If you trust your network and the setup on your JtR box, then go ahead; else go offline, since it contains sensitive data (potentially cracked passwords). That box is like a pot of gold if someone breaks into it.

The only concern, I guess, is that if you have an Account Lockout Policy (I hope you have one =) ), then it might DOS the users and will be a pain in the butt. So plan wisely. Also, if you're monitoring logs for password cracking, then you will be seeing a lot of logs; schedule it well. =)

Oh, also make sure you have at least written permission to do this, via email or paper, so at least you have a "Get Out Of Jail Free Card".

Good luck and have fun!

Cheers!

PGP: 53F2 AC13 E1C8 AC0A 165B 17A8 704A F916 82D3 F612

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Derek Robson
Sent: Tuesday, November 17, 2009 1:43 AM
To: pen-test () securityfocus com
Subject: password auditing

I have been asked by my manager to set up a password audit.

I plan on using john-the-ripper (unix passwords). The basic idea is that we want a list of users that have weak passwords; gut feeling is that a large number of staff have an old default password.

We intend to just hit it with a 200K word dictionary and see what we get.

The next step is to run this every month and email users that have weak passwords asking them to "please change your password".

The question is about the security we set up around the box we run JtR on and the data we find.

Should this be done on a non-networked box?

Could this be done on a secure networked box, one that only a few (about 7) trusted staff have login for?

Any other tips?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Current thread:
- password auditing Derek Robson (Nov 17)
- Re: password auditing James Bensley (Nov 17)
- RE: password auditing McGhee, Eddie (Nov 17)
- Re: password auditing Kevin L. Shaw, CISSP, GCIH (Nov 17)
- RE: password auditing Harris, Michael C. (Nov 17)
- Re: password auditing Tracy Reed (Nov 17)
- RE: password auditing John Perea (Nov 17)
- Re: password auditing Robert Portvliet (Nov 17)
- Re: password auditing Robert Portvliet (Nov 17)
- Message not available
- Re: password auditing Robert Portvliet (Nov 17)
- Message not available
- RE: password auditing Bakshi, Narinder (FIN) (Nov 17)
- Re: password auditing Meta Junkie (Nov 17)
- Re: password auditing Ross Del Duca (Nov 17)
- Re: password auditing Haris Pilton (Nov 17)
- Re: password auditing R. DuFresne (Nov 17)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing JoePete (Nov 19)
- Re: password auditing Derek Robson (Nov 17)