Penetration Testing mailing list archives

RE: password auditing


From: "John Perea" <JPerea () contegosecurity com>
Date: Tue, 17 Nov 2009 09:00:40 -0500

If you trust your network and the setup on your JtR box then go ahead,
else go offline, since it contains sensitive data (potentially cracked
passwords); that box is like a pot of gold if someone breaks into it.

The only concern I guess is that if you have an Account Lockout Policy
(I hope you have one =) ), then it might DOS the users and will be a pain
in the butt. So plan wisely. Also, if you're monitoring logs for
password cracking, then you will be seeing a lot of logs; schedule it
well. =)
 
Oh, also make sure you have at least written permission to do this via
email or paper, so at least you have a "Get Out Of Jail Free Card".

Good luck and have fun!
Cheers!

PGP: 53F2 AC13 E1C8 AC0A 165B  17A8 704A F916 82D3 F612

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Derek Robson
Sent: Tuesday, November 17, 2009 1:43 AM
To: pen-test () securityfocus com
Subject: password auditing

I have been asked by my manager to set up a password audit.

I plan on using john-the-ripper (unix passwords).
The basic idea is that we want a list of users that have weak
passwords; gut feeling is that a large number of staff have an old
default password.

We intend to just hit it with a 200K word dictionary and see what we
get.


The next step is to run this every month and email users that have weak
passwords asking them to "please change your password".


The question is about the security we set up around the box we run JtR
on and the data we find.
Should this be done on a non-networked box?
Could this be done on a secure networked box, one that only a few
(about 7) trusted staff have login for?

Any other tips?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------




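As an added example (not code from either post), a small Python helper that turns `john --show` output into the monthly notification list Derek describes while keeping the cracked passwords themselves out of the emails, which is the data-handling concern John raises. It assumes JtR was run against an unshadow-style passwd file, so `--show` prints `user:password:uid:gid:gecos:home:shell` records followed by a "N password hashes cracked, M left" summary; the sample output below is constructed.

```python
"""Build the monthly "please change your password" list from `john --show`
output without copying the cracked passwords into the notifications."""
import re

# Constructed sample of `john --show` output (not real audit data).
SAMPLE_SHOW_OUTPUT = """\
alice:Welcome1:1001:1001:Alice Example:/home/alice:/bin/bash
bob:pass:word:1002:1002:Bob Example:/home/bob:/bin/sh
carol:Welcome1:1003:1003::/home/carol:/bin/bash

3 password hashes cracked, 12 left
"""

SUMMARY_RE = re.compile(r"^(\d+) password hashes? cracked, (\d+) left$")


def parse_john_show(text):
    """Return ({user: cracked_password}, (cracked, left)).

    A cracked password may itself contain ':', so each record is split once
    from the left (username) and five times from the right (uid..shell).
    """
    cracked, counts = {}, (0, 0)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts = (int(m.group(1)), int(m.group(2)))
            continue
        user, rest = line.split(":", 1)
        cracked[user] = rest.rsplit(":", 5)[0]
    return cracked, counts


def shared_password_groups(cracked):
    """Groups of users sharing one cracked password: a cheap signal for the
    'old default password' hunch. Returns only usernames, never the password."""
    by_pw = {}
    for user, pw in cracked.items():
        by_pw.setdefault(pw, []).append(user)
    return sorted(sorted(u) for u in by_pw.values() if len(u) > 1)


def notification_text(user):
    """Body of the reminder mail. Deliberately carries no password."""
    return (f"Hi {user},\n\nYour current password was found by our routine "
            "password audit. Please change your password.\n")


def weak_password_users(text):
    """Sorted usernames to notify this month."""
    return sorted(parse_john_show(text)[0])
```

Keep the parsed `cracked` mapping on the audit box only; the notification list and mail bodies are the only artefacts that need to leave it.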
