Penetration Testing mailing list archives
RE: password auditing
From: "Harris, Michael C." <HarrisMC () health missouri edu>
Date: Tue, 17 Nov 2009 08:59:29 -0600
Make sure you have permission from the highest possible source: ISO, CIO, chairman of the board; the higher the better. If the request comes from some middle manager, you should insist on a letter of permission from a higher authority to cover your liability. The 'C' level executives often get quite emotional when they find out about password scans. Avoid the career-defining moment and get appropriate clearance ahead of time.

Do not use a networked box, period. Do it offline, and in a locked room. Lock the console whenever the auditor does not have eyes on the machine, make sure cached credentials are not allowed, and disable all other accounts so that only the account you set up for the scan can be used. Guard this process like it is the most precious asset in the building, because it may discover the password protecting the most precious asset in the building.

Harvest the credential file from an offline source, like a backup of a domain controller or global catalog server (assuming a Microsoft domain), or a similar backup of the credential store if not. Add any known and default passwords, and whatever is issued for new accounts, to the front end of the pattern match so they are found in the first couple of minutes of the scan. It makes for a good presentation when 14%, or however many accounts, are exposed in the first 3 minutes of the scan because they were one-offs of a default password and easily guessable.

Watch your results more closely at the beginning and document their growth at timed intervals: how many passwords discovered in 1 minute, 1 hour, 1 shift (8 hours), 1 day, 3 days, 7 days, 30 days, 60 days, etc., for however long you intend to let the process run.

Guard your results, and any output of passwords you take off that machine. Keep documented chain-of-custody documentation for the resulting passwords, or else be prepared for a 'change all passwords fire drill' when the flash drive with the results falls out of your pocket in the parking lot. Yes, things like this happen in spite of your best intentions.

Lastly, be sure to overwrite the drive at least 3x with a random pattern after the audit is complete, too.

Mike

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of McGhee, Eddie
Sent: Tuesday, November 17, 2009 7:58 AM
To: Derek Robson; pen-test () securityfocus com
Subject: RE: password auditing

I would 100% do this on a non-networked machine; not worth the risk to lose every user/pass combo you manage to crack. In theory it obviously could be done on a networked machine, but if it is not needed then don't do it. If you have a genuine reason to need to be able to do it while the machine is networked, by all means go ahead, but lock the shit out of it and don't give access to anyone but yourself. 7 trusted employees is 6 too many imo. It only takes one person to screw everyone.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Derek Robson
Sent: 17 November 2009 06:43
To: pen-test () securityfocus com
Subject: password auditing

I have been asked by my manager to set up a password audit. I plan on using john-the-ripper (unix passwords).

The basic idea is that we want a list of users that have weak passwords; gut feeling is that a large number of staff have an old default password. We intend to just hit it with a 200K word dictionary and see what we get.

The next step is to run this every month and email users that have weak passwords asking them to "please change your password".

The question is about the security we set up around the box we run JtR on and the data we find.

Should this be done on a non-networked box?

Could this be done on a secure networked box, one that only a few (about 7) trusted staff have login for?

Any other tips?
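The reporting side of the workflow Mike describes (defaults found first, exposure counted at timed checkpoints, passwords kept off the management report), as an added example that is not code from anyone in the thread. It assumes Unix-style `john --show` output; the show output, the default-password set and the snapshot times are constructed samples.

```python
"""Reporting helper for a John the Ripper password audit (added example).
Assumes Unix-style `john --show` output: user:password:... lines followed
by a "N password hashes cracked, M left" summary. Sample data is constructed."""
import re

# Constructed sample of `john --show` output after a short run.
SAMPLE_SHOW_OUTPUT = """\
alice:Welcome1:1001:1001::/home/alice:/bin/bash
bob:Welcome1:1002:1002::/home/bob:/bin/bash
carol:summer09:1003:1003::/home/carol:/bin/bash

3 password hashes cracked, 47 left
"""
DEFAULT_PASSWORDS = {"Welcome1", "changeme", "Password1"}  # constructed sample
# Reporting checkpoints from the post, in seconds since the run started.
CHECKPOINTS = [("1 minute", 60), ("1 hour", 3600), ("1 shift", 8 * 3600),
               ("1 day", 86400), ("3 days", 3 * 86400), ("7 days", 7 * 86400)]
SUMMARY_RE = re.compile(r"^(\d+) password hash(?:es)? cracked, (\d+) left$")

def parse_show_output(text):
    """Return ({user: password}, cracked, left) from `john --show` output."""
    exposed, cracked, left = {}, 0, 0
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            cracked, left = int(m.group(1)), int(m.group(2))
        elif ":" in line:
            user, password = line.split(":", 2)[:2]
            exposed[user] = password
    return exposed, cracked, left

def exposure_report(exposed, cracked, left, defaults=DEFAULT_PASSWORDS):
    """Management-facing summary: usernames only, never the passwords."""
    total = cracked + left
    return {
        "total_accounts": total,
        "exposed_pct": round(100.0 * cracked / total, 1) if total else 0.0,
        "still_on_default": sorted(u for u, p in exposed.items() if p in defaults),
        "exposed_users": sorted(exposed),
    }

def growth_at_checkpoints(snapshots, checkpoints=CHECKPOINTS):
    """snapshots: [(elapsed_seconds, cracked_count)] noted during the run.
    Cracked count at each checkpoint; None if the run never got that far."""
    ordered = sorted(snapshots)
    run_length = ordered[-1][0] if ordered else 0
    return {label: next((c for t, c in reversed(ordered) if t <= limit), None)
            if limit <= run_length else None for label, limit in checkpoints}
```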