RE: password auditing

["Harris, Michael C." <HarrisMC () health missouri edu>]

Make sure you have permission from the highest possible source, ISO, CIO, chairman of the board the higher the better. 
If being requested by some middle manager you should insist on a letter of permission from a higher authority to cover 
your liability.  The 'C' level executives often get quite emotional when they find out about password scans.  Avoid the 
career defining moment and get appropriate clearance ahead of time.

Do not use a networked box, period.  Do it off line, and in a locked room. Lock the console whenever the auditor does 
not have eyes on the machine, and make sure cached credentials are not allowed and disable all other accounts, only the 
account you set up for the scan can be used.  Guard this process like it is the most precious asset in the building 
because it may discover the password protecting the most precious asset in the building.

Harvest the credential file from an off line source like a back up of a domain controller or global catalog server 
assuming Microsoft domain or similar backup of the credential store if not. 

Add any known and default passwords and whatever is issued for new accounts to the front end of the pattern match so 
they are found in the first couple minutes of the scan.  It makes for good presentation when 14%, or however many 
accounts, are exposed in the first 3 minutes of the scan because they were one offs of a default password and easily 
guessable.

Watch your results more closely at the beginning and document their growth at timed intervals, how many pass discovered 
in; 1 minute, 1 hour, 1 shift (8 hours), 1 day,  3 days, 7 days, 30 days, 60 days, etc for however long you intend to 
let the process run. 

Guard your results, and any output of passwords you take off that machine, keep documented chain of custody 
documentation of the resulting passwords or else be prepared for a 'change all passwords fire drill' when the flash 
drive with the results falls out of your pocket in the parking lot. Yes, things like this happen in spite of your best 
intentions. 

Lastly, be sure to at least 3x over write the drive with random pattern after the audit is complete too.

Mike 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of McGhee, Eddie
Sent: Tuesday, November 17, 2009 7:58 AM
To: Derek Robson; pen-test () securityfocus com
Subject: RE: password auditing

I would 100% do this on a non networked machine, not worth the risk to loose every user/pass combo you manage to crack. 

In theory it obviously could be done on a network machine but if it is not needed then don't do it. If you have a 
genuine reason to need to be able to do it while the machine is networked by all means go ahead but lock the shit out 
of it and don't give access to anyone to it but yourself, 7 trusted employees is 6 too many imo. 

It only takes one person to screw everyone.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Derek Robson
Sent: 17 November 2009 06:43
To: pen-test () securityfocus com
Subject: password auditing

I have been asked by my manager to setup a password audit.

I plan on using john-the-ripper (unix passwords) the basic idea is that we want a list of users that have weak 
passwords, gut feeling is that a large number of staff have an old default password.

we intend to just hit it with a 200K word dictionary, and see what we get.


the next step is run this every month and email users that have weak passwords asking them to "please change your 
password"


the question is about the security we setup around the box we run JtR on and the data we find.
should this be done on a non-networked box?
could this be done on an secure networked box, one that only a few (about 7) trusted staff have login for?

any other tips?



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------