Penetration Testing mailing list archives
Re: password auditing
From: Robert Portvliet <robert.portvliet () gmail com>
Date: Tue, 17 Nov 2009 10:54:36 -0500
I definitely agree regarding enforcing password complexity rules, but he wants to crack Unix passwords, so rainbow tables will be of no use due to salts being in use.

In regards to John's default cracking behavior, it goes as follows (from http://www.openwall.com/john/doc/EXAMPLES.shtml):

    2. Now, let's assume you've got a password file, "mypasswd", and want to
    crack it. The simplest way is to let John use its default order of
    cracking modes:

        john mypasswd

    This will try "single crack" mode first, then use a wordlist with rules,
    and finally go for "incremental" mode. Please refer to MODES
    (http://www.openwall.com/john/doc/MODES.shtml) for more information on
    these modes.

On Tue, Nov 17, 2009 at 10:32 AM, Matt Gardenghi <mtgarden () gmail com> wrote:

> Well, for starters, I would just enable password complexity and solve the problem. If you want to actually crack them once or twice (at least to demonstrate the threat), I would simply dump the passwords from AD. Still, one user is all that is necessary, though two working together would grant accountability.
>
> JtR starts with the password list and then switches to brute force. Add all cracked passwords to your list for the future. But I would just grab rainbow tables..... Much faster.
>
> End of the day, not sure why you would crack passwords. Enable complexity up front.
>
> Matt
>
> On Tue, Nov 17, 2009 at 8:20 AM, Robert Portvliet <robert.portvliet () gmail com> wrote:
>
>> Yes, you could do this on an isolated box, no need to be on the network...
>>
>> If you're going to do this on a monthly basis, I would take the cracked passwords from each session (found in the john.pot file) and add them to your wordlist for the next month (guard that with your life); make sure to delete the john.pot file after every cracking session.
>>
>> Make sure you get written permission from your manager to do password cracking; you may be violating company policy otherwise.
>>
>> On Tue, Nov 17, 2009 at 1:43 AM, Derek Robson <robsonde () gmail com> wrote:
>>
>>> I have been asked by my manager to set up a password audit. I plan on using john-the-ripper (unix passwords).
>>>
>>> The basic idea is that we want a list of users that have weak passwords; gut feeling is that a large number of staff have an old default password. We intend to just hit it with a 200K word dictionary and see what we get.
>>>
>>> The next step is to run this every month and email users that have weak passwords asking them to "please change your password".
>>>
>>> The question is about the security we set up around the box we run JtR on and the data we find. Should this be done on a non-networked box? Could this be done on a secure networked box, one that only a few (about 7) trusted staff have login for? Any other tips?
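The thread makes two practical points that are easy to see in code: per-user salts make a precomputed (rainbow) table useless against Unix password hashes, so a dictionary check has to be re-hashed once per salt, and the passwords recovered in one monthly run should be folded into the next run's wordlist. The following is an added illustration written for this archive page, not code from John the Ripper or from any poster. It uses a toy SHA-256 stand-in for crypt(3), a constructed four-word "dictionary" in place of the 200K-word list, and constructed shadow-style records; the function names are assumptions.

```python
import hashlib
from typing import Dict, List, Tuple

# Toy stand-in for crypt(3): SHA-256 over salt || password. This is an
# assumption for illustration only; real Unix hashes use crypt/sha512crypt etc.
def salted_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Hash with no salt: what a rainbow table would be built against.
def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed wordlist (standing in for the 200K-word dictionary in the thread).
WORDLIST: List[str] = ["welcome1", "password", "changeme", "letmein"]

# Constructed shadow-style records: (username, salt, salted hash).
# alice and bob share the "old default password"; each has a different salt.
SHADOW: List[Tuple[str, str, str]] = [
    ("alice", "Ab", salted_hash("Ab", "changeme")),
    ("bob",   "Cd", salted_hash("Cd", "changeme")),
    ("carol", "Ef", salted_hash("Ef", "r7!Qz#9vLp")),  # not in the wordlist
]

def build_precomputed_table(words: List[str]) -> Dict[str, str]:
    """Rainbow-table-style lookup keyed on the unsalted hash of each word."""
    return {unsalted_hash(w): w for w in words}

def lookup_precomputed(table: Dict[str, str],
                       shadow: List[Tuple[str, str, str]]) -> List[str]:
    """Try the precomputed table against salted hashes. Because every stored
    hash depends on its salt, none of them appear in the table."""
    return [user for user, _salt, h in shadow if h in table]

def dictionary_audit(shadow: List[Tuple[str, str, str]],
                     words: List[str]) -> Tuple[List[str], List[str]]:
    """Per-salt dictionary check, the work John's wordlist mode has to do.
    Returns (users with a weak password, the matching passwords)."""
    weak_users: List[str] = []
    cracked: List[str] = []
    for user, salt, h in shadow:
        for w in words:
            if salted_hash(salt, w) == h:   # re-hash the word under THIS user's salt
                weak_users.append(user)
                cracked.append(w)
                break
    return weak_users, cracked

def merge_into_wordlist(words: List[str], cracked: List[str]) -> List[str]:
    """Fold this month's recovered passwords into next month's list,
    deduplicated and with the original order kept."""
    seen = set(words)
    merged = list(words)
    for p in cracked:
        if p not in seen:
            seen.add(p)
            merged.append(p)
    return merged

def hash_work(shadow: List[Tuple[str, str, str]], words: List[str]) -> int:
    """Hash computations a per-salt audit needs in the worst case: one per
    (distinct salt, word) pair. With unsalted hashes it would be len(words)."""
    distinct_salts = {salt for _u, salt, _h in shadow}
    return len(distinct_salts) * len(words)

if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    print("precomputed-table hits:", lookup_precomputed(table, SHADOW))
    users, found = dictionary_audit(SHADOW, WORDLIST)
    print("users to notify:", users)
    print("next month's wordlist:", merge_into_wordlist(WORDLIST, found))
    print("hash computations needed:", hash_work(SHADOW, WORDLIST))
```

The audit output is the list of usernames (not their passwords) to email, and the recovered words are the only thing worth carrying forward into the next run; the recovered list is the sensitive artifact the thread says to guard and, in John's case, to remove from john.pot once it has been merged.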
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------