Penetration Testing mailing list archives

Re: password auditing


From: Ross Del Duca <delducra () mac com>
Date: Tue, 17 Nov 2009 07:56:50 -0800

This was routine, quarterly practice at a previous employer.  My solution to address the security implications was to 
modify John the Ripper to *NOT* display the discovered passwords.  I wasn't really interested in the passwords 
themselves - just some relative comparison of "crackability."  Thus my audit's output was just a list of usernames.  
With this list, password changes were enforced for the select users, and a follow-up audit was performed only on this 
list.

Ross Del Duca
Help me ride to find a cure for diabetes!
Visit my page at http://main.diabetes.org/goto/RossDelDuca
Or my team's page at http://main.diabetes.org/goto/TeamRedSacramento

 
On Monday, November 16, 2009, at 10:43PM, "Derek Robson" <robsonde () gmail com> wrote:
I have been asked by my manager to set up a password audit.

I plan on using john-the-ripper (unix passwords)
the basic idea is that we want a list of users that have weak
passwords, gut feeling is that a large number of staff have an old
default password.

we intend to just hit it with a 200K word dictionary, and see what we get.


the next step is to run this every month and email users that have weak
passwords asking them to "please change your password"


the question is about the security we set up around the box we run JtR
on and the data we find.
should this be done on a non-networked box?
could this be done on a secure networked box, one that only a few
(about 7) trusted staff have login for?

any other tips?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------
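The usernames-only report Ross describes can also be produced without patching John at all, by post-processing its `--show` output. The following is an added example written for this thread, not code from either poster or from the John the Ripper project; it assumes the `--show` line format `user:cleartext:remaining-passwd-fields` and the trailing `N password hashes cracked, M left` summary, and the sample data it embeds is constructed. It drops the cleartext field on the spot, keeps only the cracked/left counts for the "crackability" comparison, and builds the trimmed input for the follow-up audit on just the flagged users.

```python
#!/usr/bin/env python3
"""Usernames-only audit report from John the Ripper '--show' output.
Hypothetical helper for this thread, not part of John. Assumes the '--show'
line format user:cleartext:remaining-passwd-fields plus a trailing summary
line such as '3 password hashes cracked, 9 left'. Cleartext is dropped on the spot."""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample of what `john --show unshadowed.txt` prints (not real data).
SAMPLE_SHOW_OUTPUT = """\
alice:Welcome1:1001:1001:Alice:/home/alice:/bin/bash
bob:Welcome1:1002:1002:Bob:/home/bob:/bin/bash
carol:pa:ss:1003:1003:Carol:/home/carol:/bin/sh
3 password hashes cracked, 9 left
"""

# Constructed sample of the unshadowed file given to John (hashes are placeholders).
SAMPLE_UNSHADOWED = """\
alice:$6$PLACEHOLDER_HASH_A:1001:1001:Alice:/home/alice:/bin/bash
bob:$6$PLACEHOLDER_HASH_B:1002:1002:Bob:/home/bob:/bin/bash
carol:$6$PLACEHOLDER_HASH_C:1003:1003:Carol:/home/carol:/bin/sh
dave:$6$PLACEHOLDER_HASH_D:1004:1004:Dave:/home/dave:/bin/bash
"""

SUMMARY_RE = re.compile(r"^(\d+) password hash(?:es)? cracked, (\d+) left")

def cracked_usernames(show_output: str) -> List[str]:
    """Usernames John marked as cracked, deduplicated and sorted; cleartext is never kept."""
    users = set()
    for line in show_output.splitlines():
        if not line.strip() or SUMMARY_RE.match(line):
            continue
        # Split once: a username cannot contain ':' but a password can.
        users.add(line.split(":", 1)[0])
    return sorted(users)

def summary_counts(show_output: str) -> Optional[Tuple[int, int]]:
    """(cracked, left) from the summary line: the relative 'crackability' figure."""
    for line in show_output.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None

def follow_up_input(unshadowed: str, users: Iterable[str]) -> str:
    """Keep only the flagged users' lines, so the follow-up audit runs on that list alone."""
    wanted = set(users)
    keep = [l for l in unshadowed.splitlines() if l.split(":", 1)[0] in wanted]
    return "\n".join(keep) + ("\n" if keep else "")
```

In practice the `--show` output would be piped straight into `cracked_usernames` on the audit box, so the plaintext list is never written to disk and only the username list and the counts leave that host.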
