Security Basics mailing list archives

Re: Using brute force to test Sendmail passwords.


From: Stefan Marx <marx.s () gmx net>
Date: 06 Sep 2003 08:34:08 +0200

Hi,

you can use crack or john (John the Ripper) to check the password file.
They will brute force the hashes and give back the used passwords, although
they take their time.

An alternative way is to use pam (Pluggable Authentication Modules) and
the module pam_cracklib. This can be configured to check the password
against any given policy, when it is entered initially or changed. Can
be a hassle even against sysadmins, when configured too paranoid ;-)

Regards,

Stefan

I'm implementing a password security policy for all mail users on a
sendmail server (redhat 7.3), and I need to know if all users DID follow
the instructions (min length = 5, not only A-Z chars, etc). My question is:
is there a way to pick the passwords file to make some brute force test,
automatically? (any tool?) (any other way to test them?)
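
Added example, not part of the original thread: once john has been run over a copy of the password file as the reply suggests, its `john --show` listing can be checked against the policy in the question. The sample listing is constructed, the colon-separated passwd-style layout is assumed, and "not only A-Z chars" is read here as "must not consist of letters only".

```python
# Added example: audit passwords recovered by `john --show` against the
# policy from the question (min length 5, not letters only).
# SAMPLE_SHOW_OUTPUT is constructed; user names and passwords are made up.

POLICY_MIN_LEN = 5

SAMPLE_SHOW_OUTPUT = """\
alice:abc:500:500:Alice:/home/alice:/bin/bash
bob:sunshine:501:501:Bob:/home/bob:/bin/bash
carol:a:b9x:502:502:Carol:/home/carol:/bin/bash
dave:Tr4ff!c:503:503:Dave:/home/dave:/bin/bash

4 password hashes cracked, 2 left
"""

def parse_show_line(line):
    """Return (user, password) from one passwd-style line, or None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 7:
        return None  # blank line or the trailing summary line
    # The last five fields are uid, gid, gecos, home, shell; a password that
    # itself contains ':' is whatever lies between the user and those fields.
    return parts[0], ":".join(parts[1:-5])

def violations(password):
    """List the policy rules this password breaks (assumed reading of the policy)."""
    found = []
    if len(password) < POLICY_MIN_LEN:
        found.append("shorter than %d characters" % POLICY_MIN_LEN)
    if password.isalpha():
        found.append("letters only")
    return found

def audit(show_output):
    """Map user -> broken rules; the password itself is never reported."""
    report = {}
    for line in show_output.splitlines():
        parsed = parse_show_line(line)
        if parsed is None:
            continue
        user, password = parsed
        report[user] = violations(password)
    return report

if __name__ == "__main__":
    for user, broken in sorted(audit(SAMPLE_SHOW_OUTPUT).items()):
        print(user, "->", "; ".join(broken) if broken else "cracked, but meets the stated rules")
```

Every user in the listing had a password that john recovered, so an empty rule list still means the account needs a new password.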


