Metasploit mailing list archives
Re: Password Audit
From: Chao Mu <chao.mu () minorcrash com>
Date: Tue, 7 Dec 2010 11:46:23 -0500
Depending on what passwords you are trying to audit, dump the hashes and crack them offline. Let John rip through all the dictionaries
I agree with Rob here. If you bruteforce online, you are going to bog down the network and (as said) potentially lock users out of their accounts. An offline attack will of course be faster; John is intelligent when it comes to cracking (NT)LM hashes, and bruteforcing SMB online is painfully slow. Do the Windows computers belong to one or more domains?

On Tue, Dec 7, 2010 at 11:24 AM, Rob Fuller <mubix () room362 com> wrote:
This really should be one of those few times to go outside of Metasploit. The SMBLogin module, depending on how many passwords you try and the threshold you set, may lock out the users.

Depending on what passwords you are trying to audit, dump the hashes and crack them offline. Let John rip through all the dictionaries that are stored on SkullSecurity [1], and then let John rip in just brute force mode for about 24 hours. The result of both of those should get you to an awesome baseline.

[1] http://www.skullsecurity.org/wiki/index.php/Passwords

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org

On Tue, Dec 7, 2010 at 9:14 AM, Peter Fraser <petros.fraser () gmail com> wrote:

Hi All,

I want to do a password audit on my network to make sure users are using fairly complex passwords. Is there a way I can do that in Metasploit? I wasn't able to find the info I needed so far, so even a link to where I can find the info would be much appreciated.

Thanks.
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework