Penetration Testing mailing list archives
Re: Password Auditing
From: "rajat swarup" <rajats () gmail com>
Date: Sun, 6 May 2007 16:19:42 -0400
On 5/4/07, Mike Gibson <micheal.gibson () gmail com> wrote:

> Can anyone recommend a good password auditing tool? Basically I want
> to identify weak passwords on my servers (Windows, Linux, Unix).
> Ideally this would be done by a tool that could remotely fetch the
> local password database and then attempt to brute force the passwords
> and prepare a report in a central location.
I would suggest using pwdump6 to dump the password hashes into a file for Windows XP SP2 onwards. Once you have that, you could let John the Ripper run in incremental mode (for good efficiency). John the Ripper is primarily a Unix pwd cracking util, but with the help of pwdump you can use it to crack Windows passwords.

L0pht is also good, but the best password cracking is done by rcrack (http://www.antsight.com/zsl/rainbowcrack/). However, you need to have a good set of hashes to work from. Getting that is another exercise altogether... however, one of the best sets of rainbow tables can be obtained from http://www.freewebs.com/rainbowtables/downloads.htm (alphanumeric 32 symbols LM Hashes).

Another solution is to use the Ophcrack Live CD (http://ophcrack.sourceforge.net/) if you can afford to reboot the Windows system that you want to audit. It should be able to crack alphanumeric passwords pretty quickly.

HTH,
Rajat Swarup
http://rajatswarup.blogspot.com/
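For the reporting side of the audit, a pwdump-style file can be triaged before any cracking is attempted. The following is an added example, not part of the original post or of any tool named in it: it assumes the `user:RID:LM:NT:::` line format that pwdump writes, and the sample input is constructed (only the two empty-password hash constants are real values).

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
EMPTY_LM_HALF = EMPTY_LM[:16]                  # LM hashes each 7-char half separately

# Constructed sample in pwdump format; account names and hashes are made up.
SAMPLE = """\
Administrator:500:0123456789abcdef0123456789abcdef:11111111111111111111111111111111:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
alice:1003:0123456789abcdefaad3b435b51404ee:22222222222222222222222222222222:::
bob:1004:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
svc_backup:1005:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
"""

def _norm(field, empty):
    """Lower-case a hash field; map pwdump's 'NO PASSWORD***' filler to the empty hash."""
    f = field.strip().lower()
    return empty if not f or f.startswith("no password") else f

def audit(text):
    """Return {account: [findings]} for policy problems visible without cracking."""
    findings, by_nt = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # skip banners and malformed lines
        user = parts[0]
        lm, nt = _norm(parts[2], EMPTY_LM), _norm(parts[3], EMPTY_NT)
        if nt == EMPTY_NT:
            findings[user].append("blank password")
        else:
            by_nt[nt].append(user)  # unsalted hashes: equal hash means equal password
        if lm != EMPTY_LM:
            findings[user].append("LM hash stored")
            if lm[16:] == EMPTY_LM_HALF:
                findings[user].append("password is 7 characters or fewer")
    for users in by_nt.values():
        if len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u].append("password shared with " + others)
    return dict(findings)

if __name__ == "__main__":
    for user, notes in sorted(audit(SAMPLE).items()):
        print(f"{user}: {'; '.join(notes)}")
```

Accounts flagged "LM hash stored" are the ones the LM rainbow tables mentioned above apply to; disabling LM hash storage and resetting those passwords removes that exposure.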