Penetration Testing mailing list archives

RE: password auditing

From: "McGhee, Eddie" <Eddie.McGhee () ncr com>
Date: Tue, 17 Nov 2009 08:57:33 -0500

I would 100% do this on a non networked machine, not worth the risk to loose every user/pass combo you manage to crack. 

In theory it obviously could be done on a network machine but if it is not needed then don't do it. If you have a 
genuine reason to need to be able to do it while the machine is networked by all means go ahead but lock the shit out 
of it and don't give access to anyone to it but yourself, 7 trusted employees is 6 too many imo. 

It only takes one person to screw everyone.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Derek Robson
Sent: 17 November 2009 06:43
To: pen-test () securityfocus com
Subject: password auditing

I have been asked by my manager to setup a password audit.

I plan on using john-the-ripper (unix passwords) the basic idea is that we want a list of users that have weak 
passwords, gut feeling is that a large number of staff have an old default password.

we intend to just hit it with a 200K word dictionary, and see what we get.


the next step is run this every month and email users that have weak passwords asking them to "please change your 
password"


the question is about the security we setup around the box we run JtR on and the data we find.
should this be done on a non-networked box?
could this be done on an secure networked box, one that only a few (about 7) trusted staff have login for?

any other tips?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Current thread:

password auditing Derek Robson (Nov 17)
- Re: password auditing James Bensley (Nov 17)
- RE: password auditing McGhee, Eddie (Nov 17)
  - Re: password auditing Kevin L. Shaw, CISSP, GCIH (Nov 17)
  - RE: password auditing Harris, Michael C. (Nov 17)
    - Re: password auditing Tracy Reed (Nov 17)
- RE: password auditing John Perea (Nov 17)
  - Re: password auditing Robert Portvliet (Nov 17)
- Re: password auditing Robert Portvliet (Nov 17)
  - Message not available
    - Re: password auditing Robert Portvliet (Nov 17)
- RE: password auditing Bakshi, Narinder (FIN) (Nov 17)
- Re: password auditing Meta Junkie (Nov 17)
- Re: password auditing Ross Del Duca (Nov 17)

(Thread continues...)