Penetration Testing mailing list archives

Re: password auditing

From: Robert Portvliet <robert.portvliet () gmail com>
Date: Tue, 17 Nov 2009 10:54:36 -0500

I definitely agree regarding enforcing password complexity rules, but
he wants to crack Unix passwords so rainbow tables will be of no use
due to salts being in use.

In regards to John's default cracking behavior, it goes as follows
(from http://www.openwall.com/john/doc/EXAMPLES.shtml)


2. Now, let's assume you've got a password file, "mypasswd", and want
to crack it. The simplest way is to let John use its default order of
cracking modes:

        john mypasswd

This will try "single crack" mode first, then use a wordlist with
rules, and finally go for "incremental" mode. Please refer to MODES
(http://www.openwall.com/john/doc/MODES.shtml) for more information on
these modes.





On Tue, Nov 17, 2009 at 10:32 AM, Matt Gardenghi <mtgarden () gmail com> wrote:

Well, for starters, I would just enable password complexity and solve the
problem.  If you want to actually crack them once or twice (at least to
demonstrate the threat), I would simply dump the passwords from AD.  Still,
one user is all that is necessary, though two working together would grant
accountability.

JtR starts with the password list and then switches to brute force.  Add all
cracked passwords to your list for the future.  But I would just grab a
rainbow tables.....  Much faster.

End of the day, not sure why you would crack passwords.  Enable complexity
up front.

Matt

On Tue, Nov 17, 2009 at 8:20 AM, Robert Portvliet
<robert.portvliet () gmail com> wrote:


Yes, you could do this on an isolated box, no need to be on the network...

If you're going to do this on a monthly basis, I would take the
cracked passwords from each session (found in the john.pot file) and
add them to your wordlist for the next month (guard that with your
life), make sure to delete the john.pot file after every cracking
session.

Make sure you get written permission from your manager to do password
cracking, you may be violating company policy otherwise.






On Tue, Nov 17, 2009 at 1:43 AM, Derek Robson <robsonde () gmail com> wrote:

I have been asked by my manager to setup a password audit.

I plan on using john-the-ripper (unix passwords)
the basic idea is that we want a list of users that have weak
passwords, gut feeling is that a large number of staff have an old
default password.

we intend to just hit it with a 200K word dictionary, and see what we
get.


the next step is run this every month and email users that have weak
passwords asking them to "please change your password"


the question is about the security we setup around the box we run JtR
on and the data we find.
should this be done on a non-networked box?
could this be done on an secure networked box, one that only a few
(about 7) trusted staff have login for?

any other tips?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




--
Matt Gardenghi


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Current thread:

password auditing Derek Robson (Nov 17)
- Re: password auditing James Bensley (Nov 17)
- RE: password auditing McGhee, Eddie (Nov 17)
  - Re: password auditing Kevin L. Shaw, CISSP, GCIH (Nov 17)
  - RE: password auditing Harris, Michael C. (Nov 17)
    - Re: password auditing Tracy Reed (Nov 17)
- RE: password auditing John Perea (Nov 17)
  - Re: password auditing Robert Portvliet (Nov 17)
- Re: password auditing Robert Portvliet (Nov 17)
  - Message not available
    - Re: password auditing Robert Portvliet (Nov 17)
- RE: password auditing Bakshi, Narinder (FIN) (Nov 17)
- Re: password auditing Meta Junkie (Nov 17)
- Re: password auditing Ross Del Duca (Nov 17)
- Re: password auditing Haris Pilton (Nov 17)
- Re: password auditing R. DuFresne (Nov 17)
  - Re: password auditing Derek Robson (Nov 17)
    - Re: password auditing JoePete (Nov 19)
    - Re: password auditing DaKahuna (Nov 23)
- Message not available
  - Re: password auditing Derek Robson (Nov 17)
    - Re: password auditing Kevin L. Shaw, CISSP, GCIH (Nov 19)

(Thread continues...)