Re: Password Audit tools

From: GuidoZ (uberguidoz_at_gmail.com)
Date: 12/20/04

    Date: Mon, 20 Dec 2004 03:13:39 -0500
    To: "John Forristel (SunGard-Chico)" <John.Forristel@sungardbi-tech.com>
    
    

    > If you have the time and disk space, Rainbow Crack is another very fast
    > cracker. It creates tables of possible hashes based on the parameters
    > you set, such as "lower-case, numeric". It takes about 640 megs for
    > letters and numbers. It takes about 200 GIGS for special and alt chars.
    >
    > When you crack, it is incredibly fast because the work is already done

    Something to add to this - frequently when doing pen-tests, you'll
    find that weak passwords are only alphanumeric. Generating the rainbow
    tables and popping them onto a CD or large USB thumb drive (or USB
    HDD) works wonders. Then you can take them with and crack passwords
    on the spot in minutes. (RainbowCrack will also run from a USB drive.)

    --
    Peace. ~G

    On Tue, 14 Dec 2004 09:30:35 -0800, John Forristel (SunGard-Chico)
    <John.Forristel@sungardbi-tech.com> wrote:
    > 
    > If you have the time and disk space, Rainbow Crack is another very fast
    > cracker.  It creates tables of possible hashes based on the parameters
    > you set, such as "lower-case, numeric".  It takes about 640 megs for
    > letters and numbers.  It takes about 200 GIGS for special and alt chars.
    > 
    > When you crack, it is incredibly fast because the work is already done.
    > 
    > 
    > -----Original Message-----
    > From: Dan Connelly [mailto:connellyd@gmail.com]
    > Sent: Tuesday, December 14, 2004 4:25 AM
    > To: Jeffrey M. Miller CISSP
    > Cc: pen-test@securityfocus.com
    > Subject: Re: Password Audit tools
    > 
    > Internet Scanner does a good job of enumerating accounts on a Windows
    > Domain (using netbios and null sessions) but if you tried to brute
    > force/dictionary every account that it found the scan would take a
    > VERY long time to complete.  If you are trying to pw crack through a
    > service (ftp, telnet, http...), use hydra; otherwise use LC or John the
    > Ripper.
    > BTW, Nessus also does a good job enumerating accounts, and it's free ;)
    > Dan
    > 
    > On Mon, 13 Dec 2004 19:10:29 -0600, Jeffrey M. Miller CISSP
    > <jmiller@acumeninfosec.com> wrote:
    > > I've used Internet Security Scanner from ISS and really like its
    > > ability to pull users from NT domains and test common passwords, such
    > > as username=password, password=password, etc.
    > >
    > > I've considered purchasing the consultant version of l0phtcrack LC5.
    > >
    > > Has anyone used LC5 and can anyone compare it to ISS?  Also are there
    > > any OpenSource tools that can do these sorts of checks?
    > >
    > > Thanks
    > >
    > > J_
    > >
    > >
    > 
    >
    
