RE: policy-based password cracker

Depending upon the specific policies, you may not save a significant amount
of time by limiting the brute-force attack. For instance, consider a policy
that required at least one upper, one lower and one number in all passwords.
Let's first assume that the possible character set for passwords is
upper/lower/number. For four character passwords, 19% of the possible
password checks can be eliminated due to the policy. For five character
passwords, only 9% would be eliminated and the percentage would continue to
drop as the length increases. If the possible character set included
upper/lower/number/special characters, the policy would only eliminate 3% of
the possible 4 character passwords and 1% of the possible 5 character
passwords. Since the vast majority of the time for a brute-force attack is
spent on the largest length checked and since the number of tests that can
be eliminated due to the policy declines with length, I suspect that
limiting the brute-force attack due to policy might only be worthwhile for
some highly specific policies.

Also, most brute-force attacks are very fast. One would need to test the
speed of eliminating a password vs. the speed of testing a password. If you
needed code to determine whether a password passed the policy, the overhead
of this code on all passwords might eliminate any savings vs. just testing
all of the passwords. This would have to be benchmarked on a case-by-case
and policy-by-policy basis. Obviously, if the password testing is against a
remote server/resource and the testing is slow, then the savings of not
testing even a small number of passwords would more than make up for the
overhead in the code. However, brute-force attacks against remote and slow
servers is not very practical to begin with.

Bob Weiss
Password Crackers, Inc.

-----Original Message-----
From: Chris Costantino [mailto:clckct@xxxxxxxxx]
Sent: Thursday, December 01, 2005 12:50 PM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: policy-based password cracker

Hi all,

I am looking for a brute-force password cracker that can be configured based
on password policies. For example, I am trying to audit a system that I
know the security policy on (min/max pw length, complexity rules, etc) What
I want is to only brute-force passwords that fit that policy. Obviously,
min and max is not the issue, but I can not seem to find anything that will
only test passwords that meet complexity requirements (lowercase alpha,
uppercase alpha, number). Something that generates this into a rainbow
table would be even better.....

Anyone aware of such a tool?

Thanks in advance,
Chris



__________________________________________
Yahoo! DSL - Something to write home about.
Just $16.99/mo. or less.
dsl.yahoo.com


----------------------------------------------------------------------------
--
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web attacks
before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Relevant Pages

  • RE: policy-based password cracker
    ... I don't think the issue here is saving time....it is testing policy ... Since the vast majority of the time for a brute-force attack ... most brute-force attacks are very fast. ... Audit your website security with Acunetix Web Vulnerability Scanner: ...
    (Pen-Test)
  • RE: VmWare and Pen-test Learning
    ... Setup a tftp server on your client machine. ... Use John the Ripper to crack the passwords. ... (dictionary attacks, brute force, single mode). ... Download FREE whitepaper on how a managed service can help ...
    (Pen-Test)
  • RE: Whitespace in passwords - now alt+xxx
    ... Subject: Whitespace in passwords ... 60 possible characters and the password is 7 characters long. ... >> Check your website for vulnerabilities to SQL injection, ... >> scripting and other web attacks before hackers do! ...
    (Pen-Test)
  • RE: Rainbow Tables
    ... Subject: Rainbow Tables ... Fortunatly for this project we are only doing LM passwords, ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Up to 75% of cyber attacks are launched on shopping carts, ...
    (Pen-Test)
  • Re: Locking down database accounts
    ... Personally it sounds to me that your company has established a policy and is ... But bottom line if you have to use SQL Server logins and passwords, ... Whether it's an encrypted flat file or an encrypted XML file, ...
    (microsoft.public.sqlserver.security)