Re: password auditing



I definitely agree regarding enforcing password complexity rules, but
he wants to crack Unix passwords, so rainbow tables will be of no use
due to salts being in use.

In regard to John's default cracking behavior, it goes as follows
(from http://www.openwall.com/john/doc/EXAMPLES.shtml):


2. Now, let's assume you've got a password file, "mypasswd", and want
to crack it. The simplest way is to let John use its default order of
cracking modes:

john mypasswd

This will try "single crack" mode first, then use a wordlist with
rules, and finally go for "incremental" mode. Please refer to MODES
(http://www.openwall.com/john/doc/MODES.shtml) for more information on
these modes.





On Tue, Nov 17, 2009 at 10:32 AM, Matt Gardenghi <mtgarden@xxxxxxxxx> wrote:
Well, for starters, I would just enable password complexity and solve the
problem.  If you want to actually crack them once or twice (at least to
demonstrate the threat), I would simply dump the passwords from AD.  Still,
one user is all that is necessary, though two working together would grant
accountability.

JtR starts with the password list and then switches to brute force.  Add all
cracked passwords to your list for the future.  But I would just grab
rainbow tables...  Much faster.

End of the day, not sure why you would crack passwords.  Enable complexity
up front.

Matt

On Tue, Nov 17, 2009 at 8:20 AM, Robert Portvliet
<robert.portvliet@xxxxxxxxx> wrote:

Yes, you could do this on an isolated box, no need to be on the network...

If you're going to do this on a monthly basis, I would take the
cracked passwords from each session (found in the john.pot file) and
add them to your wordlist for the next month (guard that with your
life), and make sure to delete the john.pot file after every cracking
session.

Make sure you get written permission from your manager to do password
cracking; you may be violating company policy otherwise.






On Tue, Nov 17, 2009 at 1:43 AM, Derek Robson <robsonde@xxxxxxxxx> wrote:
I have been asked by my manager to setup a password audit.

I plan on using john-the-ripper (Unix passwords).
The basic idea is that we want a list of users who have weak
passwords; gut feeling is that a large number of staff have an old
default password.

We intend to just hit it with a 200K-word dictionary and see what we
get.


The next step is to run this every month and e-mail users who have weak
passwords, asking them to "please change your password".


The question is about the security we set up around the box we run JtR
on and the data we find.
Should this be done on a non-networked box?
Could this be done on a secure networked box, one that only a few
(about 7) trusted staff have logins for?

Any other tips?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------






--
Matt Gardenghi
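
The monthly cycle the thread sketches (run the wordlist against the hashes, notify the affected users, fold the john.pot plaintexts into next month's wordlist, then delete the pot) as an added shell example. This is not code from any of the posters. Assumptions that are not in the thread: John the Ripper's john and unshadow are on PATH on the isolated box, copies of passwd and shadow sit under /srv/pwaudit, POT is the john.pot your build actually writes to (the default location depends on the build), and mail(1) with -s delivers to user@MAIL_DOMAIN. Only account names reach the notification step; the cleartexts stay in the pot until it is destroyed.

```shell
#!/bin/sh
# Monthly JtR audit cycle for an isolated box. Added example, not code from
# the thread. Assumed (not from the thread): john(8) and unshadow(8) on PATH,
# passwd/shadow copies under $AUDIT_DIR, $POT is the john.pot this john build
# writes to, $WORDLIST is one candidate per line. All paths are illustrative.
set -eu

AUDIT_DIR=${AUDIT_DIR:-/srv/pwaudit}        # assumed: mode 0700, local disk only
WORDLIST=${WORDLIST:-$AUDIT_DIR/wordlist.txt}
POT=${POT:-$AUDIT_DIR/john.pot}
HASHES=${HASHES:-$AUDIT_DIR/hashes.txt}
SHOW=${SHOW:-$AUDIT_DIR/show.txt}

# Merge the passwd/shadow copies, run the wordlist with JtR's mangling rules,
# and save the "john --show" listing for the steps below.
run_john() {
    unshadow "$AUDIT_DIR/passwd" "$AUDIT_DIR/shadow" > "$HASHES"
    john --wordlist="$WORDLIST" --rules "$HASHES"
    john --show "$HASHES" > "$SHOW"
}

# Account names only, from a saved "john --show" listing. That output is
# passwd-style lines "user:plaintext:uid:gid:gecos:home:shell" followed by a
# summary "N password hashes cracked, M left", which has no colon. The
# reminder e-mail needs the name, not the cleartext, so nothing else leaves.
weak_users() {
    grep ':' "$1" | cut -d: -f1 | LC_ALL=C sort -u
}

# One reminder per weak account. Assumes a local MTA and a mail(1) that
# accepts -s; MAIL_DOMAIN is a placeholder for your site.
notify_weak_users() {
    weak_users "$1" | while IFS= read -r user; do
        printf 'Your password was found by the monthly audit. Please change your password.\n' \
            | mail -s "Password audit" "$user@${MAIL_DOMAIN:-example.com}"
    done
}

# Fold this month's cracked plaintexts into next month's wordlist, then
# destroy the pot. Pot lines are "hash:plaintext"; crypt(3) hashes contain no
# colon, so everything after the first colon is the plaintext, colons included.
harvest_pot() {
    pot=$1
    wordlist=$2
    [ -e "$pot" ] || return 0
    cut -d: -f2- "$pot" >> "$wordlist"
    LC_ALL=C sort -u -o "$wordlist" "$wordlist"
    # shred is best effort: on journaling or copy-on-write filesystems the old
    # blocks may survive, which is one more reason the box stays isolated.
    if command -v shred >/dev/null 2>&1; then
        shred -u -- "$pot"
    else
        rm -f -- "$pot"
    fi
}

monthly_audit() {
    run_john
    notify_weak_users "$SHOW"
    harvest_pot "$POT" "$WORDLIST"
    rm -f -- "$HASHES" "$SHOW"   # hashes and cleartexts do not persist between runs
}

if [ "${1:-}" = run ]; then
    monthly_audit
fi
```

Run it as `sh audit.sh run` from the audit account; the wordlist is the only artifact that carries over between months, so it is the file that gets the "guard with your life" treatment Robert describes.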