Hi Jeffrey,
Well, it's plenty of password auditing tools out there that will save you
money. On the other hand, LC5 has the fastest LM engine.
If time isn't an issue, and you wish to save money, go for John the Ripper
(http://www.openwall.com/), or my preferred "advanced" tool: Lepton's
Crack (http://freshmeat.net/lcrack/). Both of them can run on Linux,
Windows via Cygwin (lcrack), DOS/Windows CLI (JtR), and even VC++ (lcrack,
development branch).
The algorithms supported vary, but you'll have LM and NTLM at least (JtR
requires patching, and for lcrack you've to use the development branch, at
least until Lepton and myself have the time to port the LM stuff into the
stable one).
If you want a Windows GUI tool, go for Cain (http://www.oxid.it/). It's a
pity that it requires administrative access to run, even if you don't plan
to do network sniffing.
An extra link for the same price (be sure to visit it):
http://www.nestonline.com/lcrack/lcexp1.html
If you want, I can email you a paper I wrote about password cracking using
a cluster (I know: I've to put it on a web!).
Cheers,
Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG
"Jeffrey M.Miller CISSP" <jmiller@acumeninfosec.com>
14/12/2004 01:10
To: pen-test@securityfocus.com
cc: (bcc: Miguel Dilaj/PH/Novartis)
Subject: Password Audit tools
I've used Internet Security Scanner from ISS and really like it's
ability to pull users from NT domains and test common passwords, such
as username=password, password=password, etc.
I've considered purchasing the consultant version of l0phtcrack LC5.
Has anyone used LC5 and can anyone compare it to ISS? Also are there
any OpenSource tools that can do these sorts of checks?
Thanks
J_
