Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: windows 2003 server

from [Salvador.Manaois] Network Security [Permanent Link]
Subject: RE: windows 2003 server
Date: Mon, 19 Mar 2007 19:44:45 +0800 
If your main goal is to gauge the "strength" of your organization's
password policy and _not_ how to break into the win2003 server, then you
should try to dump a copy of the SAM file onto a password-cracker.
Remotely checking the password strength may require you to try
brute-forcing a session to the server (but then again, if the invalid
login threshold setting and the account lockout policy are defined, you
may find this exercise frustratingly time-consuming). =)

...badz...
Salvador Manaois III

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Chris Parker
Sent: Saturday, March 17, 2007 7:16 AM
To: pen-test@securityfocus.com
Subject: Re: windows 2003 server

Nicolas RUFF wrote:

I have a win2003 server that I have been asked to test its password 
policy.  I am new to this and was wondering what would be the best 
approach to gain access?  It is in my local network and will be 
segregated from the rest of the network for testing.  I would be 
using a remote machine to log in and not locally.  What would be your

suggestions?


Password policy can be found in Administrative Tools/[Local | Domain] 
Security Policy.

What do you mean by "testing password policy" ?

Why do you need to gain access ? You'd better ask for an 
administrative account and dump the SAM file into a password cracker

(like LCP).


Given the default security policy of W2003 (anonymous account 
enumeration blocked, password length over 7 and mixed characters 
required), your chances to break in remotely without any additional 
information are near zero.

Regards,
- Nicolas RUFF


First, we are trying to lock down our servers.  I came into this after
they had these server up for a few years, so you can see my work is cut
out for me.  I just wanted the best ways to test to make sure most users
cannot get where they are not suppose to be.  Current password policy is
8 characters, upper lower number.

thanks
Chris Parker

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00000008bOW
------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: TCP stack smashing, Mathew Rowley
Next by Date:  Re: TCP stack smashing, crazy frog crazy frog
Previous by Thread:  Re: windows 2003 server, Chris Parker
Next by Thread:  Re: windows 2003 server, crazy frog crazy frog
Indexes:  [Date] [Thread] [Top] [All Lists]