Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: user default password checking tool

from [Mario A. Spinthiras] Network Security [Permanent Link]
Subject: Re: user default password checking tool
Date: Sun, 24 Sep 2006 16:58:16 +0300
Josh Parker wrote: 
If you are in an Windows 2003/2000 domain enviroment, you can simply
setup option on the acount to Force a user to change there password
upon the next login. To keep the user from using the same password,
you can set Password History to remember the last password, (the last
3 passwords is a good recomendation) You can also set it to require
complex passwords when they change there password. You can also set
the password age, so they have to change it after a sertain amount of
days.

Hope that helps

JOsh

On 9/14/06, vijay shetti <vijay.shetti@gmail.com> wrote: 
hello all!!

In my company when we create a new user he is given an initial
password.But then he is told to change the password.The password is
initial of the employee name followed by 123..
for vijay shetti it willl be vs123...

We have a domain based environment.I want to check now how many users
have not changed their initial password using some tool that gives me
list of usernames whose password has 123 in the end.


We follow the same procedure for creating outlook mail password.If
there is any tool/script that also helps me find out this then it will
greatly help me.


Waiting for your reply,
Pavan.

--------------------------------------------------------------------------- 

This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




--------------------------------------------------------------------------- 

This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



Implementing such a tool wouldn't be the best of options unless the tool knows each user account by name. If it doesn't to check 123 in a password your looking at brute forcing. I do not know how a domain stores passwords but id like to think M$ has taken the big leap of encryption. (forgive me im micro$oft ignorant).

If I were to do it id do something like this :

Create a script that logs on to the domain controller , gets a list of users , and their names. E.G

Mario Spinthiras      login: mario.s   pass: xj1KZH0VAw4ko

Then my script would break the name into an array , take the first array entry and grab its leftmost character , i.e array[0] would be Mario , so we take left(mario,0) which would mean M.

Then do the same with the Surname , in order to get "S".

Then add them together in a string like this with a trailing 123 = MS123

Then try to auth it with the encrypted password you have. If it matches , then the user must change his/her password.

If it does not match , then the user has changed his/her password.

Simply loop this on all accounts and it should be fine. Use VBS or something. Perl should help too.

Its as simple as it sounds.


Many Thanks,
Mario A. Spinthiras

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Good SPAM filter for Outlook for use in a small non-profite ORG, Mario A. Spinthiras
Next by Date:  RE: The VA Stolen Laptop - Lessons Learned, Pranav Lal
Previous by Thread:  Re: user default password checking tool, Terry Lowery
Next by Thread:  Re: user default password checking tool, Ahmouda
Indexes:  [Date] [Thread] [Top] [All Lists]