Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Highlighting weak password dangers

from [Kenton Smith] Network Security [Permanent Link]
Subject: Re: Highlighting weak password dangers
Date: Wed, 24 Jan 2007 15:40:01 -0800 (PST) 
Don't use something that actually tries to login to the account, that's counter 
productive. Use something like John the Ripper that uses the SAM database. Use 
a dictionary or hybrid attack and fill your custom dictionary with all the 
passwords that aren't allowed based on your password policy. You do have a 
password policy, right?

Searching for weak passwords should take no time at all. There is no reason for 
using brute-force for policy compliance. As soon as you start brute-forcing you 
are trying to hack user accounts and I suspect that would be against your 
security policy.

Kenton

----- Original Message ----
From: WALI <hkhasgiwale@gmail.com>
To: security-basics@securityfocus.com
Sent: Wednesday, January 24, 2007 10:15:46 AM
Subject: Highlighting weak password dangers



I want to highlight the danger of using weak passwords on servers and users 
admin desktops. I have tested TSgrinder with a basic dictionary Brute Force 
to access Remote Desktop exploit on both servers and desktops. The problem 
here is that when connected to domain, the Account Lockout feature disables 
the account quite soon. I can only show the exploit on machines not 
connected to the domain where Domain Security policy doesn't flow down.

What are other interesting and intriguing ways to present this problem? I 
also need a system to do Passwords Audit on my domain and make then 'secure 
password' policy compliance.





__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Port 8081 mystery, Steven Nixon
Next by Date:  RE: Encryption Key Management System, Jaime A. Diaz
Previous by Thread:  Getting cookies, Mac Mohan
Next by Thread:  re: Highlighting weak password dangers, Kenton Smith
Indexes:  [Date] [Thread] [Top] [All Lists]