Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Highlighting weak password dangers

from [Simon W. Hall] Network Security [Permanent Link]
Subject: RE: Highlighting weak password dangers
Date: Wed, 24 Jan 2007 20:15:19 +0100 
1.
The Administrators account does not have a lockout policy!
You can just run passwords after passwords on it.
http://technet2.microsoft.com/WindowsServer/en/library/4639940c-74b3-46c8-b4
97-cdb7666f1e461033.mspx?mfr=true
Rename the administrators account... (security by obscurity)
That will help a bit for outside threats.

2.
To my knowledge, there is no good way to do a password audit on a windoze
box.
Unless you are going down the rainbow tables path, breaking hashes.
Set up a good password policy, that way you ensure passwords meet a minimum
requirement.
Make your users change passwords after the policy is in place.

Simon

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of WALI
Sent: Wednesday, January 24, 2007 6:16 PM
To: security-basics@securityfocus.com
Subject: Highlighting weak password dangers



I want to highlight the danger of using weak passwords on servers and users 
admin desktops. I have tested TSgrinder with a basic dictionary Brute Force 
to access Remote Desktop exploit on both servers and desktops. The problem 
here is that when connected to domain, the Account Lockout feature disables 
the account quite soon. I can only show the exploit on machines not 
connected to the domain where Domain Security policy doesn't flow down.

What are other interesting and intriguing ways to present this problem? I 
also need a system to do Passwords Audit on my domain and make then 'secure 
password' policy compliance.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  EMC/Dantz Retrospect Backup, andrews
Next by Date:  Is ophcrack online cracker offline forever?, Mary Hendrix
Previous by Thread:  Highlighting weak password dangers, WALI
Next by Thread:  RE: Highlighting weak password dangers, Scott Ramsdell
Indexes:  [Date] [Thread] [Top] [All Lists]