Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Password Auditing
From: "rajat swarup" <rajats () gmail com>
Date: Sun, 6 May 2007 16:19:42 -0400

On 5/4/07, Mike Gibson <micheal.gibson () gmail com> wrote:
> Can anyone recommend a good password auditing tool. Basically I want
> to identify weak passwords on my servers (Windows, Linux, Unix).
> Ideally this would be done by a tool that could remotely fetch the
> local password database and then attempt to brute force the passwords
> and prepare a report in a central location.

I would suggest using pwdump6 to dump the password hashes into a file
for Windows XP SP2 onwards.  Once you have that you could let john the
ripper run in incremental mode (for good efficiency).  John the ripper
is primarily a unix pwd cracking util but with the help of pwdump you
can use it to crack windows passwords.  L0pht is also good .. but the
best password cracking is done by rcrack
(http://www.antsight.com/zsl/rainbowcrack/).  However, you need to
have a good set of hashes to work from.  Getting that is another
exercise all together....however, one of the best set of rainbow
tables can be obtained from
http://www.freewebs.com/rainbowtables/downloads.htm (alphanumeric 32
symbols LM Hashes).
Another solution is to use the Ophcrack Live CD
(http://ophcrack.sourceforge.net/) if you can afford to reboot the
windows system that you want to audit it should be able to crack
alphanumeric passwords pretty quickly.

Rajat Swarup


This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]