Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: password auditing
From: Robert Portvliet <robert.portvliet () gmail com>
Date: Tue, 17 Nov 2009 08:20:37 -0500

Yes, you could do this on an isolated box, no need to be on the network...

If you're going to do this on a monthly basis, I would take the
cracked passwords from each session (found in the john.pot file) and
add them to your wordlist for the next month (guard that with your
life), make sure to delete the john.pot file after every cracking
session.

Make sure you get written permission from your manager to do password
cracking, you may be violating company policy otherwise.






On Tue, Nov 17, 2009 at 1:43 AM, Derek Robson <robsonde () gmail com> wrote:
I have been asked by my manager to setup a password audit.

I plan on using john-the-ripper (unix passwords)
the basic idea is that we want a list of users that have weak
passwords, gut feeling is that a large number of staff have an old
default password.

we intend to just hit it with a 200K word dictionary, and see what we get.


the next step is run this every month and email users that have weak
passwords asking them to "please change your password"


the question is about the security we setup around the box we run JtR
on and the data we find.
should this be done on a non-networked box?
could this be done on an secure networked box, one that only a few
(about 7) trusted staff have login for?

any other tips?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]