Home page logo

pen-test logo Penetration Testing mailing list archives

Re: password auditing
From: "Kevin L. Shaw, CISSP, GCIH" <kshaw () eeenterprisesinc com>
Date: Wed, 18 Nov 2009 01:25:36 -0500


"an hour or two" is not going to give you a sufficient assessment.
Going through your 200K word dictionary a single time will probably take
longer than that.  I would recommend a couple of things based on your
latest note, as well as this comment - without first an enforceable
policy in place; this is really like putting the cart before the horse.
However; I understand the reason why you are doing this so good luck -
but you *must not* let it be a two hour run that is unrealistic.

First, don't use this "200K" dictionary you mentioned.  You are looking
for default passwords?  Find and/or create a list of default passwords
for the software (and hardware I know there are some interesting
"legacy" electronics out there) you have in place at your organization.
Use this; and run all the usernames and variations of usernames as part
of the attack.  I might even recommend finding the names of people's
children and pets as easily as you can or over the internet - Facebook,
etc. - just like a regular penetration test/attack -and putting these in
the dictionary.  If it is publicly accessible it is game.

Second, run this for a week.  An attack of this sort will last more than
two hours.  Running the option to hide the cracked passwords is a good
idea.  You will probably not need to demonstrate 'password z' was
cracked in x minutes; I'm assuming they just want a number, so leave the
laptop physically locked up for those few days and regularly examine the
status.  I would be inclined in this situation to report that status to
management at least once daily in case, after dozens of passwords are
easily cracked, they decide to start putting a sound policy in place
right away.

Sorry this is long winded I'm up a lot longer than usual.  Good luck
with this task it seems like you have a little support from some people
and some hostility from others (two hours??).


Derek Robson wrote:
thanks to everyone for such a big responce.

many of you have pointed me to questions of our policy...
many of you have talked about haveing password quality inforced when
they are set....

we have no real policy around passwords, we have no standards, we do
no quality testing.
we dont force users to change passwords, some have had the same
password for many years.
some still have the default password.

this project is to get some real data about our passwords, so we can
help managers get some policy and some standards in place.

at this stage we are looking at doing a one time cracking session.
this will be done on a non-networked laptop.
we will only crack for an hour or two.
the only results we will take off the laptop is a percentage of users
who's passwords we could crack.

this will only be done after I have the OK from my manager, the two
managers above him and the head of IT.

thanks for the good input it has given me lots to think about.

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]