From: rajat swarup (rajats@gmail.com)
Date: Sun May 06 2007 - 16:19:42 EDT
> On 5/4/07, Mike Gibson <micheal.gibson@gmail.com> wrote:
> > Can anyone recommend a good password auditing tool. Basically I want
> > to identify weak passwords on my servers (Windows, Linux, Unix).
> > Ideally this would be done by a tool that could remotely fetch the
> > local password database and then attempt to brute force the passwords
> > and prepare a report in a central location.
I would suggest using pwdump6 to dump the password hashes into a file
for Windows XP SP2 onwards. Once you have that you could let john the
ripper run in incremental mode (for good efficiency). John the ripper
is primarily a unix pwd cracking util but with the help of pwdump you
can use it to crack windows passwords. L0pht is also good .. but the
best password cracking is done by rcrack
(http://www.antsight.com/zsl/rainbowcrack/). However, you need to
have a good set of hashes to work from. Getting that is another
exercise all together....however, one of the best set of rainbow
tables can be obtained from
http://www.freewebs.com/rainbowtables/downloads.htm (alphanumeric 32
symbols LM Hashes).
Another solution is to use the Ophcrack Live CD
(http://ophcrack.sourceforge.net/) if you can afford to reboot the
windows system that you want to audit it should be able to crack
alphanumeric passwords pretty quickly.
HTH,
Rajat Swarup
http://rajatswarup.blogspot.com/
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:46 EDT