Re: Password Cracking Service on Domain Controllers

From: bkml (bkml@att.net)
Date: Fri Oct 10 2003 - 10:11:11 EDT

• Next message: Golombek Kamil | BDO IT a.s.: "General stress tool for SMTP"
• Previous message: James Fields: "Re: dcom on wyse WinCE systems"
• In reply to: Jeff Bollinger: "Password Cracking Service on Domain Controllers"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Jeff,

I haven't used it, but have kept my eye on it for the last few years. It
certainly sounds like a decent solution if you want more control over
password complexity during user selection.

I don't think it is a service (just my understanding, not definite). They
probably just wrote an extension to the msgina.dll so they could support
additional complexity checking. If that was the case, there is probably no
way for someone to know this change was made unless the password change
dialog window is significantly different.

Here's a link to another modified gina:
http://ntsecurity.nu/toolbox/ - See StrongPass, not FakeGINA. ;)

----
Bruce K. Marshall - bruce_marshall@ins.com - 913-484-7233
      International Network Services (INS) - Kansas City

              "The knowledge behind the network."

----- Original Message -----
From: "Jeff Bollinger" <jeff01@email.unc.edu>
To: <pen-test@securityfocus.com>
Sent: Thursday, October 09, 2003 7:34 AM
Subject: Password Cracking Service on Domain Controllers

> Has anyone ever used Avatier's Password Bouncer?
>
> http://www.avatier.com/products/PasswordBouncer/
>
> It seems to be a service you can install on a domain controller that
> will actively check user passwords and prevent them from entering weak
> ones. It's supposedly much stricter than the built-in password policies
> and passfilt.dll.
>
> > # Reject passwords that contain common words using a 300,000-word
English wordlist.
> > # Reject passwords that contain common names using a 4,000-word proper
name wordlist.
> > # Reject passwords that contain specific names or phrases using a custom
wordlist that includes wildcard support.
> > # Enforce the use of upper and lower case characters (mixed case).
> > # Enforce the use and position of special characters.
> > # Enforce the use and position of numeric characters.
> > # Reject passwords that contain palindromes (i.e. radar or bob).
> > # Enforce password length, minimum, and maximum.
> > # Reject passwords with repeating sequences.
>
>
> This is more of an administration/preventative tool rather than an
> active cracking tool like l0phtcrack, but I'm wondering if anyone knows
> how well this tool works, or if there are others like it that can be
> installed as a service/daemon? Is it possible to determine remotely if
> this service is running?
>
> Thanks,
> Jeff

---------------------------------------------------------------------------
Tired of constantly searching the web for the latest exploits?
Tired of using 300 different tools to do one job?
Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
----------------------------------------------------------------------------

• Next message: Golombek Kamil | BDO IT a.s.: "General stress tool for SMTP"
• Previous message: James Fields: "Re: dcom on wyse WinCE systems"
• In reply to: Jeff Bollinger: "Password Cracking Service on Domain Controllers"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:41 EDT