From: Shenk, Jerry A (jshenk@decommunications.com)
Date: Sat Dec 03 2005 - 14:34:27 EST
I don't think the issue here is saving time....it is testing policy
compliance. If the policy stats minimum of 6, then test anything with
5. If it states that it has to also have one number and one letter,
then test all pure alpha or pure numeric....etc.
-----Original Message-----
From: Password Crackers, Inc. [mailto:pwcrack@pwcrack.com]
Sent: Friday, December 02, 2005 11:54 AM
To: pen-test@securityfocus.com
Subject: RE: policy-based password cracker
Depending upon the specific policies, you may not save a significant
amount
of time by limiting the brute-force attack. For instance, consider a
policy
that required at least one upper, one lower and one number in all
passwords.
Let's first assume that the possible character set for passwords is
upper/lower/number. For four character passwords, 19% of the possible
password checks can be eliminated due to the policy. For five character
passwords, only 9% would be eliminated and the percentage would continue
to
drop as the length increases. If the possible character set included
upper/lower/number/special characters, the policy would only eliminate
3% of
the possible 4 character passwords and 1% of the possible 5 character
passwords. Since the vast majority of the time for a brute-force attack
is
spent on the largest length checked and since the number of tests that
can
be eliminated due to the policy declines with length, I suspect that
limiting the brute-force attack due to policy might only be worthwhile
for
some highly specific policies.
Also, most brute-force attacks are very fast. One would need to test
the
speed of eliminating a password vs. the speed of testing a password. If
you
needed code to determine whether a password passed the policy, the
overhead
of this code on all passwords might eliminate any savings vs. just
testing
all of the passwords. This would have to be benchmarked on a
case-by-case
and policy-by-policy basis. Obviously, if the password testing is
against a
remote server/resource and the testing is slow, then the savings of not
testing even a small number of passwords would more than make up for the
overhead in the code. However, brute-force attacks against remote and
slow
servers is not very practical to begin with.
Bob Weiss
Password Crackers, Inc.
-----Original Message-----
From: Chris Costantino [mailto:clckct@yahoo.com]
Sent: Thursday, December 01, 2005 12:50 PM
To: pen-test@securityfocus.com
Subject: policy-based password cracker
Hi all,
I am looking for a brute-force password cracker that can be configured
based
on password policies. For example, I am trying to audit a system that I
know the security policy on (min/max pw length, complexity rules, etc)
What
I want is to only brute-force passwords that fit that policy.
Obviously,
min and max is not the issue, but I can not seem to find anything that
will
only test passwords that meet complexity requirements (lowercase alpha,
uppercase alpha, number). Something that generates this into a rainbow
table would be even better.....
Anyone aware of such a tool?
Thanks in advance,
Chris
__________________________________________
Yahoo! DSL - Something to write home about.
Just $16.99/mo. or less.
dsl.yahoo.com
------------------------------------------------------------------------
----
--
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on
your
website. Up to 75% of cyber attacks are launched on shopping carts,
forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are
futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web
attacks
before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
----
---
------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on
your
website. Up to 75% of cyber attacks are launched on shopping carts,
forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before
hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------
**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:14 EDT