Right - anyone interested in Password auditing?

Discussion in 'Computer Security' started by zebulebu, Aug 8, 2006.

  1. zebulebu

    zebulebu Terabyte Poster

    Having been a security consultant whilst contracting, I find nothing focuses an organisation's attention quicker than being able to crack 99% of their passwords with nothing more than a DVD, access to the SAM and ten hours...

    If anyone's interested in this side of security I can point you in the right direction for a couple of fabulous tools.

    Of course, this post comes with the caveat that this should ONLY ever be done with the express consent of your employer - otherwise you're likely to find yourself in P45sville in very short order...

    In my current role I was met with astonished looks from my boss when I showed him the results of my initial audit - and equally stunned responses when I told him that putting this right would take about thirty seconds (plus, of course, the months and months of stress on the helpdesk from users continually forgetting their 'New And Improved' password and needing it reset - but we won't go into that :twisted: )
     
    Certifications: A few
    WIP: None - f*** 'em
  2. mattwest

    mattwest Megabyte Poster

    Hey there,

    If you don't mind recommending some tools for this kind of thing that would be appreciated, always useful to have an arsenal so to speak!

    :twisted: :blink
     
    Certifications: See my signature...
    WIP: Maybe re-certify my CCNA
  3. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    Add me to the list too please... you can PM me the details if you like...
     
  4. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    A third 'Yes Please' from me too! :biggrin
     
  5. Nelix
    Honorary Member

    Nelix Gigabyte Poster

    Me too please, as I am about to start a new job and one of the things on the job spec was security related, this information would be most beneficial. PM or email me

    Thanks
     
    Certifications: A+, 70-210, 70-290, 70-291, 74-409, 70-410, 70-411, 70-337, 70-347
    WIP: 70-346
  6. Sayed

    Sayed Bit Poster

    Count me in too please! I'll give our network security admin guys a lil lesson :biggrin
     
  7. zebulebu

    zebulebu Terabyte Poster

    OK - here goes.

    The method I usually use is pretty easy, but requires some initial groundwork to be laid.

    Firstly, you need to lay your hands on a copy of RainbowCrack - you can get it here.

    Take a read through the documentation - there are also a couple of demonstration vids on the site. As the blurb states, a traditional brute-forcing tool can take months, years, or longer to crack passwords, as it tries each individual password in the SAM in turn. RainbowCrack takes all the grunt work out of this by precomputing hash tables to run checks against. Whilst it can be time-consuming to precompute the tables, the beauty of using this approach is that, once run against a SAM after the precomputed tables have been drummed up, cracking passwords is exponentially quicker and yields a much higher success rate.

    You will need to decide how complex the character set you want to use is before you precompute your hash tables. There are literally thousands of different character sets you could choose, but you can break them down into three 'real world' types:

    Alphabetical (upper & lower case letters)
    Alphanumeric (alphabetical + numerals 0-9)
    Alphanumeric + Character (as alphanumeric but with !@#$%^&*()-_+= added to the set)

    Nowadays, most places have a password policy that requires alphanumeric passwords over six characters in length. This would be a decent place to start - as you can see, the precomputed tables for this character set take up about 3GB - which fits neatly onto a DVD.

    Now this is where the time-consuming element comes into play. If you read through the documentation, precomputing the tables themselves is actually pretty straightforward. However, it does take some time. Precomputing mine on an old PIII Deskpro with 512MB Ram I had knocking around on my LAN took around eight days - this might sound a long time, but trust me, the benefit is worth it.

    Once you've got your tables all ready to go and have arranged them how the documentation shows, you're ready to go. You will need either unfettered access to the SAM you're running it against (for those not in the know, this requires domain admin credentials), or you'll need to grab the SAM from the PDC using a linux boot disk and run the tool offline. If you've followed my advice and are using this legitimately (i.e. with the express written consent of your employer) then using a domain admin account shouldn't present you with a problem.

    Then, you simply feed the tables into a password cracking tool (I use Cain & Abel - get it here as it simply shits on any other freeware tool out there), pull the SAM details down and away you go.

    To give you an idea of its effectiveness, at my current place we have 4,683 user accounts. I ran it one weekend - net result: 4,621 passwords cracked in just over 14 hours. That's a 98.7% success rate.

    Obviously, the fatal flaw in using this method is that the character set I use is alphanumeric. If I were to use the alphanumeric + character charset it would take me about 200 days to precompute the tables and I'd need to port them around on an external drive...

    What I use this for mainly is to educate clients as to the need for a reasonable password policy. The sad thing is, the vast majority of places could vastly reduce the risk of people cracking passwords simply by implementing a policy that requires at least one special character in each password. Even sadder is the fact that this is the DEFAULT setting for W2K3 domains, but is usually turned off because the helpdesk can't cope with a barrage of calls from users unable to remember their passwords.

    Lemme know how you get on, and give me a shout if you need any more help :p
     
    Certifications: A few
    WIP: None - f*** 'em
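To make the precompute-once, reuse-many mechanism of the post above concrete, here is a toy rainbow table written for this thread (example code, not from RainbowCrack or Cain & Abel). It assumes a constructed four-letter keyspace with SHA-1 standing in for the NT hash; the optional salt on h() is there to show why a per-user salt makes a precomputed table useless, which is the property the unsalted SAM hashes lack.

```python
import hashlib
import string
# Constructed toy keyspace: 4 lowercase letters (26**4 = 456,976 passwords). A real
# table covers the alphanumeric set the post describes; the mechanics are identical.
CHARSET, LENGTH, CHAIN_LEN = string.ascii_lowercase, 4, 50
SPACE = len(CHARSET) ** LENGTH

def h(pw, salt=b""):
    # Unsalted by default, as in the SAM: one password, one digest, so precomputation
    # pays off. Passing a per-user salt (an assumption for the demo) breaks that link.
    return hashlib.sha1(salt + pw.encode()).digest()

def reduce_(digest, step):
    # Map a digest back into the keyspace. Mixing in the step index gives a different
    # reduction per chain position (the "rainbow" idea), which limits chain merges.
    n = (int.from_bytes(digest[:8], "big") + step) % SPACE
    out = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)

def chain(start):
    # All passwords on the chain that begins at start, in order.
    pws = [start]
    for step in range(CHAIN_LEN - 1):
        pws.append(reduce_(h(pws[-1]), step))
    return pws

def build_table(num_chains):
    # Precompute step: store only (endpoint -> start); the rest is regenerated on lookup.
    table = {}
    for i in range(num_chains):
        start = reduce_(h("seed%d" % i), 0)
        table[reduce_(h(chain(start)[-1]), CHAIN_LEN - 1)] = start
    return table

def lookup(table, target):
    # For each position the target could occupy, regenerate the chain's endpoint;
    # on a hit, walk that chain from its start to confirm the preimage.
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduce_(h(pw), step)
        start = table.get(pw)
        if start is not None:
            for cand in chain(start):
                if h(cand) == target:
                    return cand
    return None
```

The table stores one endpoint per fifty passwords, which is the storage trade-off that lets the real tables fit on a DVD; the same lookup against a salted digest of the same password returns nothing.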
  8. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    Youtube.com? :blink
     
  9. zebulebu

    zebulebu Terabyte Poster

    Certifications: A few
    WIP: None - f*** 'em
  10. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Just picked up on this great thread. Thanks :thumbleft
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  11. madman045

    madman045 Kilobyte Poster

    Indeed a great thread, I have a few clients that require a full scale audit, so this should come in handy.

    Thanks!
     
    Certifications: 70-270, 70-290, PRINCE2 Foundation, VCA-DCV & VCA-DT
    WIP: MCSA 2008, VCP5-DCV, ITIL V3
