Password Strength Testing

[cb122]

Hi,

First off, please excuse the naivety of this question, but pen test isn't an area of expertise. However, my question is, are you aware of any free tools (ideally that dont need installing on a system - so command prompt applications) whereby I need to check a list of domain usernames against a list of 3 passwords to get some of the report of any accounts whose password is one of my list of 3.

I know you can dump hashes from domain controllers with pwdump etc and check them offline with tools like Cain and Ophcrack but I dont really want to do that as the scope is to just test a pre-defined set of accounts, not the capacity to check every account.

Any free little command line tools that can help and I can download for free would be excellent.

[cd1zz]

Hashcat is command line http://hashcat.net/hashcat/

If you want something short and sweet you can use python and py2exe it. Just add a for loop to this:

import hashlib,binascii
hash = hashlib.new('md4', "thisismyhashvalue".encode('utf-16le')).digest()
print binascii.hexlify(hash)

[ajohnson]

Hashcat is command line http://hashcat.net/hashcat/

If you want something short and sweet you can use python and py2exe it. Just add a for loop to this:

import hashlib,binascii
hash = hashlib.new('md4', "thisismyhashvalue".encode('utf-16le')).digest()
print binascii.hexlify(hash)

Wow, it's difficult to follow that up with a response that doesn't make you look like a noob...

I was just going to say, since you're only checking three passwords, it might be easiest to perform an online SMB-based attack using something like Hydra or Medusa. The performance gains of dumping the hashes and running an offline attack would probably be negligible with so few passwords.

You could run that from a Linux VM and not be required to install anything anywhere in a host system. You would have to be careful about account lockout though. If you're using the common threshold of three invalid login attempts, either bump that up a bit or space out the guesses a little.

[cb122]

Hashcat is command line http://hashcat.net/hashcat/

If you want something short and sweet you can use python and py2exe it. Just add a for loop to this:

import hashlib,binascii
hash = hashlib.new('md4', "thisismyhashvalue".encode('utf-16le')).digest()
print binascii.hexlify(hash)

Many thanks. If say you had to audit a number of domain users, and you no account lockout is in operation, what password rules/values would you try? Password=Username is an obvious one, but what would your strategy be?

[cd1zz]

If you only have three tries, trim this list down:

password
Password1
Companyname1
Currentmonth2013 (or 2012)
Currentseason2013 (or 2012)

[cb122]

Thank you for your help its appreciated.