
Password Strength Testing


cb122

Newbie

Posts: 20

Joined: Tue Jan 15, 2013 8:54 am

Post Tue Jan 15, 2013 9:14 am

Password Strength Testing

Hi,

First off, please excuse the naivety of this question, but pen test isn't an area of expertise. However, my question is, are you aware of any free tools (ideally that don't need installing on a system - so command prompt applications) whereby I need to check a list of domain usernames against a list of 3 passwords to get some sort of report of any accounts whose password is one of my list of 3.

I know you can dump hashes from domain controllers with pwdump etc and check them offline with tools like Cain and Ophcrack but I don't really want to do that as the scope is to just test a pre-defined set of accounts, not the capacity to check every account.

Any free little command line tools that can help and I can download for free would be excellent.

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Jan 15, 2013 10:13 am

Re: Password Strength Testing

Hashcat is command line http://hashcat.net/hashcat/

If you want something short and sweet you can use python and py2exe it. Just add a for loop to this:

import hashlib, binascii
# NT hash = MD4 over the UTF-16LE encoding of the password, no salt.
# 'md4' is provided by OpenSSL; on OpenSSL 3 builds it needs the legacy provider.
hash = hashlib.new('md4', "thisismyhashvalue".encode('utf-16le')).digest()
print(binascii.hexlify(hash))

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Jan 15, 2013 11:27 pm

Re: Password Strength Testing

cd1zz wrote: Hashcat is command line http://hashcat.net/hashcat/

If you want something short and sweet you can use python and py2exe it. Just add a for loop to this:

import hashlib, binascii
# NT hash = MD4 over the UTF-16LE encoding of the password, no salt.
# 'md4' is provided by OpenSSL; on OpenSSL 3 builds it needs the legacy provider.
hash = hashlib.new('md4', "thisismyhashvalue".encode('utf-16le')).digest()
print(binascii.hexlify(hash))

Wow, it's difficult to follow that up with a response that doesn't make you look like a noob...

I was just going to say, since you're only checking three passwords, it might be easiest to perform an online SMB-based attack using something like Hydra or Medusa. The performance gains of dumping the hashes and running an offline attack would probably be negligible with so few passwords.

You could run that from a Linux VM and not be required to install anything anywhere on a host system. You would have to be careful about account lockout though. If you're using the common threshold of three invalid login attempts, either bump that up a bit or space out the guesses a little.

The day you stop learning is the day you start becoming obsolete.

cb122

Newbie

Posts: 20

Joined: Tue Jan 15, 2013 8:54 am

Post Wed Jan 16, 2013 5:23 am

Re: Password Strength Testing

cd1zz wrote: Hashcat is command line http://hashcat.net/hashcat/

If you want something short and sweet you can use python and py2exe it. Just add a for loop to this:

import hashlib, binascii
# NT hash = MD4 over the UTF-16LE encoding of the password, no salt.
# 'md4' is provided by OpenSSL; on OpenSSL 3 builds it needs the legacy provider.
hash = hashlib.new('md4', "thisismyhashvalue".encode('utf-16le')).digest()
print(binascii.hexlify(hash))

Many thanks. If, say, you had to audit a number of domain users, and you know no account lockout is in operation, what password rules/values would you try? Password=Username is an obvious one, but what would your strategy be?

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Wed Jan 16, 2013 9:21 am

Re: Password Strength Testing

If you only have three tries, trim this list down:

password
Password1
Companyname1
Currentmonth2013 (or 2012)
Currentseason2013 (or 2012)

cb122

Newbie

Posts: 20

Joined: Tue Jan 15, 2013 8:54 am

Post Wed Jan 16, 2013 9:59 am

Re: Password Strength Testing

Thank you for your help, it's appreciated.
