RE: Password Audit tools

From: Jarmon, Don R (Don.Jarmon@Intergraph.com)
Date: Tue Dec 14 2004 - 12:06:54 EST


This is one of my favorite tool suites: http://www.oxid.it/cain.html. There
are several good articles related to using passphrases instead of passwords.

Don Jarmon
CISSP, SCSE, SCP
Sr. Technical Consultant, Solutions Group
Intergraph Corporation (NASDAQ:INGR)
Mail Stop 17C1
170 Graphics Drive, Madison, AL 35758 USA
P 1.256.730.2366 F 1.256.730.4145
Don.Jarmon(at)Intergraph.com, solutions.intergraph.com

-----Original Message-----
From: Dan Connelly [mailto:connellyd@gmail.com]
Sent: Tuesday, December 14, 2004 6:25 AM
To: Jeffrey M. Miller CISSP
Cc: pen-test@securityfocus.com
Subject: Re: Password Audit tools

Internet Scanner does a good job of enumerating accounts on a Windows
Domain (using netbios and null sessions), but if you tried to brute
force/dictionary every account that it found, the scan would take a
VERY long time to complete. If you are trying to pw crack through a
service (ftp, telnet, http...), use hydra; otherwise use LC or John the
Ripper.
BTW, Nessus also does a good job enumerating accounts, and it's free ;)
Dan

On Mon, 13 Dec 2004 19:10:29 -0600, Jeffrey M. Miller CISSP
<jmiller@acumeninfosec.com> wrote:
> I've used Internet Security Scanner from ISS and really like its
> ability to pull users from NT domains and test common passwords, such
> as username=password, password=password, etc.
>
> I've considered purchasing the consultant version of l0phtcrack LC5.
>
> Has anyone used LC5 and can anyone compare it to ISS? Also are there
> any OpenSource tools that can do these sorts of checks?
>
> Thanks
>
> J_
>
>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:10 EDT