Penetration Testing
RE: Password Audit tools Dec 14 2004 05:06PM
Jarmon, Don R (Don Jarmon Intergraph com)
This is one of my favorite tool suites: http://www.oxid.it/cain.html. There
are several good articles related to using passphrases instead of passwords.

Don Jarmon
CISSP, SCSE, SCP
Sr. Technical Consultant, Solutions Group
Intergraph Corporation (NASDAQ:INGR)
Mail Stop 17C1
170 Graphics Drive, Madison, AL 35758 USA
P 1.256.730.2366 F 1.256.730.4145
Don.Jarmon(at)Intergraph.com, solutions.intergraph.com

-----Original Message-----
From: Dan Connelly [mailto:connellyd (at) gmail (dot) com [email concealed]]
Sent: Tuesday, December 14, 2004 6:25 AM
To: Jeffrey M. Miller CISSP
Cc: pen-test (at) securityfocus (dot) com [email concealed]
Subject: Re: Password Audit tools

Internet Scanner does a good job of enumerating accounts on a Windows
Domain (using NetBIOS and null sessions), but if you tried to brute
force/dictionary every account that it found, the scan would take a
VERY long time to complete. If you are trying to pw crack through a
service (ftp, telnet, http...), use hydra; otherwise use LC or John the
Ripper.
BTW, Nessus also does a good job enumerating accounts, and it's free ;)
Dan

On Mon, 13 Dec 2004 19:10:29 -0600, Jeffrey M. Miller CISSP
<jmiller (at) acumeninfosec (dot) com [email concealed]> wrote:
> I've used Internet Security Scanner from ISS and really like its
> ability to pull users from NT domains and test common passwords, such
> as username=password, password=password, etc.
>
> I've considered purchasing the consultant version of l0phtcrack LC5.
>
> Has anyone used LC5 and can anyone compare it to ISS? Also are there
> any OpenSource tools that can do these sorts of checks?
>
> Thanks
>
> J_
>
>
