Re: password auditing

From: Kevin L. Shaw, CISSP, GCIH (kshaweeenterprisesinc.com)
Date: Wed Nov 18 2009 - 00:25:36 CST


Derek:

"An hour or two" is not going to give you a sufficient assessment.
Going through your 200K word dictionary a single time will probably take
longer than that. I would recommend a couple of things based on your
latest note, as well as this comment: without first having an enforceable
policy in place, this is really like putting the cart before the horse.
However, I understand the reason why you are doing this, so good luck -
but you *must not* let it be a two hour run; that is unrealistic.

First, don't use this "200K" dictionary you mentioned. You are looking
for default passwords? Find and/or create a list of default passwords
for the software (and hardware; I know there are some interesting
"legacy" electronics out there) you have in place at your organization.
Use this, and run all the usernames and variations of usernames as part
of the attack. I might even recommend finding the names of people's
children and pets, as easily as you can or over the internet - Facebook,
etc. - just like a regular penetration test/attack, and putting these in
the dictionary. If it is publicly accessible, it is game.

Second, run this for a week. An attack of this sort will last more than
two hours. Running the option to hide the cracked passwords is a good
idea. You will probably not need to demonstrate 'password z' was
cracked in x minutes; I'm assuming they just want a number, so leave the
laptop physically locked up for those few days and regularly examine the
status. I would be inclined in this situation to report that status to
management at least once daily in case, after dozens of passwords are
easily cracked, they decide to start putting a sound policy in place
right away.

Sorry this is long-winded; I'm up a lot longer than usual. Good luck
with this task; it seems like you have a little support from some people
and some hostility from others (two hours??).

Kev

Derek Robson wrote:
> Thanks to everyone for such a big response.
>
> Many of you have pointed me to questions of our policy...
> Many of you have talked about having password quality enforced when
> they are set....
>
>
> We have no real policy around passwords, we have no standards, we do
> no quality testing.
> We don't force users to change passwords; some have had the same
> password for many years.
> Some still have the default password.
>
>
> This project is to get some real data about our passwords, so we can
> help managers get some policy and some standards in place.
>
>
> At this stage we are looking at doing a one-time cracking session.
> This will be done on a non-networked laptop.
> We will only crack for an hour or two.
> The only results we will take off the laptop is a percentage of users
> whose passwords we could crack.
>
> This will only be done after I have the OK from my manager, the two
> managers above him and the head of IT.
>
>
>
> Thanks for the good input; it has given me lots to think about.
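The targeted wordlist Kevin describes (site defaults first, then the usernames themselves, then mangled variations of usernames and of names harvested from public sources) can be built with a short script. The example below is added to this archive page and is not from either poster; every input list in it (the default passwords, the usernames `drobson`/`jsmith`/`admin`, the names `Rex`/`Emily`, the year range) is constructed sample data standing in for the organisation's real inventory and account list. The mangling rules are a small, deliberately readable subset of what John the Ripper's `--rules` option does; the point is the ordering, so the cheapest, highest-yield candidates are tried first.

```python
"""
Build a targeted password-audit wordlist in priority order:
  1. known default passwords for the software/hardware in use
  2. each username exactly as it is
  3. mangled forms of usernames and of publicly harvested names
Duplicates are dropped while preserving that order, so a candidate that
is both a default and a username (e.g. "admin") is tried once, early.
"""

# Constructed sample data. In a real audit these come from the product
# defaults you have collected, the account list, and public profiles.
DEFAULT_PASSWORDS = ["password", "Password1", "admin", "changeme", "welcome1"]
USERNAMES = ["drobson", "jsmith", "admin"]
PERSONAL_NAMES = ["Rex", "Emily"]                 # pets, children, etc.
YEARS = [str(y) for y in range(2005, 2010)]       # hypothetical audit window

# Common letter-to-digit substitutions users think make a word "strong".
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

# Suffixes users tack on to satisfy a length or complexity rule.
SUFFIXES = ["1", "12", "123", "!", "1!"]


def mangle(word, years=YEARS):
    """Return the variations of one word worth trying in a first pass.

    Deterministic order: case variants and reversal first, then for each
    of those the leet form, the doubled form, and common suffixes.
    """
    bases = [word, word.lower(), word.upper(), word.capitalize(), word[::-1]]
    suffixes = SUFFIXES + list(years)
    out = []
    for b in bases:
        out.append(b)
        out.append(b.translate(LEET))
        out.append(b + b)
        out.extend(b + s for s in suffixes)
    return out


def build_wordlist(defaults=DEFAULT_PASSWORDS, usernames=USERNAMES,
                   names=PERSONAL_NAMES, years=YEARS):
    """Merge the three sources into one de-duplicated, priority-ordered list."""
    seen = set()
    ordered = []

    def add(candidate):
        # Skip blanks and anything already queued earlier (higher priority).
        if candidate and candidate not in seen:
            seen.add(candidate)
            ordered.append(candidate)

    for w in defaults:                 # cheapest hits: vendor defaults
        add(w)
    for u in usernames:                # username-as-password, unmodified
        add(u)
    for w in usernames + names:        # mangled usernames and personal names
        for v in mangle(w, years):
            add(v)
    return ordered


def write_wordlist(path, words):
    """Write one candidate per line; returns the number of lines written."""
    with open(path, "w", encoding="utf-8") as fh:
        for w in words:
            fh.write(w + "\n")
    return len(words)


if __name__ == "__main__":
    wl = build_wordlist()
    n = write_wordlist("audit-wordlist.txt", wl)
    print(f"wrote {n} candidates; first five: {wl[:5]}")
```

Feed the resulting file to the cracker on the offline laptop (for John the Ripper, `--wordlist=audit-wordlist.txt`, optionally with `--rules` to apply its own, much larger, mangling set on top). Because the list is ordered by expected yield, the defaults and bare usernames are exhausted in the first minutes, which is exactly the evidence needed for the daily status report to management.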
