win 2003: testing if the passwords are STRONG... what would be the best practice ?


  • win 2003: testing if the passwords are STRONG... what would be the best practice ?

    Hello all,

    I am new to the forum and immediately would like to pop a question...
    I did some searches before posting, so I hope I did not overlook this question if it was asked before !


    Situation : Win 2003 domain controller -active directory (updates,latest service packs)

    This server is online on the public internet with windows remote desktop enabled.
    I was asked to "test" if the passwords are strong as part of a security exercise.
    I have access to the machine.
    There are a number of users with admin rights.
    --> We want to check if their passwords are strong.

    I used to do a similar exercise on linux, where I would copy the password file, (in /etc/ directory) and then run a bruteforce password cracker (e.g. john the ripper) on a separate machine for a few hours/days. This without interrupting service on the main server.

    Now I wonder how to do something similar on win2k3

    Since it is a critical machine, I cannot power down the machine (e.g. and boot from some sort of password recovery software disk), install software like a password cracker (preferably not on this machine itself), or bring the CPU to 100%

    What I would want to do is to copy the "password files" onto another machine, and run a password cracker there.

    I think /winnt/system32/config has the "sam" files containing the hashed passwords ?
    However I cannot copy this file since "file in use"...

    Does anybody know a procedure, or a good way to export the password files and test these (the password strength) on another machine -without disrupting the service on the domain controller.

    Many Thanks,

    Zan

  • #2
    Re: win 2003: testing if the passwords are STRONG... what would be the best practice ?

    DCs don't work with a SAM Database.
    You can add an additional DC, and let them sync for example.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    Comment


    • #3
      Re: win 2003: testing if the passwords are STRONG... what would be the best practice

      Thanks for the fast answer Marcel, very appreciated

      however, this raises me 3 more questions ...

      1) so the only way is to sync with a second DC (a backup domain controller?) --> I should install a win2k3 machine on VMware on my pc for this purpose, and then install some sort of password cracker on that instance, correct ?
      It will obviously take a lot of work.

      2) Actually besides the DC, the other win2k3 servers in the network, that are a member of the domain, do they have a SAM db with the local accounts ? cause when the DC is down you can still access local accounts..

      3) In a standalone machine (no DC) is there a way to copy the SAM db to another machine for checking, without turning off the machine ... how to solve the "locked file" problem (copy failed, file in use)?
      This SAM db is just a db of Hashed passwords , so john the ripper or another password cracker could do the job once you got the SAM file ?

      thanks !

      Zan
      (een Belg in Bangkok)

      Comment


      • #4
        Re: win 2003: testing if the passwords are STRONG... what would be the best practice ?

        The passwords in AD are NOT stored in the SAM file.

        As far as I know the passwords are stored in the Directory itself and you will not be able to browse to them and read them as I'm sure they are encrypted.

        Thus you will not be able to run bruteforce attacks on the DS.

        You could enforce a good password policy by using GPOs though.

        Comment


        • #5
          Re: win 2003: testing if the passwords are STRONG... what would be the best practice

          Originally posted by zanzan
          Thanks for the fast answer Marcel, very appreciated

          however, this raises me 3 more questions ...

          1) so the only way is to sync with a second DC (a backup domain controller?) --> I should install a win2k3 machine on VMware on my pc for this purpose, and then install some sort of password cracker on that instance, correct ?
          It will obviously take a lot of work.

          Yes, it will take a lot of work. You need some kind of brute force application to check the passwords. As said before, they are not in a SAM database, but in AD.
          I don't know about john the ripper so I can't tell you how it works with an AD environment.

          Originally posted by zanzan
          2) Actually besides the DC, the other win2k3 servers in the network, that are a member of the domain, do they have a SAM db with the local accounts ? cause when the DC is down you can still access local accounts..

          Yes,
          Member servers do have a local SAM Database.

          Originally posted by zanzan
          3) In a standalone machine (no DC) is there a way to copy the SAM db to another machine for checking, without turning off the machine ... how to solve the "locked file" problem (copy failed, file in use)?
          This SAM db is just a db of Hashed passwords , so john the ripper or another password cracker could do the job once you got the SAM file ?
          thanks !
          Zan
          (een Belg in Bangkok)

          Copy will indeed fail when you try to copy the file from a running machine. You need to reboot the machine and enter the Recovery Console. After that, it should be possible to copy the file.
          But why would you want to check the passwords?

          Isn't it much easier to follow the advice from wullieb1 to create a GPO which forces a password policy? (edit the default domain policy for this)

          So what's your goal with this?
          Marcel

          Comment
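The password-policy route suggested in posts #4 and #5 can be checked offline without loading the domain controller. This is an added example, not code from the thread: it audits the `[System Access]` section of a policy file written by `secedit /export /cfg policy.inf`, using a constructed sample export and an assumed baseline (the thresholds are illustrative, not values from the posts).

```python
import configparser

# Constructed sample of a secedit export; the values are made up for illustration.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed baseline for this example: (setting, check, human-readable expectation).
BASELINE = [
    ("MinimumPasswordLength", lambda v: v >= 12, "at least 12 characters"),
    ("PasswordComplexity", lambda v: v == 1, "complexity enabled (1)"),
    ("PasswordHistorySize", lambda v: v >= 12, "remember at least 12 passwords"),
    ("MaximumPasswordAge", lambda v: 1 <= v <= 90, "expire within 1-90 days"),
    ("LockoutBadCount", lambda v: 1 <= v <= 10, "lock out after 1-10 bad attempts"),
    ("ClearTextPassword", lambda v: v == 0, "reversible encryption disabled (0)"),
]

def audit_password_policy(inf_text):
    """Return (setting, actual_value, expectation) for every failed check."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the key case that secedit writes
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        raise ValueError("no [System Access] section in export")
    findings = []
    for key, ok, expectation in BASELINE:
        raw = parser.get("System Access", key, fallback=None)
        if raw is None:
            findings.append((key, None, expectation))  # setting absent from export
        elif not ok(int(raw.strip())):
            findings.append((key, int(raw.strip()), expectation))
    return findings

if __name__ == "__main__":
    for key, value, expectation in audit_password_policy(SAMPLE_INF):
        print(f"WEAK  {key} = {value}  (expected: {expectation})")
```

A real export is typically UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text to `audit_password_policy`.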
