RE: [ActiveDir] Password Lookup
Ryan,

If you're asking this because you're doing a security/password strength analysis sweep, you can use a couple of different tools to do this (all of which will rely on administrative privileges to AD). Tools like PWDUMP2 have been updated to pull password hashes from the active directory, which can then be used with tools like LC4 and John the Ripper to do the actual dictionary attacks.

pwdump2
http://razor.bindview.com/tools/desc/pwdump2_readme.html

John the Ripper
http://www.openwall.com/john/

LC4
http://www.atstake.com/research/lc/
http://www.atstake.com/research/lc/download.html

samdump
http://www.atstake.com/research/lc/dist/samdump.zip

Hope this helps,
Richard

From: Robbie Allen
Sent: Tuesday, August 05, 2003 10:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Password Lookup

I don't believe MS does, but there are a few scripts/tools on the net that can be used to do it. Have you enabled password complexity, which prevents the use of dictionary passwords? Do you have account lockout enabled? It is much harder (i.e. time consuming) to perform dictionary attacks against AD if account lockout is turned on.

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Lookup

Does anyone know if Microsoft provides provisions for doing dictionary lookups on passwords?

Thanks!
Ryan McDonald
Systems Administrator
The Bankers Bank

RE: [ActiveDir] Password Lookup
Hi Robbie,

I'm not aware that Windows 2000 password complexity switch prevents the use of dictionary words. That certainly has not been the case here. Please let me know if there is some "special" switch to prevent dictionary words and what dictionary it uses. Thanks!

Mike Thommes
Argonne National Laboratory

-----Original Message-----
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 9:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Password Lookup

I don't believe MS does, but there are a few scripts/tools on the net that can be used to do it. Have you enabled password complexity, which prevents the use of dictionary passwords? Do you have account lockout enabled? It is much harder (i.e. time consuming) to perform dictionary attacks against AD if account lockout is turned on.

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Lookup

Does anyone know if Microsoft provides provisions for doing dictionary lookups on passwords?

Thanks!
Ryan McDonald
Systems Administrator
The Bankers Bank

RE: [ActiveDir] Password Lookup
Hi Mike,

You can require "complex" passwords by setting the Domain Security Policy - Account Policies - Password Policy - Password must meet complexity requirements. Here is more info:

http://www.microsoft.com/technet/treeview/default.asp?url=

After setting password complexity, it only applies when a password is changed (or initially set when a user is created). It does not impact users that are currently using non-complex passwords.

Regards,
Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Lookup

Hi Robbie,

I'm not aware that Windows 2000 password complexity switch prevents the use of dictionary words. That certainly has not been the case here. Please let me know if there is some "special" switch to prevent dictionary words and what dictionary it uses. Thanks!

Mike Thommes
Argonne National Laboratory

-----Original Message-----
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 9:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Password Lookup

I don't believe MS does, but there are a few scripts/tools on the net that can be used to do it. Have you enabled password complexity, which prevents the use of dictionary passwords? Do you have account lockout enabled? It is much harder (i.e. time consuming) to perform dictionary attacks against AD if account lockout is turned on.

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Lookup

Does anyone know if Microsoft provides provisions for doing dictionary lookups on passwords?

Thanks!
Ryan McDonald
Systems Administrator
The Bankers Bank

Re: [ActiveDir] Password Lookup
Ryan,

My understanding is that the only way to do this is to hook into the password filter DLL. This is a Win32 DLL that the DC calls whenever a user or administrator initiates a password change, whose job is to verify the quality of the new password. The DLL is your own code, so it can do whatever you want.

Some products, including ours, are available to hook into this DLL for basically two purposes:

1) Enforce a stronger password quality ruleset than is possible with WinNT/Win2000/Win2003 natively.
2) Capture the new password, and automatically synchronize it with other passwords the user has elsewhere (e.g., on other domains, other kinds of systems, etc.).

I hope this helps!

Best regards,
-- Idan (http://psynch.com/)

On Tue, 5 Aug 2003 [EMAIL PROTECTED] wrote:

Does anyone know if Microsoft provides provisions for doing dictionary lookups on passwords?

Thanks!
Ryan McDonald
Systems Administrator
The Bankers Bank

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Password Lookup
It's in the "Domain Security Policy" mmc, under Windows Settings/Security Settings/Account Policies/Password Policy

Passwords must meet complexity requirements = Enabled

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Lookup

Where can I find the scripts and where can you set the password complexity?

Thanks
Ryan McDonald
Systems Administrator
The Bankers Bank

"Thommes, Michael M." [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/05/2003 10:39 AM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] Password Lookup

Hi Robbie,

I'm not aware that Windows 2000 password complexity switch prevents the use of dictionary words. That certainly has not been the case here. Please let me know if there is some "special" switch to prevent dictionary words and what dictionary it uses. Thanks!

Mike Thommes
Argonne National Laboratory

-----Original Message-----
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 9:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Password Lookup

I don't believe MS does, but there are a few scripts/tools on the net that can be used to do it. Have you enabled password complexity, which prevents the use of dictionary passwords? Do you have account lockout enabled? It is much harder (i.e. time consuming) to perform dictionary attacks against AD if account lockout is turned on.

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Lookup

Does anyone know if Microsoft provides provisions for doing dictionary lookups on passwords?

Thanks!
Ryan McDonald
Systems Administrator
The Bankers Bank

RE: [ActiveDir] Password Lookup
Password complexity is enabled thru the Domain GPO. It is an on or off function, not configurable. It curtails the success of dictionary hacks by requiring 3 out of the following 4 in all users' passwords - Uppercase, lowercase, numbers, special characters. It also will not allow the password to contain the username.

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/05/2003 11:00 AM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] Password Lookup

Where can I find the scripts and where can you set the password complexity?

Thanks
Ryan McDonald
Systems Administrator
The Bankers Bank

Thommes, Michael M. [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/05/2003 10:39 AM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] Password Lookup

Hi Robbie,

I'm not aware that Windows 2000 password complexity switch prevents the use of dictionary words. That certainly has not been the case here. Please let me know if there is some special switch to prevent dictionary words and what dictionary it uses. Thanks!

Mike Thommes
Argonne National Laboratory

-----Original Message-----
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 9:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Password Lookup

I don't believe MS does, but there are a few scripts/tools on the net that can be used to do it. Have you enabled password complexity, which prevents the use of dictionary passwords? Do you have account lockout enabled? It is much harder (i.e. time consuming) to perform dictionary attacks against AD if account lockout is turned on.

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Lookup

Does anyone know if Microsoft provides provisions for doing dictionary lookups on passwords?

Thanks!
Ryan McDonald
Systems Administrator
The Bankers Bank

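The two checks debated in this thread, side by side, as an added example that is not part of any message above and is not Windows or vendor code: the complexity rule as the thread describes it (3 of 4 character classes, no username) and the dictionary check that a custom password filter could add on top. The wordlist, the usernames and all function names are constructed for illustration; the logic is plain C with no Win32 dependency.

```c
#include <ctype.h>
#include <string.h>

/* Constructed sample wordlist; a real filter would load a full dictionary. */
static const char *WORDLIST[] = { "password", "welcome", "summer", "banker" };

/* Case-insensitive substring test (portable stand-in for strcasestr). */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0) return 0;
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Rule as described in the thread: 3 of 4 character classes, no username. */
int meets_complexity(const char *user, const char *pw) {
    int up = 0, lo = 0, di = 0, sp = 0;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (isupper(*p)) up = 1;
        else if (islower(*p)) lo = 1;
        else if (isdigit(*p)) di = 1;
        else sp = 1;
    }
    return up + lo + di + sp >= 3 && !contains_ci(pw, user);
}

/* Undo common substitutions, drop other non-letters, then search the wordlist. */
int dictionary_hit(const char *pw) {
    char norm[128]; size_t j = 0;
    for (const unsigned char *p = (const unsigned char *)pw; *p && j < sizeof norm - 1; p++) {
        int c = tolower(*p);
        if (c == '@') c = 'a'; else if (c == '0') c = 'o';
        else if (c == '3') c = 'e'; else if (c == '$') c = 's';
        if (isalpha(c)) norm[j++] = (char)c;
    }
    norm[j] = '\0';
    for (size_t i = 0; i < sizeof WORDLIST / sizeof *WORDLIST; i++)
        if (contains_ci(norm, WORDLIST[i])) return 1;
    return 0;
}

/* Decision a password filter would return: both checks must pass. */
int accept_password(const char *user, const char *pw) {
    return meets_complexity(user, pw) && !dictionary_hit(pw);
}
```

`Password1` and `P@ssw0rd!` both satisfy the complexity rule here yet are rejected by the dictionary check.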
Re: [ActiveDir] Password Lookup
Then go thru sets of 50 and require them to change their password.

----- Original Message -----
From: Robbie Allen
To: '[EMAIL PROTECTED]'
Sent: Tuesday, August 05, 2003 8:04 AM
Subject: RE: [ActiveDir] Password Lookup

Hi Mike,

You can require "complex" passwords by setting the Domain Security Policy - Account Policies - Password Policy - Password must meet complexity requirements. Here is more info:

http://www.microsoft.com/technet/treeview/default.asp?url=

After setting password complexity, it only applies when a password is changed (or initially set when a user is created). It does not impact users that are currently using non-complex passwords.

Regards,
Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Lookup

Hi Robbie,

I'm not aware that Windows 2000 password complexity switch prevents the use of dictionary words. That certainly has not been the case here. Please let me know if there is some "special" switch to prevent dictionary words and what dictionary it uses. Thanks!

Mike Thommes
Argonne National Laboratory

-----Original Message-----
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 9:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Password Lookup

I don't believe MS does, but there are a few scripts/tools on the net that can be used to do it. Have you enabled password complexity, which prevents the use of dictionary passwords? Do you have account lockout enabled? It is much harder (i.e. time consuming) to perform dictionary attacks against AD if account lockout is turned on.

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Lookup

Does anyone know if Microsoft provides provisions for doing dictionary lookups on passwords?

Thanks!
Ryan McDonald
Systems Administrator
The Bankers Bank