This is a discussion on Password policy enforcement and Cracker dictionaries within the Linux Security forums, part of the System Security and Security Related category.
In article <e9idnfpR_qE7goXcRVn-tQ@adelphia.com>, Subba Rao wrote:
>I have been assigned the responsibility to do vulnerability assessment
>on some *nix systems. One of the vulnerabilities I am looking for is
>password composition. I want to run a password cracker against the
>/etc/shadow file. The password cracker "John the Ripper" was
>recommended to me for its speed. When I tried to run it against my own
>/etc/shadow, the cracker kept going even after 3 hours. It did not
>crack the password so I had to interrupt the cracker. Where can I find
>some password dictionary files to use for this audit? Are the
>dictionary files free or commercial?
>
>Thank you in advance for any help.

http://www.cryptocd.org/

ftp.ox.ac.uk:/pub/wordlists

When I run john with a large dictionary it takes about 9 days.

--
Elvis Notargiacomo master AT barefaced DOT cheek
http://www.notatla.org.uk/goen/
If its message contained filing-cabinets in annex, for security reasons same sao automatically extinguished.
Subba Rao <castellan2004-mail@SPAMBUSTER.yahoo.com> wrote in
news:e9idnfpR_qE7goXcRVn-tQ@adelphia.com:

> Hi,
>
> I have been assigned the responsibility to do vulnerability assessment
> on some *nix systems. One of the vulnerabilities I am looking for is
> password composition. I want to run a password cracker against the
> /etc/shadow file. The password cracker "John the Ripper" was
> recommended to me for its speed. When I tried to run it against my own
> /etc/shadow, the cracker kept going even after 3 hours.

Break it up. Create a partial file of 50 entries at a time and do that. Try to gauge it so that it runs about a day. That way you can spend the next day contacting the people who need the lecture while it runs the next batch. That's better than waiting a week and then doing everyone.

There are a lot of files. There is "the 100 most common passwords", the dictionary file off of your server (on mine it's at /usr/share/dict/words), then you need a date file from 1950 to present, there is also a file of common pet names, and then the jargon file of computer terms.

Gandalf Parker
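The batching step suggested in the reply above, as an added example that is not part of any post in this thread: a POSIX shell function that copies the testable entries of a shadow(5)-format file into owner-only batch files of 50 lines, skips locked accounts, and records accounts with an empty password field separately. The function names, output file names and sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# batch_shadow SRC OUTDIR [SIZE]: copy testable entries from a shadow(5)-format
# file into OUTDIR/batch-NNN files of SIZE lines; prints the number of batches.
batch_shadow() {
    src=$1 outdir=$2 size=${3:-50}
    (
        umask 077                       # batches contain hashes: owner-only
        mkdir -p "$outdir" || exit 1
        awk -F: -v size="$size" -v dir="$outdir" '
            # Locked or login-disabled accounts ("!" or "*") have nothing to test.
            $2 ~ /^[!*]/ { next }
            # An empty hash field is itself a finding: record the account name.
            $2 == ""     { print $1 > (dir "/empty-password.txt"); next }
            {
                if (n % size == 0) {
                    if (out != "") close(out)
                    out = sprintf("%s/batch-%03d", dir, int(n / size) + 1)
                }
                print > out
                n++
            }
            END { print int((n + size - 1) / size) }
        ' "$src"
    )
}

# Constructed sample: COUNT fake accounts with placeholder hash fields, plus one
# locked account and one account with an empty password field.
make_sample() {
    i=1
    while [ "$i" -le "$2" ]; do
        echo "user$i:\$6\$constructedsalt\$placeholderhash$i:19000:0:99999:7:::"
        i=$((i + 1))
    done > "$1"
    echo 'daemon:*:19000:0:99999:7:::' >> "$1"
    echo 'guest::19000:0:99999:7:::' >> "$1"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp/shadow.sample" 120
    echo "batches written: $(batch_shadow "$tmp/shadow.sample" "$tmp/out")"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to exercise it on the constructed sample; for a real audit, point it at a root-only copy of the shadow file and delete the batch files when the audit ends.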
Hi,
I have been assigned the responsibility to do vulnerability assessment on some *nix systems. One of the vulnerabilities I am looking for is password composition. I want to run a password cracker against the /etc/shadow file. The password cracker "John the Ripper" was recommended to me for its speed. When I tried to run it against my own /etc/shadow, the cracker kept going even after 3 hours. It did not crack the password so I had to interrupt the cracker. Where can I find some password dictionary files to use for this audit? Are the dictionary files free or commercial?

Thank you in advance for any help.

--
SR
castellan2004-mail@SPAMBUSTER.yahoo.com
Please remove SPAMBUSTER to reply via email.
In comp.security.unix Subba Rao <castellan2004-mail@spambuster.yahoo.com> wrote:
> Hi,
> I have been assigned the responsibility to do vulnerability assessment
> on some *nix systems. One of the vulnerabilities I am looking for is
> password composition. I want to run a password cracker against the
> /etc/shadow file. The password cracker "John the Ripper" was
> recommended to me for its speed. When I tried to run it against my own
> /etc/shadow, the cracker kept going even after 3 hours. It did not
> crack the password so I had to interrupt the cracker. Where can I find
> some password dictionary files to use for this audit? Are the
> dictionary files free or commercial?

If you think it will get "all the passwords" in 3 hours you are clueless. Depending on number of users, speed of machine it could take a month or more.

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out, remove "icke-reklam" if you feel for mailing me. Thanx.
Subba Rao <castellan2004-mail@SPAMBUSTER.yahoo.com> wrote:
> Where can I find
> some password dictionary files to use for this audit?

http://sourceforge.net/projects/wordlist/

--
Fun things to slip into your budget
Does that line item say 'Personal Massage System' Oops, it's supposed to be 'Message'.
Go ahead and sign the authorization, Boss; I'll correct it later. (Like Hell I will)
all mail refused wrote:
> In article <e9idnfpR_qE7goXcRVn-tQ@adelphia.com>, Subba Rao wrote:
>
>
>>I have been assigned the responsibility to do vulnerability assessment
>>on some *nix systems. One of the vulnerabilities I am looking for is
>>password composition. I want to run a password cracker against the
>>/etc/shadow file. The password cracker "John the Ripper" was
>>recommended to me for its speed. When I tried to run it against my own
>>/etc/shadow, the cracker kept going even after 3 hours. It did not
>>crack the password so I had to interrupt the cracker. Where can I find
>>some password dictionary files to use for this audit? Are the
>>dictionary files free or commercial?
>>
>>Thank you in advance for any help.
>
>
> http://www.cryptocd.org/
>
> ftp.ox.ac.uk:/pub/wordlists
>
> When I run john with a large dictionary it takes about 9 days.
>

Thank you to everyone who replied.

If I don't use any dictionary, will the password cracker (john) keep trying combinations based on its algorithm (brute force)? Does it strictly need a password dictionary to crack a password?

I have downloaded the files from the above site and ran the cracker using all the files. The files are pretty big but "john" finished them in a few minutes without cracking the password.

Thank you once again.

--
SR
castellan2004-mail@SPAMBUSTER.yahoo.com
Please remove SPAMBUSTER to reply via email.