16 posts tagged 'password'

  1. 2011.10.24 xSQLScanner 1.2 and Mono Version
  2. 2011.07.26 Minimum Password Length of 15 or more via GPO
  3. 2011.05.25 MysqlPasswordAuditor : Mysql Password Recovery & Auditing
2011. 10. 24. 17:40

xSQLScanner 1.2 and Mono Version

I published at my blog a new tool called xSQLScanner. This program
allows the user to audit MS-SQL and MySQL servers.

Some features:

1 - 6 Vulnerability Audit options;
 1.2 - Test for weak passwords fast;
 1.3 - Test for wear/user passwords;
 1.4 - Wordlist option;
 1.5 - Userlist option;
2 - Portscanner
7 - Range IP Address audit and more.

Now the good news: I made two versions, Windows & Linux. The Linux
version uses the Mono Project, so I compiled a Mono version
to run under Linux (BackTrack 5 - GNOME).

Here are the instructions to install under Linux:

1 - get http://www.4shared.com/file/ykeEX3TV/xsqlscan-mono.html
2 - tar -xzvf  xsqlscan.tar.gz
3 - cd xsqlscan
4 - ./xsqlscanw
5 - The program will verify whether you have the Mono core files. If you
already have them, the application will launch.
5.1 - Answer 'yes' to download the libs and mono core files
6 - Restart the application typing: ./xsqlscanw
7 - Enjoy.

The link for Windows version:

Remember: for any bugs or suggestions, please contact me.



From: Rodrigo Matuck <rodrigomatuck () globo com>

2011. 7. 26. 16:15

Minimum Password Length of 15 or more via GPO

Also known as "How to practice what we preach". I don't know how long I've been telling clients that they need to have a minimum password length of 15 characters to make it so there is no chance LM will be stored (and a cursory bonus that their password won't be close to their original). But I've never tried setting it myself. Well, a client called me out. You can't! (Well, at least not through the UI.)

TL;DR You can edit the GptTmpl.inf file in \\$DOMAIN\SYSVOL\$DOMAIN\Policies\$PolicyGUID\Machine\Microsoft\Windows NT\SecEdit\ and set "MinimumPasswordLength" to whatever you want it to be. (You need to replace any part of the path starting with a $ with the value applicable to your domain and group policy object)

I tested this out myself, and sure enough, once you get up to 14 on the iterator, it jumps back down to 0:

After some googling I came up pretty empty-handed (hence the highly SEO'd title of this post). I asked the question on Twitter and got a bunch of different answers, but @RizzyRong's was the first one in that I could try out: (THANK YOU to everyone who shot me answers, I really appreciate it, and to those who shared my curiosity I hope this helps you out.)

ADMod is a Joeware tool. Any Windows Sys Admin should at the very least know of these tools, as Penetration Testers use them to great effect:

RizzyRong's instructions are straightforward and so was the tool:

For copy-paste purposes that's: admod -default minpwdlength::15

w00t, done, right? Let's check:

We have a winner! Testing out a user:

14 characters…

Cool. This applied to the Default Domain Policy. That's a problem if I want to move this setting around or I don't actually apply the default policy to any objects. I also ran into some file permission errors when trying to set other GPO settings after I ran ADMod: (If anyone knows a better way to operate ADMod to this end please leave a comment below)

Alright, well, we definitely need a cleaner and more repeatable / flexible solution. After fixing the file permission issues I noticed that in that file was my setting. I wonder if I can set this manually and have it actually stick. Let's try. We need the GUID, so let's make a policy that we can apply anywhere we want and as many times as we want with JUST that minimum password length setting.

GUID acquired. To make Microsoft do most of the work we need to set the minimum password length setting in that policy to 14 or whatever, just so that we don't have to remember the file and folder structure for the GPO. Next we go to the location where the policy setting is stored: \\$DOMAIN\SYSVOL\$DOMAIN\Policies\$PolicyGUID\Machine\Microsoft\Windows NT\SecEdit\ (replacing the 2 $DOMAIN instances with our domain name and $PolicyGUID with the GUID we copied from the policy page). If we set the policy to 14 there should be a line in the GptTmpl.inf file (you can open it with Notepad) that says 'MinimumPasswordLength = 14'; change that to 15 or whatever you wish, as so:

We check back or simply refresh our GPO settings:

Sweet, it's there, again, just to be thorough we test and sure enough it works.

A few quick notes: Your users might complain about a few popups:

Not much you can do about this one, and I doubt your users will care, but this next one might get you a few support calls:

I haven't found a way to make that say anything other than 14 characters (for that matter, the 24 previous passwords number is incorrect as well).

If anyone knows how to fix this dialog or disable the previous one I am all ears. Please leave a comment so others can know how as well.

Source: Room362
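The GptTmpl.inf edit the post describes, scripted in PowerShell as an added example that is not from the Room362 post or from the Joeware tools. It assumes a Domain Admin session, that a password length value has already been saved in the target GPO through the editor (as the post does, so the [System Access] line and the SecEdit folder exist), and that the policy folder in SYSVOL is named with braces around the GUID; the domain name and GUID are parameters you supply.

```powershell
# Added example (not the post's own code): raise MinimumPasswordLength past the
# 14 that the Group Policy editor UI caps at, by editing the GPO's GptTmpl.inf.
# Assumed parameters: the domain DNS name and the GUID copied from the GPO.
param(
    [Parameter(Mandatory)] [string] $Domain,      # e.g. corp.example (placeholder)
    [Parameter(Mandatory)] [string] $PolicyGuid,  # GUID without braces, from the GPO details
    [int] $MinLength = 15                         # 15+ means no LM hash is stored
)

# Path layout from the post; SYSVOL stores the policy folder as {GUID}.
$inf = "\\$Domain\SYSVOL\$Domain\Policies\{$PolicyGuid}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
if (-not (Test-Path -LiteralPath $inf)) {
    throw "GptTmpl.inf not found at $inf (save any security setting in this GPO first)"
}

# SecEdit writes GptTmpl.inf as UTF-16 LE with a BOM; -Raw reads it as one string
# so the (?m) regex can address the single MinimumPasswordLength line.
$text = Get-Content -LiteralPath $inf -Raw
if (-not ($text -match '(?m)^MinimumPasswordLength\s*=\s*(\d+)\s*$')) {
    throw "No MinimumPasswordLength line in [System Access]; set a value (e.g. 14) in the GPO editor first"
}
$current = [int] $Matches[1]
Write-Host "Current MinimumPasswordLength in {$PolicyGuid}: $current"

# Keep a copy of the original before touching anything in SYSVOL.
Copy-Item -LiteralPath $inf -Destination "$inf.bak" -Force

# Replace only the number; everything else in the file is left byte-for-byte alone.
$updated = $text -replace '(?m)^(MinimumPasswordLength\s*=\s*)\d+', "`${1}$MinLength"
Set-Content -LiteralPath $inf -Value $updated -Encoding Unicode -NoNewline

# Read back from the file, which is what the post treats as the source of truth.
$reread = Get-Content -LiteralPath $inf -Raw
if (-not ($reread -match '(?m)^MinimumPasswordLength\s*=\s*(\d+)') -or [int] $Matches[1] -ne $MinLength) {
    throw "Write-back verification failed; restore from $inf.bak"
}
Write-Host "MinimumPasswordLength is now $MinLength; re-open the GPO and test a password change to confirm"
```

Editing the file by hand does not increment the GPO version in gpt.ini the way the editor does, so verify as the post does: refresh the GPO view and test a password change on a user.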

2011. 5. 25. 18:52

MysqlPasswordAuditor : Mysql Password Recovery & Auditing

About MysqlPasswordAuditor

MysqlPasswordAuditor is FREE Mysql password recovery and auditing software. Mysql is one of the popular and powerful database packages used by most web-based and server-side applications.
If you have ever lost or forgotten your Mysql database password, MysqlPasswordAuditor can help you recover it easily. It can also help you audit a Mysql database server setup in a corporate environment by discovering weak password configurations. This makes it one of the must-have tools for IT administrators & Penetration Testers.

MysqlPasswordAuditor is very easy to use with its simple dictionary-based password recovery method. By default it includes a small password list file; however, you can find more password dictionary files in the OpenWall collection. You can also use tools like Crunch or Cupp to generate custom password list files on your own and then use them with MysqlPasswordAuditor.

MysqlPasswordAuditor works on a wide range of platforms, from Windows XP to the latest operating system, Windows 7.

Features of MysqlPasswordAuditor

Here are some of the special features of MysqlPasswordAuditor:
  • Free and simple software to recover/audit Mysql passwords.
  • Very useful for IT administrators & Penetration Testers.
  • Dictionary-based password recovery method.
  • Detailed statistics such as tested passwords, elapsed time and a progress bar are displayed during the audit operation.
  • Simple, easy-to-use GUI interface.
  • Integrated installer for local installation & uninstallation.

Installing MysqlPasswordAuditor

MysqlPasswordAuditor comes with an installer which handles local installation & uninstallation. It has an intuitive setup wizard (as shown in the screenshot below) which guides you through a series of steps to complete the installation. At any point in time you can use the uninstaller to remove the software from the system.

Using MysqlPasswordAuditor

MysqlPasswordAuditor is a GUI application which is easy to use even for beginners.

Here are the simple steps:
  • Launch MysqlPasswordAuditor on your system from the installed location.
  • Enter your Mysql server IP address, port number and the username for which to recover the password.
  • Next, select or drag & drop the password list file (you can find one in the installed location).
  • Finally, click the 'Start Audit' button to start the Mysql password recovery operation.
  • You will see detailed statistics during the password audit operation.
  • On success, it will display the recovered password as shown in the screenshot below.
  • Otherwise you will see a failure message, and you can then try again with a bigger password list file.

Screenshots of MysqlPasswordAuditor

Here are the screenshots of MysqlPasswordAuditor.
Screenshot 1: MysqlPasswordAuditor showing the recovered Mysql password

Source: securityxploded.com

