Transversal password cracking with NMAP (without downloading the hashes)

Posted on February 16, 2013

A few months back I discovered that our service desk had become a little “lazy” and were no longer using the defined process (identify user, randomly generate new password, set to change on first use) and were now handing out weak passwords without requiring the users to change them.

In order to assess the extent of the problem I wanted to do a test against the domain to see how wide-spread the problem was. I Google’d around a bit to try to identify a tool which could perform the exercise for me, but didn’t really find anything that looked suitable. I knew that I didn’t want to grab the hashes and do an off-line attack, but wanted instead to do it “live” against the domain, both to avoid the responsibility of having a copy of all the hashes (risk of is too high and as Head of Infosec I didn’t want that on my head) and also to test the alertness of the security operations centre in detecting the attack.

My criterion was simple: find a tool that, given a file of usernames and a file of passwords, would test the usernames with the given passwords.


New ISACA audit programs: Cloud computing, Crisis mgt, Infosec mgt, Active Directory, Oracle eBusiness

Posted on September 02, 2010

ISACA has recently made 5 new audit programs available, 4 in August and one in July, bringing the total number of available programs to 31.

These new audit programs cover:

  • Cloud Computing Management Audit/Assurance Program (Aug 2010)
  • Crisis Management Audit/Assurance Program (Aug 2010)
  • Information Security Management Audit/Assurance Program (Aug 2010)
  • Windows Active Directory Audit Program (20 Aug 2010)
  • Security, Audit and Control Features Oracle E-Business Suite, 3rd Edition – Audit programs and ICQs (July 2010)

They are all available for download on the ISACA knowledge centre website.

ISACA makes the material available at no cost as a benefit of ISACA membership. Anybody wanting to contribute material to share with fellow professionals can send it to ISACA via research@isaca.org.
