j-j.co.za
Sharing thoughts and ideas on business, security and photography

Transversal password cracking with NMAP (without downloading the hashes)
Posted on February 16, 2013

A few months back I discovered that our service desk had become a little “lazy” and were no longer following the defined process (identify the user, randomly generate a new password, set it to change on first use) and were instead handing out weak passwords without requiring the users to change them.
In order to assess the extent of the problem I wanted to run a test against the domain to see how widespread it was. I Googled around a bit to try to identify a tool which could perform the exercise for me, but didn’t really find anything that looked suitable. I knew that I didn’t want to grab the hashes and do an off-line attack, but wanted instead to do it “live” against the domain, both to avoid the responsibility of holding a copy of all the hashes (the risk is too high, and as Head of Infosec I didn’t want that on my head) and also to test the alertness of the security operations centre in detecting the attack.
My criterion was simple: find a tool that, given a file of usernames and a file of passwords, would test the usernames against the given passwords.