Categories
Infrastructure

Cracking Windows Domain Passwords for Password Analysis

There’s no doubt that domain accounts with weak passwords can be a serious concern for companies, there are a few ways you can protect yourself against issues like this. The first is to set a domain and local account lockout policy and the second is to enforce password complexity. However if your users are using “Password1” as their password, neither of these steps will protect you.

Categories
Infrastructure

Custom Rules for John the Ripper

Whilst Hashcat is often provable faster than John the Ripper, John is still my favourite. I find it simple to use, fast and the jumbo community patch (which I recommend highly) comes packed with hash types making it a versatile tool.

One of the features of these tools, which is often unknown or at least under appreciated is the ability to create custom “rules” for teaching the tool how to dynamically generate potential passwords. Since Microsoft implemented “Password Complexity” and this was enforced around the globe, user have made the jump from a password of: password, to the [sarcasm] much more secure [/sarcasm]: Password1.

Categories
Infrastructure

Custom Rules for John the Ripper: Examples

Why not copy and paste the following into your /etc/john.conf and try them out! Got a suggestion for a rule? Leave a comment! They can then be called with ‐‐rules=Try, ‐‐rules=TryHarder and ‐‐rules=BeBrutal! You can find an explanation of how these rules are built here.