-
L0phtcrack 5
Hey guys n gals, does anyone know of a program that is similar to LC5 that will allow someone to scan their internal network for weak passwords while being able to create some sort of ruleset to define "weak"?
Essentially, this user I have wants to:
1. Have a min and max length password
2. Have no special characters in the 1st and last character
3. Contains no dictionary words in the password
They are trying to do a system audit on their machines to determine who needs to change their passwords. It's a govt. client, so that probably explains the weird rules.
-
For what OS? I know MS has a GINA plugin that will allow you to add some restrictions to what passwords are allowed (at least 4 letters and 3 digits, no dictionary words, part of the username in the password i.e.).
If you're looking for something to crack hashes I think JohnTheRipper (unix passwd cracker) can also crack LM hashes. Another option is to go for Rainbow crack. Read the excellent tutorial by 3rr0r here
-
Although you can use a program such as John the Ripper (with extensions)
http://www.openwall.com/john/
I don't advise doing that.
You need a password quality program, not a password cracker program. A program that will show you a report with users and the text like "guessed" or "cracked" but NOT the password in clear text. I, as a client, really dislike a test that really shows the password. It is not necessary to prove if the password is weak.
Or you can suggest to your customer to use a product like this:
http://www.littlecatz.com/defender_info.html (never tested this, though)
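Added example, not part of any post in this thread and not code from any of the tools mentioned: a sketch of the three rules from the original question applied at password-change time, producing the kind of report described above (user and verdict only, never the password). The length limits, the minimum dictionary-word length and the word list are assumptions; the thread gives the rules but not the values.

```python
# Assumed policy values; the thread gives the rules but not the numbers.
MIN_LEN, MAX_LEN = 8, 16
MIN_WORD_LEN = 4  # ignore very short dictionary words to limit false positives
# Constructed sample word list; a real deployment would load a full dictionary.
WORDLIST = {"password", "dragon", "summer", "welcome", "monkey"}


def violations(candidate, wordlist=WORDLIST):
    """Return the names of the rules the candidate breaks (empty list = passes)."""
    broken = []
    # Rule 1: minimum and maximum length.
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        broken.append("length")
    # Rule 2: first and last character must not be special (non-alphanumeric).
    if candidate and not (candidate[0].isalnum() and candidate[-1].isalnum()):
        broken.append("special-at-edge")
    # Rule 3: no dictionary word anywhere inside, compared case-insensitively.
    lowered = candidate.lower()
    if any(len(w) >= MIN_WORD_LEN and w in lowered for w in wordlist):
        broken.append("dictionary-word")
    return broken


def audit_report(candidates):
    """Map user -> verdict string. The password itself never enters the report."""
    report = {}
    for user, candidate in candidates.items():
        broken = violations(candidate)
        report[user] = "ok" if not broken else "weak: " + ", ".join(broken)
    return report


if __name__ == "__main__":
    # Constructed sample input (user -> proposed password at change time).
    sample = {"alice": "x7Qm2vRt9b", "bob": "!Summer2004", "carol": "abc"}
    for user, verdict in audit_report(sample).items():
        print(f"{user}: {verdict}")
```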
-
Kudos to cacosapo, thanks for that info. I have suggested that the client use this program. I will let you know what turns up.
-
Cain and Abel is a pretty good one too...except that it might be picked up as a Trojan.
-
Like SirDice said, placing restrictions on what kinds of passwords can be used is also a good step toward more secure passwords.