Kieran:
So, how long do you want to sit there manually typing that password until you find it?
You say you have a VBScript... Post it... I'd love to see how long I think it would take for you to crack a halfway decent password.
Yes, in VB you can create a script that can walk through a number of known passwords to test an account. I've used similar types of things to audit AD users to make sure they changed from the default and didn't use "password." Things like that. How do you prevent it?
Simple. Don't give our domain and enterprise admin access to just anyone. Only an authenticated session can perform the change password method on an account. If you are logged into a workstation using a domain admin account (bad form, there) and run the script, it will make attempts and maybe even succeed. If you are a normal user trying to do that, you'll only succeed in generating a lot of entries in the domain security logs.
Guys, it doesn't crack passwords, it checks for the defaults, such as 'changeme', 'password' or using the username as the password...
And it is possible for anyone to change a password of a user of the same level...
Only admins can change admin passwords, they can also set passwords, but not for admins
Users can change user passwords and cannot set any password except their own.
I am not sure that I understand you completely. It seems that you are saying that whilst the logon attempts are probably limited to three or five, you can have unlimited goes at changing the password?
Kieran
Well, I would expect both accessing the account and attempting to change the password to produce log entries.
Also, if you change the password, the user will notice ;) You can do this with a bootable CD etc.....
I would point out that you are in a college environment. In the real world, the security is usually much tougher. You would only be able to log into approved servers from approved workstations. You would also be required to log in before you could change the password, so the three strike rule would come into effect.
Also, you would only be granted authority to selected applications with an appropriate level of authority to your functional needs. Those files and applications would also be password protected.
Anyway, you should not be allowed to upload scripts and run them against a server.
:)
OK, there is no actual password change, it's just that if you get an error saying "Incorrect password." then they don't have the password you tried; if there's no error then they do...
Kieran,
I think that you miss the point. You shouldn't even be allowed on the server without proper authentication up front. So you need the password FIRST.
And your security policy and password validation mechanism should prevent the use of passwords that do not meet your standards, so your simple list wouldn't work anyway.
;)
Quote:
Originally posted here by KieranFootPriva
Hi guys, I've recently been playing with Active Directory, now I seem to have found a way to find users who have a specified password...
What you do is attempt to change the user's password, which if the original password was incorrect will return an error; however, if the original password was correctly guessed there will be no error and you know you were right.
OK, so on the face of it this is no more than guessing a user's password at the login prompt...
This method has no password retry count, and could be used to a big effect by enumerating users in a domain and checking for common passwords such as 'password' or the same password as the username...
What I want to know is if there is a way to counter this?
greetings...
You can use a GPO to force complex passwords. That will eliminate most of your easily guessed passwords. You can also have accounts lock after so many incorrect password guesses.
You are all missing the point here....
The issue is when the user is presented with a "Change your Password" screen... No matter how s/he gets to it. There is no limit on the users attempts to provide the existing password before they change it to the new - _Both_ must be provided in order to change the existing password to the new.
The point Kieran is missing is that you can only get to the "Change your Password" screen if you have _already_ authenticated as the user in question. The simple thing is to have the domain policy lock the workstation after a few minutes of inactivity. Then Kieran would have to provide the appropriate password in order to get to the screen he wants. Computers that are unlocked would be "vulnerable" to this kind of attack, though enforcing strong passwords would slow dear Kieran down quite a bit. At worst it's a privilege escalation issue since it's not a direct local attack because Kieran is only looking for the error message _not_ to appear, thus confirming that he has the password right... He doesn't mention then going ahead and changing the password. If he did, this would leave a log entry in the logs and would warn the user when he tries to log in again.
Are we all clear now... :)
Guys, the point you're missing is that there is no pre-authentication needed, there is no change password dialog, it is all done using Active Directory.
Try this on your pc then....
Create two standard user accounts.
Use this code to change the 2nd user's password from the 1st user's account.
Change MEGANET-SE to your computer name or your domain name.
Change Testacc to your 2nd user.
Change 786952 to the password of the 2nd user.
If there is no error it has worked.
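Dim oUser
' Bind to the 2nd account through the WinNT provider (computer or domain name, then user name)
Set oUser = GetObject("WinNT://MEGANET-SE/Testacc2")
' First argument is the current password being tested, second is the new password
oUser.ChangePassword "786952", "PASSWORD"
oUser.SetInfo
Set oUser = Nothing
It works on my computer, fine from any user limited or not.....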
I am sorry...
But most users cannot create new user accounts... on their PC.... and especially in the AD.
Are you talking about changing passwords locally????
Tiger....I get what you are saying...
Kieran.... :confused:
I need a step by step here...
OK...you are a user...logged into an AD domain...from a WS...with no domain admin rights....
Do you have admin rights on the ws???
as this user...you can change this user's password???
I think what Tiger suggests in his post would circumvent this from happening...
MLF
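Added example (not part of any post in the thread): one way to act on the point made above that these attempts end up in the domain security logs. It assumes password-change attempts are audited as Windows event 4723 with subject and target account names; the records, account names, time window and threshold below are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real logs: (time, subject, target, result).
# Assumed to be extracted from event 4723 (password change attempt) entries.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "student1", "alice", "failure"),
    ("2024-01-01T10:00:20", "student1", "bob", "failure"),
    ("2024-01-01T10:00:40", "erin", "erin", "failure"),   # own password, typo
    ("2024-01-01T10:00:50", "erin", "erin", "success"),
    ("2024-01-01T10:01:00", "student1", "carol", "failure"),
    ("2024-01-01T10:01:30", "student1", "dave", "success"),
    ("2024-01-01T10:20:00", "frank", "gina", "failure"),  # isolated, below threshold
]

def detect_guessing(events, window=timedelta(minutes=5), max_failures=3):
    """Flag accounts that test other users' passwords through change attempts."""
    recent = defaultdict(deque)  # subject -> failed (time, target) pairs in window
    alerts = []
    for ts, subject, target, result in sorted(events):
        if subject.lower() == target.lower():
            continue  # changing your own password is normal use
        when = datetime.fromisoformat(ts)
        failures = recent[subject]
        while failures and when - failures[0][0] > window:
            failures.popleft()  # drop failures older than the window
        if result == "failure":
            failures.append((when, target))
            if len(failures) == max_failures:
                targets = sorted({t for _, t in failures})
                alerts.append(("spray", subject, targets))
        else:
            # A cross-account change that succeeds means the caller supplied
            # the other user's current password.
            alerts.append(("confirmed", subject, [target]))
    return alerts

if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_EVENTS):
        print(alert)
```

The "spray" alert fires once when a single account reaches the failure threshold against other users inside the window; the "confirmed" alert marks the case the thread describes, where no error comes back.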