-
February 28th, 2006, 10:06 PM
#1
Junior Member
Active Directory
Hi guys, I've recently been playing with Active Directory, and now I seem to have found a way to find users who have a specified password...
What you do is attempt to change the user's password, which, if the original password was incorrect, will return an error; however, if the original password was correctly guessed, there will be no error and you know you were right.
OK, so on the face of it this is no more than guessing a user's password at the login prompt...
This method has no password retry count, and could be used to big effect by enumerating users in a domain and checking for common passwords such as 'password' or the same password as the username...
What I want to know is if there is a way to counter this?
---
Thanks for reading
Kieran Foot
-
February 28th, 2006, 10:37 PM
#2
The best way to counter this would be to
use good passwords...or pass phrases
Like
"I bet you can't guess my password : )"
Or are you looking for a way to lock this out...'cause AFAIK guessing wrong 5 times or so..by default will lock out the account...unless you are admin of course...and you can just reset anyone's password...including admin
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
February 28th, 2006, 10:41 PM
#3
Junior Member
The above method has no retry count and thus allows for unlimited retries. Will there be a log file, or can I set a log to be used for such operations...
-
February 28th, 2006, 10:44 PM
#4
Sorry...then
I am not understanding how you are resetting the password in active directory.....
Is this done on the server...or at the workstation??
MLF
edit>..do you have auditing set up ...cause I am pretty sure it would show up in the Eventlogs>Security Log as Failed
How people treat you is their karma- how you react is yours-Wayne Dyer
-
February 28th, 2006, 10:46 PM
#5
Junior Member
It's done at the workstation. I have an example if you know VB; maybe you can look at it.
-
February 28th, 2006, 10:50 PM
#6
What OS is the server??
'Cause my 2003 servers lock out users all the time when they need to reset their passwords....
MLF
No I don't know VB...and I would not open a script for a stranger
How people treat you is their karma- how you react is yours-Wayne Dyer
-
February 28th, 2006, 10:53 PM
#7
Junior Member
They are 2003 servers, but as it is a college, users are allowed to change their own passwords...
No, I would post the code; I wouldn't expect anybody to run a script/program sent by an unknown.
-
February 28th, 2006, 10:54 PM
#8
So...you're logged on at a workstation (as admin?) and can change users' passwords in your AD?
-
February 28th, 2006, 10:56 PM
#9
So you are telling me that it doesn't show up in the Security Log?? On the server??
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
February 28th, 2006, 11:13 PM
#10
Junior Member
You cannot reset anybody's password unless you are an administrator; I'm not talking about resetting anybody's password.
The above method uses the change password method, rather like changing your own password; you need the original to assert the change.
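
On the logging question raised in the thread, here is an added detection sketch (not part of any post and not the poster's VB code). It flags an account that attempts password changes against several *other* accounts in a short window. It assumes account-management auditing is enabled and that Security log entries for the password-change event (ID 4723, or 627 on Server 2003) have been exported to the constructed CSV layout shown; the field order, account names and thresholds are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs for "an attempt was made to change an account's password".
PASSWORD_CHANGE_IDS = {"4723", "627"}

# Constructed sample export: time,event_id,result,caller,target (hypothetical layout).
SAMPLE = """\
2006-02-28T22:01:00,4723,Failure,student17,asmith
2006-02-28T22:01:02,4723,Failure,student17,bjones
2006-02-28T22:01:04,4723,Failure,student17,cwhite
2006-02-28T22:01:06,4723,Success,student17,dgreen
2006-02-28T22:30:00,4723,Failure,mlee,mlee
2006-02-28T22:31:00,4723,Success,mlee,mlee
"""

def parse(text):
    """Yield (time, result, caller, target) for password-change events only."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, result, caller, target = line.split(",")
        if event_id in PASSWORD_CHANGE_IDS:
            yield datetime.fromisoformat(ts), result, caller.lower(), target.lower()

def find_guessing(text, min_targets=3, window=timedelta(minutes=10)):
    """Return {caller: sorted targets} for callers who tried to change the
    password of at least min_targets other accounts within the window."""
    attempts = defaultdict(list)
    for ts, _result, caller, target in parse(text):
        if caller != target:            # a normal self-service change has caller == target
            attempts[caller].append((ts, target))
    flagged = {}
    for caller, rows in attempts.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1              # slide the window forward
            if len({t for _, t in rows[start:end + 1]}) >= min_targets:
                flagged[caller] = sorted({t for _, t in rows})
                break
    return flagged

def guessed_accounts(text):
    """Targets whose password change succeeded for a different caller."""
    return sorted({t for _, r, c, t in parse(text) if r == "Success" and c != t})

if __name__ == "__main__":
    print(find_guessing(SAMPLE), guessed_accounts(SAMPLE))
```

Any account returned by `guessed_accounts` now has a password chosen by the caller, so it needs an administrative reset rather than just an alert.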