in reply to Password cracking algorithm

WOW!!!!

I definitely did not expect to get this many posts so fast. Thank you to all who commented on this subject, even if your post was a negative towards me. There are so many things to comment on here; I hope I get them all.

1.) First off, I'm not a hacker, at least not in the sense that I only do it when I'm asked and/or paid to do so. I don't call myself a hacker; I don't even think of myself as a hacker. Hackers/crackers, whatever you want to call them, are who I'm paid to stop. This will not be a hacking tool.

2.) I fully understood the hopelessness of this before I posted. I had just hoped that someone who knew more of algorithms than myself might know of a way that, by randomizing the order, I might be given a considerably better chance of guessing.

3.) Now some of you are probably asking why I would bother asking if I already knew this. Well, I don't know everything; I thought someone might know something I didn't. I mean, there are people on here talking about things that I've never even considered, so I figured it was worth the effort.

4.) For those of you who suggested a dictionary attack, thank you. I have actually already implemented this; in fact, the script that I use right now is fairly similar to the attacking method that L0phtCrack uses, if any of you are familiar with that. It not only uses a dictionary attack, but also a hybrid attack that takes a dictionary file and combines it with a brute force attack, prepending or appending characters to the dictionary string. This gets those tricky passwords like 123pass. It also does some common letter substitution if you tell it to, so like 123p@ss.

5.) For those of you who talked about password strength and how if I could brute force one I could brute force them all eventually, I'm aware of this. That's why I check them with my Dictionary/Hybrid script. This brute force thing was purely research, and I would likely never have used it for anything else.

6.) I know that 16 characters would've taken unreasonably long; it was just the first number that came to my head. Actually, if I chose to try to implement something like this, it would probably be more like seven or eight characters. L0phtCrack uses a brute force method on that many characters and can actually usually finish within a couple of days, although I'm not sure how they do it.

7.) For those who said that I knew nothing or that my business makes no money, I feel sorry for you. I don't know why people feel they need to attack others to make themselves look more important. I actually know quite a bit about security, and my business does quite well. It's paid for my partner and me to go to school, our apartment bills, my car payments, taking my girl out, and many long nights at the bars. ;P

8.) To those who backed me up against these attacks, thank you. I'd hate to think this was the kind of community where you get flamed for asking a question.

9.) For those of you who suggested I look for other exploits, I look for them all; that's why I'm paid. It's important to check password strength, I'm sure you're aware of that. One of the uses I had planned for this script was to help me in situations where my client does not give me an admin account. Normally I test password strength by pulling back the hash file (you need admin rights for this) and then cracking it with L0phtCrack; well, in some circumstances clients do not feel like giving me one of these accounts. It would be easier for me to find the pass for the admin account so that I could pull back the hash to test the password strength of the users rather than try to dictionary attack over NetBIOS on each machine.

10.) In any case, I think that there must be a way to do this in a reasonable time for a password of, say, 8 characters in length max. L0phtCrack is able to do so, and usually gets the passes within a few hours. Perhaps L0phtCrack's brute force attack uses something that I'm not aware of to narrow the possibilities.

In any case, thank you for all of your comments.
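The defensive mirror of the dictionary/hybrid checking described in point 4 (and of the password policy mentioned later in the thread) is a policy check that rejects exactly the passwords such a hybrid pass would recover: a dictionary word with digits or symbols bolted on, or with common letter substitutions. The following is an added example, not the poster's script or anything from L0phtCrack; the word list, the substitution table and the sample passwords are constructed for the example.

```python
import re
import string

# Constructed mini word list; a real policy check would load a full dictionary file.
DICTIONARY = {"pass", "password", "secret", "summer", "welcome", "admin"}

# Assumed set of common letter substitutions to undo ("123p@ss" -> "123pass").
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})


def strip_affixes(s: str) -> str:
    """Drop the prepended/appended non-letters a hybrid attack would try ("123pass", "pass99!")."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidate_stems(password: str) -> set:
    """All the dictionary-looking cores that hybrid + substitution rules could reach."""
    lowered = password.lower()
    stems = {lowered, strip_affixes(lowered)}
    for s in list(stems):
        unleeted = s.translate(LEET_MAP)
        stems.add(unleeted)
        stems.add(strip_affixes(unleeted))
    return stems


def character_classes(password: str) -> int:
    """Count of distinct classes used: lowercase, uppercase, digits, other."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def check_policy(password: str, min_len: int = 8, min_classes: int = 3):
    """Return (accepted, reasons). Hypothetical policy: length, class mix, no dictionary stem."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if character_classes(password) < min_classes:
        reasons.append(f"fewer than {min_classes} character classes")
    hits = candidate_stems(password) & DICTIONARY
    if hits:
        reasons.append("derived from dictionary word(s): " + ", ".join(sorted(hits)))
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample passwords, including the two forms named in the post.
    for pw in ["123pass", "123p@ss", "P@ssw0rd!", "Qm7#vLk2wz"]:
        ok, why = check_policy(pw)
        print(f"{pw:12s} {'accepted' if ok else 'rejected'} {why}")
```

The check normalises before comparing, so it catches the hybrid and substitution variants without ever generating guesses; that is what makes it suitable to run at password-change time rather than after a cracking pass.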

Re: Re: Password cracking algorithm
by oknow (Chaplain) on Jul 22, 2003 at 11:33 UTC

    Some of what you said reminded me of a so-called security audit we once had performed at a company I used to work for...

    For those of you who suggested I look for other exploits, I look for them all, that's why I'm paid.

    This statement worries me a little bit. How exactly do you go about looking for ALL exploits? I am not saying that you don't do a thorough job... I may know that no matter how hard you look, and no matter how hard you try, you can't possibly catch everything.

    Trouble is, any non-technical person you talk to probably believes that you are truly going to find any possible hole.

    Normally I test password strength by pulling back the hash file (you need admin rights for this) and then cracking it with L0phtCrack, well, in some circumstances clients do not feel like giving me one of these accounts.

    During that time, one of the auditors wanted either administrative rights to our domain, or a copy of the password hash to test against. I would hope you would see why we would be very against this happening. We would have been significantly more comfortable if we had been asked to run it ourselves, and report back on the results.

    To give away every username and password on our domain to an outside company like that is most definitely not a very secure thing to do. As a matter of fact, I would hope to lose points on a security evaluation for giving in to such a request :). We'd have to trust the individual with each of those passwords, and we then are trusting everyone in their organization with those passwords. Your findings would be useless shortly afterwards, because the only thing we could do after giving that to you would be to force password changes across the entire company. (not fun!)

    In any case, I think that there must be a way to do this in a reasonable time for a password of say 8 characters in length max. L0phtCrack is able to do so, and usually gets the passes within a few hours.

    8 character passwords would go A LOT quicker than 16 character passwords. If we assume uppercase, lowercase, and digits, each character you tack on to the password will take 62 times longer to crack. So going from 8 characters to 9 will bring you up from hours to days. Going from 9 to 10 characters brings it into months, and the 11th character brings us up to many years.

    I don't think anyone here said brute forcing an 8 character password was impossible, what they are saying is brute forcing a 16 character password is FAR from twice as hard. I guess the moral of the story here is to make sure your passwords are 10 or 11 characters long, eh? :p

    One of the uses I had planned for this script was to help me in situations where my client does not give me an admin account.

    This presents a much larger problem, doesn't it? If you can hit against a password hash on a local box, you can try combinations MUCH faster than trying to make login attempts. I'm assuming this is what you are doing, since we are comparing to l0pht. I would hope you would already know that this would probably be fruitless, even with an 8 character password.

    Now some of you are probably asking why I would bother asking if I already knew this, well, I don't know everything, I thought someone might know something I didn't.

    If you were aware of this, I am sure you would have gotten much friendlier responses if you had mentioned this in the original post.

    Anyway, I most definitely do not consider myself to be a security expert... But I do have to say that almost everyone I have ever had the pleasure of working with who CLAIMED to be an expert in these matters was frighteningly ignorant of way too many things.
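The arithmetic behind the hours/days/months/years chain in this reply, and behind its point that guessing against a local hash is far faster than making login attempts, carried through as an added example (not code from either poster). The guess rates are constructed assumptions: one chosen so that an 8-character mixed-case alphanumeric search takes about an hour, and one representing a throttled online login.

```python
# Seconds per unit, used to label a duration with its coarsest applicable unit.
UNITS = (("years", 365 * 86400), ("months", 30 * 86400), ("days", 86400),
         ("hours", 3600), ("minutes", 60), ("seconds", 1))

# Constructed assumptions: a fast offline rate against a captured hash, and a
# throttled online rate where every guess is a login attempt.
OFFLINE_RATE = 6e10   # guesses per second, picked so 62^8 takes roughly an hour
ONLINE_RATE = 10.0    # guesses per second against a rate-limited login


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length over this alphabet."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int, rate: float) -> float:
    """Time to exhaust the whole keyspace at the given guess rate."""
    return keyspace(charset_size, length) / rate


def unit_for(seconds: float) -> str:
    """Label a duration by its largest whole unit (e.g. 3639 s -> 'hours')."""
    for name, size in UNITS:
        if seconds >= size:
            return name
    return "seconds"


def growth_table(charset_size: int, lengths, rate: float) -> dict:
    """Map each length to (keyspace, worst-case seconds, unit label)."""
    return {n: (keyspace(charset_size, n),
                worst_case_seconds(charset_size, n, rate),
                unit_for(worst_case_seconds(charset_size, n, rate)))
            for n in lengths}


def per_character_factor(charset_size: int) -> int:
    """Each extra character multiplies the work by the alphabet size."""
    return keyspace(charset_size, 9) // keyspace(charset_size, 8)


if __name__ == "__main__":
    for label, rate in (("offline vs. hash", OFFLINE_RATE), ("online login", ONLINE_RATE)):
        print(f"--- {label} at {rate:g} guesses/s ---")
        for n, (space, secs, unit) in growth_table(62, range(8, 12), rate).items():
            print(f"{n:2d} chars: {space:.3e} candidates, {secs:.3e} s ({unit})")
```

With the offline rate, lengths 8 through 11 land in hours, days, months and years respectively, which is the progression the reply describes; at the online rate even 8 characters is in the hundreds of thousands of years, which is why lockout and rate limiting matter and why a leaked hash file is the more serious exposure.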

      This statement worries me a little bit. How exactly do you go about looking for ALL exploits? I am not saying that you don't do a thorough job... I may know that no matter how hard you look, and no matter how hard you try, you can't possibly catch everything.

      Well, when I conduct an audit, we do both external as well as internal testing. We usually start with some enumeration of the system, port scans and the like. Using the results, we know what services are running on the computers at that time. Based upon further inspection, i.e. determining what version and what product is exactly running, we can learn quite a bit about what vulnerabilities might be present on a given port.

      At that point we conduct further probing; we may attempt to exploit a hole, to see if the hole exists. On top of this manual testing, we also run two vulnerability analysis tools, Nessus and Retina. Nessus is freeware, you're welcome to check it out; Retina has a bit of a hefty price tag. These programs use the port scan results that we feed them and test against thousands of known vulnerabilities to determine if the service(s) are vulnerable to a certain exploit.

      These tools generate large reports, which we then test manually again and distill into a finalized report. Perhaps when we conduct an audit there is something we miss; you can look at it as a snapshot of the network at that time, so if you come in after the audit and load up some new service, it's not going to be on the report. So I guess in that sense we can't be sure we catch everything, but as far as our tools go, experience has proven them to be extremely reliable. Reliable enough that at that current point in time where the audit is taking place I'd be at least 95% sure that we caught everything. Of course there could be a new vulnerability out on a service for which a plugin for the tools has not been developed, but I can't really control that, and we usually check the most recent ones manually anyways.

      Trouble is, any non-technical person you talk to probably believes that you are truly going to find any possible hole.

      This is true of any situation where you as a business are marketing yourself to someone whom you are technically superior to. There is a measure of trust that is associated with all business, and I back my business 100%. We have had only good responses to the business we conducted. Not to brag, but we recently finished an audit for a division of the university that I attend and we received much praise for our work, this from a company who had been audited a year prior by one of the "big" security companies.

      During that time, one of the auditors wanted either administrative rights to our domain, or a copy of the password hash to test against. I would hope you would see why we would be very against this happening. We would have been significantly more comfortable if we had been asked to run it ourselves, and report back on the results.

      Then I'd love to do an audit for you! You'd be doing part of my work. This goes back to your point about being technically savvy. I don't think that all that many places would have the staff to do such a thing. I'm not going to spend time to teach them; it wouldn't make sense, that's why they're paying me to be there. Besides, how many places have the spare workers?

      To give away every username and password on our domain to an outside company like that is most definitely not a very secure thing to do. As a matter of fact, I would hope to lose points on a security evaluation for giving in to such a request :).

      In the contract that both myself and the clientele sign off on, I state that all passwords must be changed after the audit. This is for two reasons, number one being exactly what you said. You don't want me to have your passwords, and heck, I don't want them either! If some massive vulnerability comes out the week after we do an audit and you didn't take the time to patch it, I don't want someone to think that I hacked them with the passwords that I got from the audit! It's as much for our protection as theirs. Secondly, and most importantly, almost all businesses that we conduct audits for do not have any password policy in place. If this is the case, we put one into place with the assistance of the Network Administrator and then force everyone to change their password to fit the new criteria.

      Hope this clears some things up. I never thought I'd be defending my business at posting this, but such is the nature of my business. In any situation, I will likely be looked upon as a hacker first, and an aspiring security professional last.

        On top of this manual testing, we also run two vulnerability analysis tools, Nessus and Retina. Nessus is freeware, you're welcome to check it out, Retina has a bit of a hefty price tag.

        I've used Nessus off and on for quite a few years now, thanks :).

        Reliable enough that at that current point in time where the audit is taking place I'd be at least 95% sure that we caught everything.

        95% is a HUGE distance away from looking for ALL exploits (it's probably the last fraction of a percent that bites you though :p). I hope you don't think I am implying that it is possible to find everything; I know better. The trouble is your client doesn't know better, and it is a dangerous thing to tell him.

        This is true of any situation where you as a business are marketing yourself to someone whom you are technically superior too.

        Yes, but in your position you have to be extra careful with what you say. I have no idea what your actual skill level is; I only have what I read here to go on. All I am saying is that you need to pick your words more wisely... If you will make statements like that to us, who know you are stretching the truth, I can only assume you are making similar claims to your clients (who probably believe every word without question).

        Then I'd love to do an audit for you! You'd be doing part of my work.

        I'll take by that statement you haven't audited any large shops? :) It is always my job to, at the very least, make sure any of my machines are as secure as possible.

        Hope this clears some things up. I never thought I'd be defending my business at posting this, but such is the nature of my business.

        I certainly hope you don't think I've been replying to you under the assumption that you are a cracker looking for help breaking passwords. Whether you are or not, I hope the info in these replies will be useful for someone reading it even if it isn't you :).

        I have been severely disappointed by MANY so-called 'security experts', ALL of which were from one of the big consulting firms. The way I see it, I know a good deal about the security of the systems that I own... When I hear a security consultant make mistakes related to MY hardware, I assume he will make similar mistakes where I have less knowledge. (boy that didn't feel like a good sentence :p)

        I hope you are taking all this information constructively. You are only making the same mistakes every security consultant I have dealt with makes... Except the one that really bugs me... When they make a HUGE deal about a very minor security risk, yet completely ignore gaping holes (specifically a password expiration schedule for a domain, vs. an intranet application storing plain text passwords in a database).

        In any situation, I will likely be looked upon as a hacker first, and an aspiring security professional last.

        Good luck! You are chasing a very rapidly moving target in the security world :).