Brute-Force Password Auditing

Brute-force password attacks on your network help you identify weak passwords

Audit passwords on your network with online brute-force attacks and offline password cracking beyond just Windows credentials. Brute-force passwords with Rapid7 Metasploit, either to audit passwords in your organization or as part of a penetration test.

Simply better security by:

Visibility

Find weak passwords across your network. Brute-force more than a dozen services, beyond Windows and Linux logins.

Management

Modify, collect and replay credentials. Keep track of all passwords and hashes and use them to uncover common passwords.

Action

Change passwords and tweak policy. Generate reports for your stakeholders to address security issues.

Don't have time to conduct a brute-force password audit in-house? Talk to one of our security consultants on how we can help you with our professional services.

Generate credentials based on standard or custom dictionaries and information learned from the target network

Visibility: Find weak passwords across your network

Audit your network for weak passwords beyond just Windows logins. Weak or shared credentials often help attackers intrude deeper into the network and breach sensitive data.

With Rapid7 Metasploit, you can identify and address:

  • Replaying cached credentials
  • Re-use of passwords across trust zones
  • Development test credentials in a production environment
  • Active accounts of previous employees

Don't stop at Windows logins.

Typically, your users already have to meet minimum password requirements when they choose a new Windows password, which gives you a good security baseline for those accounts. The simple way to extend that baseline is to brute-force passwords on more than a dozen services with Metasploit, so that your bases are covered beyond Windows.

Crack offline. Brute-force online.

With most password auditors, you are limited to cracking Windows and Linux passwords offline. Yet offline cracking won’t work on many of the services running on your network, leaving you exposed. Combine both offline cracking and online brute-force password auditing with Metasploit. Choose the types of services you’d like to audit and hit go. It’s that simple.

Mutate passwords for brute-force password auditing with Metasploit

Management: Modify, collect and replay credentials

Audit your network for weak passwords beyond just Windows logins. Keep track of your credentials in Metasploit and reuse them as you go over the network again and again, until you have found every system they unlock.

Love to play with words? Us too.

Use a custom wordlist that reflects your local language, industry or specifics about the organization you’re password auditing. Specify known credentials, such as development accounts and accounts of employees or consultants that are no longer with the company, to verify that these cannot be used to gain access to any systems on the network. Metasploit also takes new words it learned from your network, such as machine and user names, and feeds them back into the dictionary.

Be green: recycle passwords

Collect and recycle passwords and password hashes after you have compromised a system. Get access to more systems and replay password hashes you have cracked offline, courtesy of Metasploit’s integration with John the Ripper. Iterate the process to get access to additional machines, harvesting more and more credentials and hashes in each round.

Receive a password auditing report on the types of credentials that failed the audit

Action: Change passwords and tweak policy

Learn from what you’ve found to improve security. Password auditing is a huge learning experience. Once you’ve found weak passwords, don’t just change them; find out how they came about. Uncover the root cause, for example a bad process or a lack of training, and fix it.
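As an added illustration (not Rapid7's code, and not how Metasploit implements it), the following Python shows both sides of the idea from the wordlist section and this one: expanding organization-specific seed terms into the variants an audit dictionary would try, and a policy check that rejects new passwords derived from those same terms, with a per-reason summary like the report's failure breakdown. The seed values and proposed passwords are constructed placeholders.

```python
from collections import Counter
# Constructed seeds a defender harvests from their own environment:
# company name, a hostname, a username, a team name. Not real data.
ORG_SEEDS = ["acme", "fileserv01", "jsmith", "helpdesk"]
MIN_LENGTH = 12
LEET = str.maketrans("aeios", "43105")    # a->4 e->3 i->1 o->0 s->5
UNLEET = str.maketrans("43105", "aeios")  # inverse of LEET
SUFFIXES = ["", "1", "123", "!", "2024", "!1"]

def mutate(seed):
    """Expand one seed into the case, leet and suffix variants that an
    auditing dictionary would try against a login service."""
    forms = {seed.lower(), seed.capitalize(), seed.upper()}
    forms |= {f.translate(LEET) for f in list(forms)}
    return {f + s for f in forms for s in SUFFIXES}

def build_wordlist(seeds):
    """The audit dictionary: the union of every seed's mutations."""
    return set().union(*(mutate(s) for s in seeds))

def normalize(text):
    """Lower-case and undo leet substitutions, so the policy check also
    catches variants the wordlist never enumerated (odd suffixes, infixes)."""
    return text.lower().translate(UNLEET)

def check_password(password, seeds):
    """Return None if the password is acceptable, else the reason it fails."""
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    core = normalize(password)
    for seed in seeds:
        if normalize(seed) in core:
            return f"derived from organizational term '{seed}'"
    return None

def audit(proposals, seeds):
    """Map each account to its failure reason (None when it passed)."""
    return {user: check_password(pw, seeds) for user, pw in proposals.items()}

def failure_summary(results):
    """Frequency of each failure reason, the 'why it failed' part of a report."""
    return Counter(r for r in results.values() if r is not None)

if __name__ == "__main__":
    proposals = {"alice": "Correct-Horse-Battery", "bob": "Acme!2024",  # constructed
                 "carol": "F1l3serv01-2024!", "dave": "J5m1th_Password"}
    results = audit(proposals, ORG_SEEDS)
    for user, reason in results.items():
        print(f"{user}: {'OK' if reason is None else reason}")
    print(failure_summary(results))
```

Because `normalize` undoes the same transformations `mutate` applies, every entry of the generated wordlist is rejected by `check_password`, which is the property a policy derived from an audit should have.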

Once you have completed your password audit, generate an Authentication Tokens Audit Report that includes passwords, SSH keys, and SMB hashes, summarizing:

  • Guessed password frequency
  • A list of all guessed passwords
  • Authentication token frequencies
  • A list of all authentication tokens

Configure the reports to either show or mask found passwords, depending on whom you’re creating the report for. Create PCI and FISMA compliance reports to simplify passing your audit.

On-Demand Webcast

Password auditing with Metasploit


On-Demand Webcast

Effective password testing using Metasploit
