I want to ensure compliance with the password policy in my office.
Environment Intro: My environment is all Windows-based (Server 2003/2008); user strength is not more than 400 employees. Nearly 90% of all users have the Windows XP OS installed on their machines; the other 10% of the population is divided between Vista and Windows 7. The maximum strength for passwords is limited to 10 characters.
Problem statement: I want to know the easiest, fastest and most reliable way of enumerating Windows user accounts. I have downloaded and gone through the use of many password auditing tools (L0phtCrack, ophcrack, SAMInside).
Objectives: I want an approach which enables me to enumerate the user accounts by logging into the domain controller, without having to go to each individual machine and then run the software. That activity just creates unnecessary administrative workload. Additionally, I need software that doesn't require booting into an alternate OS (as in the case of ophcrack); doing so would affect the performance of the users and also becomes annoying.
I want to make use of rainbow tables. The specs handed to me are not enough for me to carry out an exhaustive brute-force attack in the time that is given to me by senior management to complete the task.
However, I have no issue regarding storage: I can dedicate as much as 1 TB for storing rainbow tables. I would appreciate it if you guys could provide me with a suitable link and guide me about the things I should consider before downloading such large files for my use.
Update: I said this in the opening statement of this thread too, but I guess I oversimplified it. Let me re-explain. I want to check the password strength of Windows users, not standalone ones but those connected to the Windows environment. I also want to incorporate the use of rainbow tables in the exercise. How can I do this task with the information provided above?