
Password Auditing & Password Bruteforcing

Question asked by Joseph Arenas on Apr 10, 2019



I would like to better understand the workflow around which the specific feature works.
My idea of password bruteforcing is that:
- It has different levels (as per public documentation)
- It bruteforces actual logins. (Login attempts will be recorded by Windows)
- It can only bruteforce local Windows accounts.
- You can have your own list by having a list similar to this:
      L: Administrator
      P: password
- Scanning a domain controller will bruteforce all user accounts


However, can I have a list with a domain specified?
     L: DOMAINA\user01
     P: password

Can someone give me a better idea of the limitations and actual workflow of this feature?


My idea of password auditing via PC is that:
- The dissolvable agent will access password hashes and compare them to given passwords
- It has three levels as well, the last being able to create a custom list
- The list is just a list of passwords:





Can I use this to audit domain accounts in a domain controller?
Does this only apply to local Windows accounts?
What is the workflow behind this?

Links of references so you won't have to: