Freeware / opensource Brute Force password cracker

Audit wanted me to simulate a High severity event which we have only a few such as
successful Brute Force, true DDoS (not sure what's the bandwidth) & compromised
network/firewall devices that lead to operations outage.

This is to see if the SoC responds within SLA (from Splunk alert which currently
covers Prod servers/devices) & how fast we mitigate it.

I think the easiest is to
a) install a brute force password cracker
b) create a local account not subject to GPO (eg: password doesnt get locked
    despite number of failed attempts with a simple password) on a non-
    critical Prod server

Any freeware tool on Windows that do brute force for Windows that anyone
can recommend?  SIP Vicious or is there a free l0phtcrack ?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

EirmanChief Operations ManagerCommented:
sunhuxAuthor Commented:
Which one is suitable for cracking Windows OS password?
Does sunnyelf/cheetah  help?

Some other tools are for .rar or Enxxx.db, not Windows
sunhuxAuthor Commented:
Plan to install on a test laptop that attempts to crack across LAN of a server's Windows OS password.

Ideally not to install the tool in the Prod server itself
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

EirmanChief Operations ManagerCommented:
SourceForge is even better

I really don't know which software to recommend - read the comments/reviews
EirmanChief Operations ManagerCommented:
As far as I know, you don't need brute force to crack windows passwords
EirmanChief Operations ManagerCommented:
Search for windows password recovery tool
Links to that type of software are disallowed here
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
I really wonder how you should be able to detect "a successfull Brute Force". You can see the attempts, but not the result. It is different for a DDoS - success means services won't work anymore.
Lee W, MVPTechnology and Business Process AdvisorCommented:
It's been a while, but I used John the Ripper.
Are you looking to simulate the attack from inside?
I.e. Mimic a situation where an real system/user was compromised, virus infected system, .....

Brute force attacks often deal with overloading the handler to gain a shell versus compromise/guess the password of an account.
Modifying  the behavior in such a case is unnecessary.
btanExec ConsultantCommented:
if the idea is to really in validating the demonstration of meeting the SoC SLA and not the prod system on its security capabilities for detecting/alerting brute force, then why not just have some log injector or data generator to send such sample brute force message into Splunk then let it trigger the alert based on the rule set. You do not really need to touch on the production system with such simulated attack. And you can control the no of such message to trigger the severity level - if you measure the persistent surge  of the attempts.

Splunk SA-Eventgen
The event generator works in one of two ways; it can be used to either ‘replay’ the events within a file or series of files, or it can be used to randomly extract entries within the file and generate them at semi-random intervals, with particular fields or values changed per your specification.

otherwise, you may want to check out Kali Linux - Hydra,  John the Ripper

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sunhuxAuthor Commented:
btanExec ConsultantCommented:
You will probably need to have at least a sample event of auch brute force attempt which your splunk ruleset will trigger, then have eventgen to make it continuous with random data /timestamp on each brute force tries.
We now have a event generator that is pulling from an existing sample of data (again, more on this in the first post), adding the current timestamp at run time, and then altering two values, one to be a random integer, and another string randomly selected from a sample set.  You could expand on this infinitely to create a brand new sample data set which is completely different than it’s source sample.
If really need step through consider having put it as Gig project for expertise.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.