Getting Data In

Audit Windows Cleartext passwords

Joels
New Member

Is there a search I can execute that will show me all the passwords that have been sent across the network in cleartext in my windows environment? LDAP, HTTP, etc? I have tried several combinations of Event ID 540 Logon Type 8 from my windows security log, but it does not seem accurate.

Tags (2)
0 Karma

BunnyHop
Contributor

Windows authentication itself is not passthru as cleartext, with a few exceptions (IIS basic authentication, Telnet, etc etc). If these are the items you're looking for, you might find this on different logs than from the Security event log, as that stores actual Windows logon, and are therefore, not going to be cleartext. My understanding is that Telnet is sent in the clear, and therefore you will see the password when you perform network sniffing, but I'm not sure if it ends up clear on the server. Eitherway, you might be looking at a different eventID than 540.

BTW, only because I'm a security geek, be careful looking for cleartext password.

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...