Getting Data In

Audit Windows Cleartext passwords

Joels
New Member

Is there a search I can execute that will show me all the passwords that have been sent across the network in cleartext in my windows environment? LDAP, HTTP, etc? I have tried several combinations of Event ID 540 Logon Type 8 from my windows security log, but it does not seem accurate.

Tags (2)
0 Karma

BunnyHop
Contributor

Windows authentication itself is not passthru as cleartext, with a few exceptions (IIS basic authentication, Telnet, etc etc). If these are the items you're looking for, you might find this on different logs than from the Security event log, as that stores actual Windows logon, and are therefore, not going to be cleartext. My understanding is that Telnet is sent in the clear, and therefore you will see the password when you perform network sniffing, but I'm not sure if it ends up clear on the server. Eitherway, you might be looking at a different eventID than 540.

BTW, only because I'm a security geek, be careful looking for cleartext password.

Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!