Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 23 Apr 2009 07:56:51 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Cracking RACF passwords

On Tue, Apr 21, 2009 at 12:12:29PM -0400, John Hoyt wrote:
> I?m new to this list, and I?m interested in anyone has used john to crack
> RACF passwords.

I doubt it.  I'm not aware of an existing patch to do that.

> So far I?ve found that they are DES encrypted, but I?m not sure about the
> scheme used.

As far as I could find, the passwords may be either "DES-encrypted" or
"hashed" - this can differ between installs and maybe even between user
records.  Apparently, the DES encryption key is the password itself, so
this is actually DES-based hashing, and the use of the word "encryption"
is inappropriate.  Also, apparently, the "hashing" (when DES is not
being used) is ridiculously weak, so some people refer to it as
"masking" instead.  I derived this info mostly from the following web
page (and it is consistent with information I found elsewhere):

http://www.os390-mvs.freesurf.fr/ichdex01.htm

Also, according to the above web page, the "userid" (is that the
username?) is used as a salt, apparently by making it the cleartext data
to DES-encrypt with the password as the key.  We can give this a try and
see if it matches your sample records.

> Does anyone have any experience or suggestions?

Here's the closest match I could find for a ready to use program:

http://www.goldisconsulting.com/OnePageG2.htm
http://www.goldisconsulting.com/OnePageL2.htm

http://www.goldisconsulting.com/pwcheck.pdf
http://www.goldisconsulting.com/PWCHECK-PRO.pdf

This company sells a Windows-based program (two variations of it) that
will audit RACF passwords (both DES and HASH ones).  According to their
FAQ, the program depends on being able to access the target system, yet
it doesn't test candidate passwords on the target system (rather, it
does so on its own).

This PWCHECK program is documented to actually try various candidate
passwords, much like what JtR does - which is consistent with the
understanding that we actually have DES-based hashing rather than DES
encryption.

Maybe the following mailing list is a good place to ask about auditing
RACF passwords:

http://www.listserv.uga.edu/archives/racf-l.html

Please share you findings on this topic, if any, with us on john-users.
Also, it'd be helpful if you post info from a few sample user records
(including encrypted or hashed passwords).  Of course, make sure that
you're authorized to do so and that you're not placing any accounts at
risk by doing it (e.g., change the passwords after dumping the records
but before posting).  If you're able to provide the corresponding
plaintext passwords, that will be very helpful.  Please do not mangle
the encrypted or hashed passwords (in an attempt to protect them) as
that decreases their usefulness to the rest of us, or if you do have to
mangle them then at least state so explicitly.

Thanks,

Alexander

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ