Date: Thu, 23 Apr 2009 07:56:51 +0400 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: Cracking RACF passwords On Tue, Apr 21, 2009 at 12:12:29PM -0400, John Hoyt wrote: > I?m new to this list, and I?m interested in anyone has used john to crack > RACF passwords. I doubt it. I'm not aware of an existing patch to do that. > So far I?ve found that they are DES encrypted, but I?m not sure about the > scheme used. As far as I could find, the passwords may be either "DES-encrypted" or "hashed" - this can differ between installs and maybe even between user records. Apparently, the DES encryption key is the password itself, so this is actually DES-based hashing, and the use of the word "encryption" is inappropriate. Also, apparently, the "hashing" (when DES is not being used) is ridiculously weak, so some people refer to it as "masking" instead. I derived this info mostly from the following web page (and it is consistent with information I found elsewhere): http://www.os390-mvs.freesurf.fr/ichdex01.htm Also, according to the above web page, the "userid" (is that the username?) is used as a salt, apparently by making it the cleartext data to DES-encrypt with the password as the key. We can give this a try and see if it matches your sample records. > Does anyone have any experience or suggestions? Here's the closest match I could find for a ready to use program: http://www.goldisconsulting.com/OnePageG2.htm http://www.goldisconsulting.com/OnePageL2.htm http://www.goldisconsulting.com/pwcheck.pdf http://www.goldisconsulting.com/PWCHECK-PRO.pdf This company sells a Windows-based program (two variations of it) that will audit RACF passwords (both DES and HASH ones). According to their FAQ, the program depends on being able to access the target system, yet it doesn't test candidate passwords on the target system (rather, it does so on its own). This PWCHECK program is documented to actually try various candidate passwords, much like what JtR does - which is consistent with the understanding that we actually have DES-based hashing rather than DES encryption. Maybe the following mailing list is a good place to ask about auditing RACF passwords: http://www.listserv.uga.edu/archives/racf-l.html Please share you findings on this topic, if any, with us on john-users. Also, it'd be helpful if you post info from a few sample user records (including encrypted or hashed passwords). Of course, make sure that you're authorized to do so and that you're not placing any accounts at risk by doing it (e.g., change the passwords after dumping the records but before posting). If you're able to provide the corresponding plaintext passwords, that will be very helpful. Please do not mangle the encrypted or hashed passwords (in an attempt to protect them) as that decreases their usefulness to the rest of us, or if you do have to mangle them then at least state so explicitly. Thanks, Alexander -- To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.
Powered by blists - more mailing lists
Powered by Openwall GNU/*/Linux - Powered by OpenVZ