-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wow.. That's pretty awesome IMHO. Years ago, I worked with Jean-Loup Gailly on getting JtR supported for OpenVMS SYSUAF.DAT password cracking. To be honest, he did the hard work, I supplied some assistance with OpenVMS (via the public access OpenVMS Deathrow cluster - http://deathow.vistech.net - shameless plug :)

I think it's very cool to see RACF databases supported in JtR. It's always interesting to see "interesting" platforms get supported in JtR :) Nice job!

On 3/16/12 11:52 AM, Main Framed wrote:
> Not much interest in this but I wanted to make sure I completed what I started. Anyway I'm happy to announce that thanks to work done by folks over on the John the Ripper mailing list, RACF databases are now supported. A new plugin was added to JtR to support RACF DES hashes and a new tool (racf2john) was developed to pull the usernames and hashes out of a copy of the RACF database.
>
> For anyone curious the algorithm was obfuscating the key before putting it through DES. Basically each byte was XOR'd with 0x55 and bit shifted to the left by one bit (thanks goes to Nigel Pentland for figuring it out).
>
> On Sat, Mar 3, 2012 at 7:43 PM, Main Framed <[email protected]> wrote:
> > Good news everyone!
> >
> > Turns out it was because I had downloaded the file from FTP which did the conversion from EBCDIC to ASCII. Instead I should've typed 'binary' before downloading the file. Neophyte mistake. Because of that I was able to find the example "hash" I included and from there find all the hashes. Next my other problem. I created an example account:
> >
> > UserID: TTTTTTTT
> > Password: TESTTEST
> >
> > This creates a DES hash (in hex) of: 42 4B 25 8A F8 B9 06 1B
> >
> > Unfortunately when I try to recreate the password using Python (in the interpreter) DES I get a different hex value:
> >
> > >>> from Crypto.Cipher import DES
> > >>> s = "TTTTTTTT"
> > >>> p = "TESTTEST"
> > >>> es = s.decode('ascii').encode('EBCDIC-CP-BE')
> > >>> ep = p.decode('ascii').encode('EBCDIC-CP-BE')
> > >>> des = DES.new(ep, DES.MODE_CBC)
> > >>> cipher = des.encrypt(es)
> > >>> cipher
> > '\\t\x9bM\x05\x8dL\x8d'
> >
> > Which doesn't look to me to be the same hex values like I expected it to. What am I doing wrong?
> >
> > > Date: Tue, 28 Feb 2012 08:21:59 -0800
> > > From: Main Framed <[email protected]>
> > > Subject: [Pauldotcom] Mainframe: RACF database file?
> > > To: [email protected]
> > >
> > > I've spent the last couple of days pulling my hair out trying to do some testing against a test z/OS system I've got access to. Since this system is mine (it's a lab system) and I have access to it I'm trying to build some better tools to test mainframes.
> > >
> > > I've got two goals:
> > > 1) Extract the user IDs and password hashes from a copy of the database file. I'd prefer to do that using a copy of the file locally on my Linux machine.
> > > 2) Identify the hashing algorithm (it's apparently a one way DES hash)
> > >
> > > I've been mucking around for #1 but finding *any* information about this is extremely frustrating. Even finding out what kind of file structure it is is an act in frustration (I wasn't able to find out what kind of file it was; all I know is it's not VSAM).
> > >
> > > I know tools already exist:
> > >
> > > I've tried CRACF http://www.nigelpentland.co.uk/racf/cracf.htm (and his other tools) and they don't work in Windows XP. Running it in a DOS image I have it loads but doesn't detect any of the simple passwords I've set (one user is A with a password of A). He's also the creator of a tool called WEAKPASS or something like it which also didn't work. I assume that's because my version is newer than when these tools were written.
> > >
> > > There's also PWCHECK ( http://www.goldisconsulting.com/OnePageG2.htm ) which is a program that runs on the mainframe. It doesn't extract the hashes (well, the debug mode might) but it basically runs on the mainframe. You need to install it to very privileged (APF datasets) areas. I *could* try and use this to extract the hashes and user IDs but it's not free.
> > >
> > > There is a way called EXTRACT in RACROUTE http://publib.boulder.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.ichc600%2Fichzc6b039.htm. It would require me writing some assembly, getting system privileges on a mainframe and running the macro, but finding any information about it is difficult to understand for a mainframe neophyte such as myself.
> > >
> > > For #2 I think it's a one way DES hashing algorithm which takes the user ID, padded to 8 characters and uses the password as the salt, padded to 8 characters. From http://2000clicks.com/links/Computers/IBMMainframeHistory/cracker.htm I was able to see what, potentially, the hash would look like:
> > >
> > > User ID: IBMUSER
> > > Password: SYS1
> > > Hashed Password: C585D307BD44E61F
> > >
> > > But this could be from an older version of RACF, it's unclear. IBM is pretty tight lipped about this. I know where, in the database, the password is stored: from http://publib.boulder.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.ichc600%2Frteut.htm I know that in the user table(?) the password is the 12th field but other than that I am lost.
> > >
> > > I feel like I have all the pieces I need to be able to break this file apart but I need some guidance to look in the right places. Strings shows me the user IDs (plus lots of other stuff) but the hashes aren't stored in plaintext in the database. Same with a HEX editor.
> > >
> > > I'm wondering if anyone on the list has any experience with the mainframe and working with this file specifically. Or even on where to start looking would be a nice start.
> > >
> > > I've also joined the RACF-L mailing list but they aren't very forthcoming with information about breaking apart their flagship security database.
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > [email protected]
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com

-- 
Champ Clark III ([email protected])
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPY3/UAAoJENnmXt7Lmc3KerAIAILQOvd9RhQ6tTXF4Oz8qjkq
8RgGp+YGsizQQh/hzYBY4e+kYirJl3dlK78ztsX4+Bj7buWUqCgHGTL2s8aTCw8X
co2pB20UbseiqbVomztd6hqle7DJKsNt6WcepQEVrBWPbngoEWAlic1QOYoZILI+
7JXx7ivL+Rwgg3ov0Z6EsXonMp47DgBPJCVb9UvqTelstgXzYlpAy0hyx7Ivh1pJ
kQex32qEFXf/dFOA0J1s4M8naugi9GsF79xt2YLXFXIPYXXRL/CPgUuUO82ZHIvh
gpshzp5WS3/SfN1wE/y/M7U/eNoeQj/a0uvh87bK4pun6rNHwkOXojJSZK3G1z4=
=m7ng
-----END PGP SIGNATURE-----
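The hash construction the thread ends up describing (EBCDIC user ID as the DES block, password bytes each XORed with 0x55 and shifted left one bit as the key) is easy to get subtly wrong, as the earlier Python session shows. The block below is an added reference implementation written for this page; it is not code from the thread, from Nigel Pentland's tools or from the John the Ripper project. It assumes: upper-casing of both inputs, EBCDIC via Python's `cp500` codec (the same table as the poster's `EBCDIC-CP-BE`), padding with EBCDIC spaces (0x40) to 8 bytes, truncation of each shifted key byte to 8 bits, single-block DES in ECB mode, and the PyCryptodome `Crypto.Cipher.DES` module being installed. The function names (`to_ebcdic_block`, `obfuscate_key`, `racf_des_hash`, `check_vector`) are mine, and the test vector is the one the poster gave for his lab account.

```python
"""Reference implementation of the RACF DES hash as described in the thread.

Added example, not from the thread or the JtR project.  Assumptions are
listed in the lead-in and repeated in the comments below.
"""

try:
    from Crypto.Cipher import DES  # PyCryptodome (assumed installed)
except ImportError:  # the key-derivation helpers still work without it
    DES = None

EBCDIC_SPACE = 0x40  # assumption: fields are space-padded in EBCDIC


def to_ebcdic_block(text: str) -> bytes:
    """Upper-case, EBCDIC-encode (cp500) and space-pad to exactly 8 bytes.

    Upper-casing is an assumption; the thread's examples are already upper-case.
    """
    raw = text.upper().encode("cp500")
    if len(raw) > 8:
        raise ValueError("RACF user IDs and DES passwords are at most 8 characters")
    return raw + bytes([EBCDIC_SPACE]) * (8 - len(raw))


def obfuscate_key(password: str) -> bytes:
    """The key transform from the thread: each EBCDIC byte XOR 0x55, then << 1.

    The shift result is truncated to 8 bits (assumption: the carried-out
    high bit is discarded, since DES keys are 8 bytes of 8 bits).
    """
    return bytes(((b ^ 0x55) << 1) & 0xFF for b in to_ebcdic_block(password))


def racf_des_hash(user_id: str, password: str) -> bytes:
    """Encrypt the 8-byte EBCDIC user ID under the obfuscated password key.

    One DES block in ECB mode; for a single block this equals CBC with a
    zero IV, so the mode is not what differed in the poster's session.
    """
    if DES is None:
        raise RuntimeError("PyCryptodome is required for the DES step")
    key = obfuscate_key(password)
    return DES.new(key, DES.MODE_ECB).encrypt(to_ebcdic_block(user_id))


def check_vector(user_id: str, password: str, expected_hex: str) -> bool:
    """Compare the computed hash with a stored hex value (case-insensitive)."""
    return racf_des_hash(user_id, password).hex().upper() == expected_hex.upper()


if __name__ == "__main__":
    # Vector from the thread: user TTTTTTTT, password TESTTEST.
    print("key bytes:", obfuscate_key("TESTTEST").hex().upper())
    if DES is not None:
        print("matches thread vector:", check_vector("TTTTTTTT", "TESTTEST", "424B258AF8B9061B"))
```

Two details are worth checking against whatever implementation you are auditing: the padding byte is the EBCDIC space (0x40), not the ASCII space, and the XOR/shift is applied after the EBCDIC conversion, so `obfuscate_key("TESTTEST")` yields `6C 20 6E 6C 6C 20 6E 6C`. Because a single-block CBC encryption with a zero IV equals ECB, the poster's choice of CBC mode alone would not explain the mismatch he saw; the missing key obfuscation step is what the later message identifies.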
