Re: Cracking IBM Mainframe Password Hashes
On Tue, 18 Mar 2014 09:19:25 +0300, Jose Munoz wrote:

> Can someone comment on it? I received an email from an Open Systems colleague arguing that the mainframe is very weak... please help me to answer it:

Well, first you need to access the encrypted password file, and/or bypass the prevalent three-strikes-and-out rule.

> oclHashcat v1.20 support added to crack RACF (IBM mainframe) hashes with 1 Billion (Giga) Hashes/second on a single stock clocked hd6990 graphics card: http://pastebin.com/Cqdhe3kR
>
> I didn't expect IBM's Mainframe password hashing to be so weak :(
>
> In comparison, the SHA512 hash is cracked at 0.217 BH/s (GH/s) on the same graphics card: http://hashcat.net/oclhashcat/

Order of hours (Fermi estimate).

Has there been a realistic White Hat test in either environment?

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Cracking IBM Mainframe Password Hashes
On 2014-03-18 07:19, Jose Munoz wrote:

> Gents,
>
> Can someone comment on it? I received an email from an Open Systems colleague arguing that the mainframe is very weak... please help me to answer it:
>
> oclHashcat v1.20 support added to crack RACF (IBM mainframe) hashes with 1 Billion (Giga) Hashes/second on a single stock clocked hd6990 graphics card: http://pastebin.com/Cqdhe3kR
>
> I didn't expect IBM's Mainframe password hashing to be so weak :(
>
> In comparison, the SHA512 hash is cracked at 0.217 BH/s (GH/s) on the same graphics card: http://hashcat.net/oclhashcat/
>
> If you don't know what oclHashcat is, it's a program that cracks password hashes using graphics cards (GPUs). The link above shows how many algorithms are supported and a sample of the speed that some are cracked at depending on the GPU setup.

It's perfectly known that one can guess a RACF password using the brute force method. It's only a matter of time, computing power per engine, and number of engines (*).
Last, but definitely not least: the attacker has to have your RACF db.

So, the prevention is easy; at least easy to say: you have to protect your RACF db (and all copies/backups).

So, what changed with the tools you mentioned? Another world record?

BTW: IBM announced a new password encryption method in future releases.

(*) Linear scalability is a good assumption for a reasonably small number of engines; for tens of thousands of engines things can be more complicated.

--
Radoslaw Skorupka
Lodz, Poland
Re: Cracking IBM Mainframe Password Hashes
Jose Munoz wrote:

> Can someone comment on it? I received an email from an Open Systems colleague arguing that the mainframe is very weak... please help me to answer it:

I'm not surprised. As a RACF person, I sometimes receive e-mails from spammers and wannabe crackers trying to 'advise me' on a lot of things. ;-)

> oclHashcat v1.20 support added to crack RACF (IBM mainframe) hashes with 1 Billion (Giga) Hashes/second on a single stock clocked hd6990 graphics card

How did they test it? Obtained a real copy of the RACF DB and did their cracking?

> I didn't expect IBM's Mainframe password hashing to be so weak :(

It may be; in fact, over the years there have been 'cracking' tools available to do a brute force attack. Pick one and do your crack. But as others said, you first have to obtain a copy of the RACF db somehow and then do your attack. And then there is that 3 strike rule too. A competent network person will trap your IP address if you try to attack a live system and block you out. It has been done and we have procedures to do that.

> If you don't know what oclHashcat is, it's a program that cracks password hashes using graphics cards (GPUs). The link above shows how many algorithms are supported and a sample of the speed that some are cracked at depending on the GPU setup.

It only tells me one thing - cracking has been a serious business for years. Is it a legal White Hat test or some nefarious underground group trying to 'test out' systems (including z/OS) for fun/scientific reasons/criminal reasons?

I'm more concerned about INSIDERS trying to do 'strange' transactions.

BTW, Radoslaw said IBM announced a new password encryption algorithm.

Groete / Greetings
Elardus Engelbrecht
Re: Cracking IBM Mainframe Password Hashes
In <cakspfostlizlcvvj1v1hzcxow3n8slsm8gfdu+u4buwawhl...@mail.gmail.com>, on 03/18/2014 at 09:19 AM, Jose Munoz <jmunoz6...@gmail.com> said:

> Can someone comment on it? I received an email from an Open Systems colleague arguing that the mainframe is very weak... please help me to answer it:

The Devil is in the details. Strip the BS and what they are saying is that if you ignore the standard security recommendations for MVS then you will have security problems.

> oclHashcat v1.20 support added to crack RACF (IBM mainframe) hashes

That presumes read access to it.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: Cracking IBM Mainframe Password Hashes
I also wonder if they truly mean password hashes, as in the ancient RACF password hash methods, or the more commonly used encryption method of securing passwords, or to be more technically correct, user ids.

--
Artificial Intelligence is no match for Natural Stupidity - Unknown

On Tue, Mar 18, 2014 at 3:25 AM, Shmuel Metz (Seymour J.) <shmuel+ibm-m...@patriot.net> wrote:

> In <cakspfostlizlcvvj1v1hzcxow3n8slsm8gfdu+u4buwawhl...@mail.gmail.com>, on 03/18/2014 at 09:19 AM, Jose Munoz <jmunoz6...@gmail.com> said:
>
>> Can someone comment on it? I received an email from an Open Systems colleague arguing that the mainframe is very weak... please help me to answer it:
>
> The Devil is in the details. Strip the BS and what they are saying is that if you ignore the standard security recommendations for MVS then you will have security problems.
>
>> oclHashcat v1.20 support added to crack RACF (IBM mainframe) hashes
>
> That presumes read access to it.
>
> --
> Shmuel (Seymour J.) Metz, SysProg and JOAT
> ISO position; see http://patriot.net/~shmuel/resume/brief.html
> We don't care. We don't have to care, we're Congress.
> (S877: The Shut up and Eat Your spam act of 2003)
Re: Cracking IBM Mainframe Password Hashes
On 2014-03-18 12:56, Elardus Engelbrecht wrote:

> I'm not surprised. As a RACF person, I sometimes receive e-mails from spammers and wannabe crackers trying to 'advise me' on a lot of things. ;-)

Well, in my case the standard is that nobody has even heard about RACF. So I receive no comments or advice, not even wise ones. :-(

>> oclHashcat v1.20 support added to crack RACF (IBM mainframe) hashes with 1 Billion (Giga) Hashes/second on a single stock clocked hd6990 graphics card
>
> How did they test it? Obtained a real copy of the RACF DB and did their cracking?

I bet, yes. Do you want a real copy of a RACF db? I'll create it for you. Tell me the usernames and passwords you want to have.

> It may be; in fact, over the years there have been 'cracking' tools available to do a brute force attack. Pick one and do your crack. But as others said, you first have to obtain a copy of the RACF db somehow and then do your attack. And then there is that 3 strike rule too. A competent network person will trap your IP address if you try to attack a live system and block you out. It has been done and we have procedures to do that.

If you have the copy, the rule of 'n strikes' won't work. The same for IP blocking.
BTW: how do you block the IP address of the attacker? What type of attacks are considered?

> It only tells me one thing - cracking has been a serious business for years. Is it a legal White Hat test or some nefarious underground group trying to 'test out' systems (including z/OS) for fun/scientific reasons/criminal reasons?

The real reason is in fact irrelevant; what is relevant is a) the intention you present (and can prove) and b) local law. In the US there is the DMCA. In many countries you can crack any security as long as it's your lock, test environment, etc. In other words, you can freely create any tool you like (except weapons).

> I'm more concerned about INSIDERS trying to do 'strange' transactions.

Almost all brute force against RACF requires participation of an insider.

Regards
--
Radoslaw Skorupka
Lodz, Poland
Re: Cracking IBM Mainframe Password Hashes
Radoslaw Skorupka wrote:

>> How did they test it? Obtained a real copy of the RACF DB and did their cracking?
>
> I bet, yes. Do you want a real copy of a RACF db? I'll create it for you. Tell me the usernames and passwords you want to have.

I'm too lazy to do that; I'd rather mow my lawn. ;-D

> If you have the copy, the rule of 'n strikes' won't work.

True.

> BTW: how do you block the IP address of the attacker? What type of attacks are considered?

Any type. We have experienced some attacks with well known id/password combinations. We shut down the application and blocked the IP addresses.

One auditor tried using audit tools to ping IP addresses and ports using well known names like SYSTEM, IBMUSER, etc. My network guy got really annoyed+p*ssed off and blocked the auditor. This led to complaints that the auditor couldn't do his work. My network guy got the final word: if any penetration test is to be done, it has to be done as scheduled without disrupting production work. ;-)

>> I'm more concerned about INSIDERS trying to do 'strange' transactions.
>
> Almost all brute force against RACF requires participation of an insider.

Indeed. All tools I know ask that you, as an INSIDER, download the RACF DB to your workstation and then do your crack.

> Regards

Thanks. The same to you too! ;-D

Groete / Greetings
Elardus Engelbrecht
Re: Cracking IBM Mainframe Password Hashes
On 19/03/2014 0:51, Lou Losee wrote:

> I also wonder if they truly mean password hashes, as in the ancient RACF password hash methods, or the more commonly used encryption method of securing passwords, or to be more technically correct, user ids.

I'm sure it is using the encryption method. The speed of password cracking on GPUs is fast enough that most hashes are vulnerable using traditional length passwords. RACF might be worse than some because the algorithm might not be specifically designed to be slow - I don't know.

The answer is to assume that anybody who can read the encrypted passwords of a system (password database, backups etc.) can crack some or all of them. RACF is no different to other systems in that regard. This isn't news - it has been SOP for as long as I have been in the industry.

An interesting article on the subject:
http://blog.codinghorror.com/speed-hashing/

Andrew Rowley
--
and...@blackhillsoftware.com
+61 413 302 386
Re: Cracking IBM Mainframe Password Hashes
and...@blackhillsoftware.com (Andrew Rowley) writes:

> I'm sure it is using the encryption method. The speed of password cracking on GPUs is fast enough that most hashes are vulnerable using traditional length passwords. RACF might be worse than some because the algorithm might not be specifically designed to be slow - I don't know.
>
> The answer is to assume that anybody who can read the encrypted passwords of a system (password database, backups etc.) can crack some or all of them. RACF is no different to other systems in that regard. This isn't news - it has been SOP for as long as I have been in the industry.

also
http://en.wikipedia.org/wiki/Password_cracking

things were speeded up some when repositories of tens of thousands of the most common passwords were published. some countermeasure
http://en.wikipedia.org/wiki/Salt_%28cryptography%29

simple search engine turns up how to crack racf passwords (from feb2013)
http://mainframed767.tumblr.com/post/43072129477/how-to-copy-the-racf-database-off-the-mainframe-and

also from search
http://www.toolswatch.org/2014/02/new-tool-racfsnow-password-cracker-for-racf-ibm-mainframe-v1-5-in-the-wild/

disclaimer: we have dozens of patents on non-password, non-PKI, non-digital-certificate public key authentication
http://www.garlic.com/~lynn/aadssummary.htm
basically recording publickey in lieu of password; we did implementations for both radius and kerberos ... as well as some prototype chips.

--
virtualization experience starting Jan1968, online at home since Mar1970
Re: Cracking IBM Mainframe Password Hashes
On 19/03/2014 9:30, Anne Lynn Wheeler wrote:

> also
> http://en.wikipedia.org/wiki/Password_cracking
>
> things were speeded up some when repositories of tens of thousands of the most common passwords were published. some countermeasure
> http://en.wikipedia.org/wiki/Salt_%28cryptography%29

The GPU based tools have supposedly made rainbow tables obsolete. It's easier to just brute force the hash. Salts are no protection against a brute force attack.

Another article linked from the original one I posted:
http://codahale.com/how-to-safely-store-a-password/

From that article:

> Rainbow tables, despite their recent popularity as a subject of blog posts, have not aged gracefully. CUDA/OpenCL implementations of password crackers can leverage the massive amount of parallelism available in GPUs, peaking at billions of candidate passwords a second. You can literally test all lowercase, alphabetic passwords which are ≤7 characters in less than 2 seconds. And you can now rent the hardware which makes this possible to the tune of less than $3/hour. For about $300/hour, you could crack around 500,000,000,000 candidate passwords a second.
>
> Given this massive shift in the economics of cryptographic attacks, it simply doesn't make sense for anyone to waste terabytes of disk space in the hope that their victim didn't use a salt. It's a lot easier to just crack the passwords. Even a "good" hashing scheme of SHA256(salt ∥ password) is still completely vulnerable to these cheap and effective attacks.

Andrew Rowley
--
and...@blackhillsoftware.com
+61 413 302 386
Re: Cracking IBM Mainframe Password Hashes
On Mar 18, 2014, at 5:57 PM, Andrew Rowley wrote:

> On 19/03/2014 9:30, Anne Lynn Wheeler wrote:
>
>> also
>> http://en.wikipedia.org/wiki/Password_cracking
>>
>> things were speeded up some when repositories of tens of thousands of the most common passwords were published. some countermeasure
>> http://en.wikipedia.org/wiki/Salt_%28cryptography%29
>
> The GPU based tools have supposedly made rainbow tables obsolete. It's easier to just brute force the hash. Salts are no protection against a brute force attack.
>
> Another article linked from the original one I posted:
> http://codahale.com/how-to-safely-store-a-password/
>
> From that article:
>
>> Rainbow tables, despite their recent popularity as a subject of blog posts, have not aged gracefully. CUDA/OpenCL implementations of password crackers can leverage the massive amount of parallelism available in GPUs, peaking at billions of candidate passwords a second. You can literally test all lowercase, alphabetic passwords which are ≤7 characters in less than 2 seconds. And you can now rent the hardware which makes this possible to the tune of less than $3/hour. For about $300/hour, you could crack around 500,000,000,000 candidate passwords a second.
>>
>> Given this massive shift in the economics of cryptographic attacks, it simply doesn't make sense for anyone to waste terabytes of disk space in the hope that their victim didn't use a salt. It's a lot easier to just crack the passwords. Even a "good" hashing scheme of SHA256(salt ∥ password) is still completely vulnerable to these cheap and effective attacks.
>
> Andrew Rowley

-SNIP---

I thought IBM would have spoken up before this. From what little I have heard, even with the raw data (ie the RACF DB) the password is unable to be broken.

Ed
Re: Cracking IBM Mainframe Password Hashes
On 19/03/2014 10:21, Ed Gould wrote:

> I thought IBM would have spoken up before this. From what little I have heard, even with the raw data (ie the RACF DB) the password is unable to be broken.

You can't calculate the password from the stored value - as far as I know that is still the case. But by definition, you need to be able to check a password to see if it is correct. If you have the database, you are not limited to 3 guesses. GPU based programs can try potentially billions of guesses per second.

The only real defence against this is password algorithms that are slow (computationally expensive). And GPUs have changed the definition of slow. Being difficult to implement on a GPU is an advantage at the moment, but future developments might also make the difficult easier.

Bottom line: the password database needs to be protected. Anyone who can read it can potentially crack some or all of the passwords.

Andrew Rowley
--
and...@blackhillsoftware.com
+61 413 302 386
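The "order of hours" Fermi estimate earlier in the thread, the "≤7 lowercase characters in under 2 seconds" claim quoted from the codahale article, and the point above that only a slow algorithm changes the picture can all be checked with the same keyspace / hash-rate arithmetic. The following is an added example, not code from the thread or from hashcat; it assumes the classic RACF password space is 1 to 8 characters drawn from 39 symbols (A-Z, 0-9, @ # $, uppercase only) and uses an illustrative 10 kH/s for a deliberately slow KDF, neither of which the thread states.

```python
"""Brute-force cost model for the hash rates quoted in the thread.

Only a larger keyspace or a slower hash moves these numbers; a salt does
not, because the attacker simply hashes each candidate with the victim's
salt. That is the thread's argument in arithmetic form.
"""

# Hash rates taken from the thread (hashes per second, one HD 6990 card).
RACF_RATE = 1_000_000_000        # 1 GH/s, the figure quoted for RACF
SHA512_RATE = 217_000_000        # 0.217 GH/s, same card, SHA-512
CODAHALE_RATE = 5_000_000_000    # "billions a second" (assumed 5 GH/s)
SLOW_KDF_RATE = 10_000           # assumed rate for a slow, GPU-hostile KDF

# Assumed RACF alphabet: 26 letters + 10 digits + 3 national characters.
RACF_ALPHABET = 39
RACF_MAX_LEN = 8


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of candidate strings of length min_len..max_len inclusive."""
    if alphabet_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("bad keyspace parameters")
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    if rate <= 0:
        raise ValueError("rate must be positive")
    return space / rate


def humanize(seconds: float) -> str:
    """Coarse rendering, good enough for a Fermi-style comparison."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds * 1000:.0f} ms"


def racf_exhaust_seconds(rate: float) -> float:
    """Time to exhaust the assumed classic RACF space at a given hash rate."""
    return seconds_to_exhaust(keyspace(RACF_ALPHABET, RACF_MAX_LEN), rate)


if __name__ == "__main__":
    # Claim from the quoted article: all lowercase alphabetic <= 7 chars in < 2 s.
    lower7 = keyspace(26, 7)
    print(f"lowercase <=7 chars ({lower7:,} candidates) at 5 GH/s: "
          f"{humanize(seconds_to_exhaust(lower7, CODAHALE_RATE))}")
    # The thread's "order of hours" estimate and the effect of a slow algorithm.
    for label, rate in [("RACF rate 1 GH/s", RACF_RATE),
                        ("SHA-512 rate 0.217 GH/s", SHA512_RATE),
                        ("slow KDF, assumed 10 kH/s", SLOW_KDF_RATE)]:
        print(f"classic RACF space, {label}: {humanize(racf_exhaust_seconds(rate))}")
```

Run it and the three RACF lines come out at roughly 1.5 hours, 7 hours and 17 years respectively, which is the whole difference between a fast hash and a deliberately slow one.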
Re: Cracking IBM Mainframe Password Hashes
The biggest problem with this is, if I recall correctly, that the user id is encrypted with the password using a variant of DES that has a slight twist from the published DES algorithm. That is why there are two types of DES encrypt calls in the RACROUTE REQUEST=EXTRACT macro: ENCRYPT=(data addr,DES) and ENCRYPT=(data addr,STDDES). The first form does RACF's variant of DES and is used for the password encryption. Therefore, without reverse engineering the variant, a cracker would have to use the RACROUTE macro to attempt to crack the passwords.

--
Artificial Intelligence is no match for Natural Stupidity - Unknown

On Tue, Mar 18, 2014 at 7:10 PM, Andrew Rowley <and...@blackhillsoftware.com> wrote:

> On 19/03/2014 10:21, Ed Gould wrote:
>
>> I thought IBM would have spoken up before this. From what little I have heard, even with the raw data (ie the RACF DB) the password is unable to be broken.
>
> You can't calculate the password from the stored value - as far as I know that is still the case. But by definition, you need to be able to check a password to see if it is correct. If you have the database, you are not limited to 3 guesses. GPU based programs can try potentially billions of guesses per second.
>
> The only real defence against this is password algorithms that are slow (computationally expensive). And GPUs have changed the definition of slow. Being difficult to implement on a GPU is an advantage at the moment, but future developments might also make the difficult easier.
>
> Bottom line: the password database needs to be protected. Anyone who can read it can potentially crack some or all of the passwords.
>
> Andrew Rowley
> --
> and...@blackhillsoftware.com
> +61 413 302 386