Re: Cracking IBM Mainframe Password Hashes

2014-03-18 Thread Paul Gilmartin
On Tue, 18 Mar 2014 09:19:25 +0300, Jose Munoz wrote:

Someone can comment on it, I received an email from an Open System college
arguing that mainframe is very weak...please help me to answer it:

Well, first you need to access the encrypted password file, and/or bypass the
prevalent three-strikes-and-out rule.

oclHashcat v1.20 support added to crack RACF (IBM mainframe) hashes with 1
Billion (Giga) Hashes/second on a single stock clocked hd6990 graphics
card: http://pastebin.com/Cqdhe3kR

I didn't expect IBM's Mainframe password hashing to be so weak :(
In comparison, the SHA512 hash is cracked at 0.217 BH/s (GH/s) on the same
graphics card: http://hashcat.net/oclhashcat/
 
Order of hours (Fermi estimate).  Has there been a realistic White Hat test
in either environment?

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Cracking IBM Mainframe Password Hashes

2014-03-18 Thread R.S.

On 2014-03-18 07:19, Jose Munoz wrote:

Gents,

Someone can comment on it, I received an email from an Open System college
arguing that mainframe is very weak...please help me to answer it:


oclHashcat v1.20 support added to crack RACF (IBM mainframe) hashes with 1
Billion (Giga) Hashes/second on a single stock clocked hd6990 graphics
card: http://pastebin.com/Cqdhe3kR

I didn't expect IBM's Mainframe password hashing to be so weak :(
In comparison, the SHA512 hash is cracked at 0.217 BH/s (GH/s) on the same
graphics card: http://hashcat.net/oclhashcat/

If you don't know what's oclHashcat, it's a program that cracks password
hashes using graphics cards (GPUs). The link above shows how many
algorithms are supported and a sample of the speed that some are cracked at
depending on the GPU setup.


It's perfectly known that one can guess a RACF password using the brute force 
method. It's only a matter of time, computing power per engine, and number of 
engines (*).

Last, but definitely not least: attacker has to have your RACF db.
So, the prevention is easy; at least easy to say: you have to protect 
your RACF db (and all copies/backups).


So, what changed with the tools you mentioned? Another world record?



BTW: IBM announced new password encryption method in future releases.


(*) Linear scalability is a good assumption for a reasonably small number of 
engines; for tens of thousands of engines things can be more complicated.


--
Radoslaw Skorupka
Lodz, Poland






---

This e-mail may contain legally privileged information of the Bank and is 
intended solely for business use of the addressee. This e-mail may only be 
received by the addressee and may not be disclosed to any third parties. If you 
are not the intended addressee of this e-mail or the employee authorized to 
forward it to the addressee, be advised that any dissemination, copying, 
distribution or any other similar activity is legally prohibited and may be 
punishable. If you received this e-mail by mistake please advise the sender 
immediately by using the reply facility in your e-mail software and delete 
permanently this e-mail including any copies of it either printed or saved to 
hard drive.

mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: kont...@mbank.pl 
District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register, business register number KRS 025237, NIP: 526-021-50-88. As of 01.01.2014 the share capital of mBank S.A. (fully paid up) amounts to 168,696,052 zloty.





Re: Cracking IBM Mainframe Password Hashes

2014-03-18 Thread Elardus Engelbrecht
Jose Munoz wrote:

Someone can comment on it, I received an email from an Open System college 
arguing that mainframe is very weak...please help me to answer it:

I'm not surprised. As a RACF person, I sometimes receive e-mails from spammers 
and wannabe crackers trying to 'advise me' on a lot of things. ;-)


oclHashcat v1.20 support added to crack RACF (IBM mainframe) hashes with 1 
Billion (Giga) Hashes/second on a single stock clocked hd6990 graphics card

How did they test it? Obtained a real copy of the RACF DB and did their cracking?


I didn't expect IBM's Mainframe password hashing to be so weak :(

It may be; in fact, over the years there have been 'cracking' tools available to 
do a brute force attack. Pick one and do your crack.

But as others said, you have first to obtain a copy of the RACF db somehow and 
then do your attack. And then there is that 3 strike rule too.

A competent network person will trap your IP address if you try to attack a 
live system and block you out. It has been done and we have procedures to do 
that.


If you don't know what's oclHashcat, it's a program that cracks password 
hashes using graphics cards (GPUs). The link above shows how many algorithms 
are supported and a sample of the speed that some are cracked at depending on 
the GPU setup.

It only tells me one thing - cracking has been a serious business for years. Is 
it a legal White Hat test or some nefarious underground group trying to 'test 
out' systems (including z/OS) for fun/scientific reasons/criminal reasons?


I'm more concerned about INSIDERS trying to do 'strange' transactions.

BTW, Radoslaw said IBM announced a new password encryption algorithm.

Groete / Greetings
Elardus Engelbrecht



Re: Cracking IBM Mainframe Password Hashes

2014-03-18 Thread Shmuel Metz (Seymour J.)
In
cakspfostlizlcvvj1v1hzcxow3n8slsm8gfdu+u4buwawhl...@mail.gmail.com,
on 03/18/2014
   at 09:19 AM, Jose Munoz jmunoz6...@gmail.com said:

Someone can comment on it, I received an email from an Open System
college arguing that mainframe is very weak...please help me to
answer it:

The Devil is in the details. Strip the BS and what they are saying is
that if you ignore the standard security recommendations for MVS then
you will have security problems.

oclHashcat v1.20 support added to crack RACF (IBM mainframe) hashes

That presumes read access to it.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Cracking IBM Mainframe Password Hashes

2014-03-18 Thread Lou Losee
I also wonder if they truly mean password hashes, as in the ancient RACF
password hash methods, or the more commonly used encryption method of
securing passwords or to be more technically correct, user ids.

--
Artificial Intelligence is no match for Natural Stupidity
  - Unknown




Re: Cracking IBM Mainframe Password Hashes

2014-03-18 Thread R.S.

On 2014-03-18 12:56, Elardus Engelbrecht wrote:
I'm not surprised. As a RACF person, I sometimes receive e-mails from 
spammers and wannabe crackers trying to 'advise me' on a lot of 
things. ;-) 
Well, in my case the standard is that nobody has even heard about RACF. So I 
receive no comments or advice, even wise ones. :-(



oclHashcat v1.20 support added to crack RACF (IBM mainframe) hashes with 1 
Billion (Giga) Hashes/second on a single stock clocked hd6990 graphics card

How did they test it? Obtained a real copy of the RACF DB and did their cracking?
I bet, yes. Do you want a real copy of the RACF db? I'll create it for you. 
Tell me the usernames and passwords you want to have.


It may be, in fact over the years, there are 'cracking' tools 
available to do a brute force attack. Pick one and do your crack. But 
as others said, you have first to obtain a copy of the RACF db somehow 
and then do your attack. And then there is that 3 strike rule too. A 
competent network person will trap your IP address if you try to 
attack a live system and block you out. It has been done and we have 
procedures to do that. 

If you have the copy, the rule of 'n strikes' won't work.
The same for IP blocking.
BTW: how do you block the IP address of the attacker?  What type of attacks 
are considered?




It only tells me one thing - cracking is a serious business for years long. Is 
it a legal White Hat test or some nefarious underground group trying to 'test 
out' systems (including z/OS) for fun/scientific reason/criminal reason?

The real reason is in fact irrelevant; what is relevant is
a) the intention you present (and can prove)
b) local law. In the US there is the DMCA. In many countries you can crack any 
security as long as it's your lock, test environment, etc. In other words, 
you can freely create any tool you like (except weapons).




I'm more concerned about INSIDERS trying to do 'strange' transactions.

Almost all brute force against RACF requires the participation of an insider.


Regards

--
Radoslaw Skorupka
Lodz, Poland











Re: Cracking IBM Mainframe Password Hashes

2014-03-18 Thread Elardus Engelbrecht
Radoslaw Skorupka wrote:

How did they test it? Obtained a real copy of the RACF DB and did their cracking?
I bet, yes. Do you want a real copy of the RACF db? I'll create it for you. 
Tell me the usernames and passwords you want to have.

I'm too lazy to do that; I'd rather mow my lawn. ;-D


If you have the copy, the rule of 'n strikes' won't work.

True.


BTW: how do you block the IP address of the attacker?  What type of attacks are 
considered?

Any type. We have experienced some attacks with well known ids/password 
combinations. We shut down the application and blocked the IP addresses. One 
auditor tried using audit tools to ping IP addresses and ports using well known 
names like SYSTEM, IBMUSER, etc. My network guy got really annoyed+p*ssed off 
and blocked the auditor. This led to complaints that the auditor can't do his 
work. My network guy got the final word: that if any penetration test is to be 
done, it has to be done as scheduled without disrupting production work. ;-)

 I'm more concerned about INSIDERS trying to do 'strange' transactions.
Almost all brute force against RACF requires the participation of an insider.

Indeed. All tools I know ask you, as an INSIDER, to download the RACF DB to 
your workstation and then do your crack.


Regards

Thanks. The same to you too! ;-D

Groete / Greetings
Elardus Engelbrecht



Re: Cracking IBM Mainframe Password Hashes

2014-03-18 Thread Andrew Rowley

On 19/03/2014 0:51, Lou Losee wrote:

I also wonder if they truly mean password hashes, as in the ancient RACF
password hash methods, or the more commonly used encryption method of
securing passwords or to be more technically correct, user ids.


I'm sure it is using the encryption method. The speed of password 
cracking on GPUs is fast enough that most hashes are vulnerable using 
traditional length passwords. RACF might be worse than some because the 
algorithm might not be specifically designed to be slow - I don't know.


The answer is to assume that anybody who can read the encrypted 
passwords of a system (password database, backups etc.) can crack some 
or all of them. RACF is no different to other systems in that regard. 
This isn't news - it has been SOP for as long as I have been in the 
industry.


An interesting article on the subject:
http://blog.codinghorror.com/speed-hashing/

Andrew Rowley

--
and...@blackhillsoftware.com
+61 413 302 386



Re: Cracking IBM Mainframe Password Hashes

2014-03-18 Thread Anne Lynn Wheeler
and...@blackhillsoftware.com (Andrew Rowley) writes:
 I'm sure it is using the encryption method. The speed of password
 cracking on GPUs is fast enough that most hashes are vulnerable using
 traditional length passwords. RACF might be worse than some because
 the algorithm might not be specifically designed to be slow - I don't
 know.

 The answer is to assume that anybody who can read the encrypted
 passwords of a system (password database, backups etc.) can crack some
 or all of them. RACF is no different to other systems in that
 regard. This isn't news - it has been SOP for as long as I have been
 in the industry.

also
http://en.wikipedia.org/wiki/Password_cracking

things were sped up some when repositories of tens of thousands
of the most common passwords were published.

some countermeasure
http://en.wikipedia.org/wiki/Salt_%28cryptography%29

simple search engine turns up how to crack racf passwords
(from feb2013)
http://mainframed767.tumblr.com/post/43072129477/how-to-copy-the-racf-database-off-the-mainframe-and
also from search
http://www.toolswatch.org/2014/02/new-tool-racfsnow-password-cracker-for-racf-ibm-mainframe-v1-5-in-the-wild/


disclaimer: we have dozens of patents on non-password, non-PKI,
non-digital-certificate public key authentication
http://www.garlic.com/~lynn/aadssummary.htm

basically recording publickey in lieu of password; we did
implementations for both radius and kerberos ... as well as some
prototype chips.

-- 
virtualization experience starting Jan1968, online at home since Mar1970



Re: Cracking IBM Mainframe Password Hashes

2014-03-18 Thread Andrew Rowley

On 19/03/2014 9:30, Anne & Lynn Wheeler wrote:


also
http://en.wikipedia.org/wiki/Password_cracking

things were speeded up some when repositories of tens of thousand
of the most common passwords were published.

some countermeasure
http://en.wikipedia.org/wiki/Salt_%28cryptography%29


The GPU based tools have supposedly made rainbow tables obsolete. It's 
easier to just brute force the hash. Salts are no protection against a 
brute force attack. Another article linked from the original one I posted:


http://codahale.com/how-to-safely-store-a-password/

From that article:

Rainbow tables, despite their recent popularity as a subject of blog 
posts, have not aged gracefully. CUDA/OpenCL implementations of password 
crackers can leverage the massive amount of parallelism available in 
GPUs, peaking at billions of candidate passwords a second. You can 
literally test all lowercase, alphabetic passwords which are ≤7 
characters in less than 2 seconds. And you can now rent the hardware 
which makes this possible to the tune of less than $3/hour. For about 
$300/hour, you could crack around 500,000,000,000 candidate passwords a 
second.


Given this massive shift in the economics of cryptographic attacks, it 
simply doesn’t make sense for anyone to waste terabytes of disk space in 
the hope that their victim didn’t use a salt. It’s a lot easier to just 
crack the passwords. Even a “good” hashing scheme of SHA2-256(salt ∥ 
password) is still completely vulnerable to these cheap and effective 
attacks.


Andrew Rowley

--
and...@blackhillsoftware.com
+61 413 302 386



Re: Cracking IBM Mainframe Password Hashes

2014-03-18 Thread Ed Gould


I thought IBM would have spoken up before this. From what little I  
have heard, even with the raw data (i.e. the RACF DB) the password  
cannot be broken.


Ed



Re: Cracking IBM Mainframe Password Hashes

2014-03-18 Thread Andrew Rowley

On 19/03/2014 10:21, Ed Gould wrote:


I thought IBM would have spoken up before this. From what little I have
heard, even with the raw data (i.e. the RACF DB) the password cannot be
broken.


You can't calculate the password from the stored value - as far as I 
know that is still the case. But by definition, you need to be able to 
check a password to see if it is correct.


If you have the database, you are not limited to 3 guesses. GPU based 
programs can try potentially billions of guesses per second.


The only real defence against this is password algorithms that are slow 
(computationally expensive). And GPUs have changed the definition of 
slow. Being difficult to implement on a GPU is an advantage at the 
moment, but future developments might also make the difficult easier.


Bottom line: the password database needs to be protected. Anyone who can 
read it can potentially crack some or all of the passwords.


Andrew Rowley

--
and...@blackhillsoftware.com
+61 413 302 386

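The offline cost model Andrew lays out above, together with the salt discussion earlier in the thread, as an added Python example that is not code from the list, from IBM or from hashcat: it takes the oclHashcat rates quoted in the thread as inputs, assumes the classic 39-symbol, 8-character RACF keyspace (an assumption, not stated on the page), and uses PBKDF2 as a stand-in for the "slow algorithm" (RACF's own DES variant is not modelled).

```python
"""Added example (not code from the IBM-MAIN thread, IBM or hashcat):
a cost model for offline password guessing next to the three storage
schemes the thread contrasts: unsalted fast hash, salted fast hash, and
a salted, deliberately slow KDF."""
import hashlib
import hmac
import secrets

# Rates quoted in the thread for one HD 6990 running oclHashcat v1.20.
RACF_RATE = 1.0e9       # RACF hashes per second
SHA512_RATE = 0.217e9   # SHA-512 hashes per second

# Assumption: the classic RACF password keyspace, 1 to 8 characters
# drawn from A-Z, 0-9 and the national characters @ # $ (39 symbols).
RACF_CHARSET = 39
RACF_MAXLEN = 8


def keyspace(charset: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len."""
    return sum(charset ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(charset: int, max_len: int, rate: float,
                       users: int = 1, salted: bool = True,
                       work_factor: int = 1) -> float:
    """Worst-case seconds to test every candidate against `users` records.

    Unsalted: one hash per candidate is compared with all users at once.
    Salted:   every (candidate, user) pair costs its own hash.
    A KDF with `work_factor` iterations divides the attacker's raw rate
    (simplification: one iteration is costed as one raw hash)."""
    per_candidate = users if salted else 1
    return keyspace(charset, max_len) * per_candidate * work_factor / rate


def store_fast(password: str) -> bytes:
    """Unsalted fast hash: equal passwords give equal records, so one
    computed guess can be checked against every user's record."""
    return hashlib.sha256(password.encode()).digest()


def store_salted(password: str, salt: bytes) -> bytes:
    """SHA2-256(salt || password): kills rainbow tables and amortisation,
    but a guess still costs one SHA-256 (the quoted article's point)."""
    return hashlib.sha256(salt + password.encode()).digest()


def store_kdf(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted and deliberately slow: PBKDF2-HMAC-SHA256 with a work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_kdf(password: str, salt: bytes, iterations: int,
               stored: bytes) -> bool:
    """All a verifier ever needs: recompute and compare in constant time.
    Nothing here inverts `stored`; a guesser can only repeat this check."""
    return hmac.compare_digest(store_kdf(password, salt, iterations), stored)


if __name__ == "__main__":
    ks = keyspace(RACF_CHARSET, RACF_MAXLEN)
    t_racf = seconds_to_exhaust(RACF_CHARSET, RACF_MAXLEN, RACF_RATE)
    t_sha = seconds_to_exhaust(RACF_CHARSET, RACF_MAXLEN, SHA512_RATE)
    t_kdf = seconds_to_exhaust(RACF_CHARSET, RACF_MAXLEN, RACF_RATE,
                               work_factor=100_000)
    print(f"keyspace {ks:.2e}: RACF rate {t_racf / 3600:.1f} h, "
          f"SHA-512 rate {t_sha / 3600:.1f} h, "
          f"100k-iteration KDF {t_kdf / (365 * 86400):.1f} years")
    salt = secrets.token_bytes(16)  # fresh random salt per record
    record = store_kdf("SECRET1", salt, 100_000)
    print("right password:", verify_kdf("SECRET1", salt, 100_000, record))
    print("wrong password:", verify_kdf("SECRET2", salt, 100_000, record))
```

With the thread's 1 GH/s figure the full 8-character keyspace falls in about an hour and a half, which is Gil's "order of hours"; the same keyspace behind a 100,000-iteration KDF takes on the order of years on the same hardware.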


Re: Cracking IBM Mainframe Password Hashes

2014-03-18 Thread Lou Losee
The biggest problem with this is if I recall correctly, the user id is
encrypted with the password with a variant of DES that has a slight twist
from the published DES algorithm.  That is why there are two types of DES
encrypt calls in the RACROUTE REQUEST=EXTRACT macro; ENCRYPT=(data
addr,DES) and ENCRYPT=(data addr,STDDES).

The first form does RACF's variant of DES and is used for the password
encryption.  Therefore, without reverse engineering the variant, a cracker
would have to use the RACROUTE macro to attempt to crack the passwords.

--
Artificial Intelligence is no match for Natural Stupidity
  - Unknown

