PaulDotCom mailing list archives
Re: Mainframe: RACF database file?
From: Champ Clark III <cclark () quadrantsec com>
Date: Fri, 16 Mar 2012 14:00:52 -0400
Wow.. That's pretty awesome IMHO. Years ago, I worked with Jean-Loup Gailly on getting JtR supported for OpenVMS SYSUAF.DAT password cracking. To be honest, he did the hard work, I supplied some assistance with OpenVMS (via the public access OpenVMS Deathrow cluster - http://deathow.vistech.net - shameless plug :)

I think it's very cool to see RACF databases supported in JtR. It's always interesting to see "interesting" platforms get supported in JtR :)

Nice job!

On 3/16/12 11:52 AM, Main Framed wrote:
Not much interest in this but I wanted to make sure I completed what I started. Anyway I'm happy to announce that thanks to work done by folks over on the John the Ripper mailing list, RACF databases are now supported. A new plugin was added to JtR to support RACF DES hashes and a new tool (racf2john) was developed to pull the usernames and hashes out of a copy of the RACF database.

For anyone curious the algorithm was obfuscating the key before putting it through DES. Basically each byte was XOR'd with 0x55 and bit shifted to the left by one bit (thanks goes to Nigel Pentland for figuring it out).

On Sat, Mar 3, 2012 at 7:43 PM, Main Framed <mainframed767 () gmail com> wrote:

Good news everyone! Turns out it was because I had downloaded the file from FTP which did the conversion from EBCDIC to ASCII. Instead I should've typed 'binary' before downloading the file. Neophyte mistake. Because of that I was able to find the example "hash" I included and from there find all the hashes.

Next my other problem. I created an example account:

    UserID: TTTTTTTT
    Password: TESTTEST

This creates a des hash (in hex) of: 42 4B 25 8A F8 B9 06 1B

Unfortunately when I try to recreate the password using python (in the interpreter) DES I get a different hex value:

    >>> from Crypto.Cipher import DES
    >>> s = "TTTTTTTT"
    >>> p = "TESTTEST"
    >>> es = s.decode('ascii').encode('EBCDIC-CP-BE')
    >>> ep = p.decode('ascii').encode('EBCDIC-CP-BE')
    >>> des = DES.new(ep, DES.MODE_CBC)
    >>> cipher = des.encrypt(es)
    >>> cipher
    '\\t\x9bM\x05\x8dL\x8d'

Which doesn't look to me to be the same hex values like I expected it to. What am I doing wrong?

Date: Tue, 28 Feb 2012 08:21:59 -0800
From: Main Framed <mainframed767 () gmail com>
Subject: [Pauldotcom] Mainframe: RACF database file?
To: pauldotcom () mail pauldotcom com

I've spent the last couple of days pulling my hair out trying to do some testing against a test z/OS system I've got access to. Since this system is mine (it's a lab system) and I have access to it I'm trying to build some better tools to test mainframes. I've got two goals:

1) Extract the user IDs and password hashes from a copy of the database file. I'd prefer to do that using a copy of the file locally on my Linux machine.
2) Identify the hashing algorithm (it's apparently a one way DES hash)

I've been mucking around for #1 but finding *any* information about this is extremely frustrating. Even finding out what kind of file structure it is is an act in frustration (I wasn't able to find out what kind of file it was, all I know is it's not VSAM). I know tools already exist: I've tried CRACF http://www.nigelpentland.co.uk/racf/cracf.htm (and his other tools) and they don't work in Windows XP. Running it in a DOS image I have it loads but doesn't detect any of the simple passwords I've set (one user is A with a password of A). He's also the creator of a tool called WEAKPASS or something like it which also didn't work. I assume that's because my version is newer than when these tools were written.

There's also PWCHECK ( http://www.goldisconsulting.com/OnePageG2.htm ) which is a program that runs on the mainframe. It doesn't extract the hashes (well, the debug mode might) but it basically runs on the mainframe. You need to install it to very privileged (APF datasets) areas. I *could* try and use this to extract the hashes and user IDs but it's not free.

There is a way called EXTRACT in RACROUTE http://publib.boulder.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.ichc600%2Fichzc6b039.htm. It would require me writing some assembly, getting system privileges on a mainframe and running the macro, but finding any information about it is difficult to understand for a mainframe neophyte such as myself.

For #2 I think it's a one way DES hashing algorithm which takes the user ID, padded to 8 characters and uses the password as the salt, padded to 8 characters. From http://2000clicks.com/links/Computers/IBMMainframeHistory/cracker.htm I was able to see what, potentially, the hash would look like:

    User ID: IBMUSER
    Password: SYS1
    Hashed Password: C585D307BD44E61F

But this could be from an older version of RACF, it's unclear. IBM is pretty tight lipped about this. I know where, in the database, the password is stored: from http://publib.boulder.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.ichc600%2Frteut.htm I know that in the user table(?) the password is the 12th field but other than that I am lost.

I feel like I have all the pieces I need to be able to break this file apart but I need some guidance to look in the right places. Strings shows me the user IDs (plus lots of other stuff) but the hashes aren't stored in plaintext in the database. Same with a HEX editor. I'm wondering if anyone on the list has any experience with the mainframe and working with this file specifically. Or even on where to start looking would be a nice start. I've also joined the RACF-L mailing list but they aren't very forthcoming with information about breaking apart their flagship security database.

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
--
Champ Clark III (cclark () quadrantsec com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A
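The hashing scheme the thread arrives at (space-padded EBCDIC user ID as the DES plaintext, space-padded EBCDIC password with every byte XORed with 0x55 and shifted left one bit as the DES key, one ECB block) worked through as an added Go example; this is not code from the thread, from JtR or from racf2john, and it checks itself against the two user ID/password/hash vectors quoted above. The EBCDIC table is my own assumption limited to the uppercase letters, digits and space those vectors need, not a full code page.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// ebcdicOf maps the characters RACF permits in user IDs and passwords (uppercase letters,
// digits, space) to EBCDIC. EBCDIC letters come in three separate runs (A-I, J-R, S-Z).
var ebcdicOf = func() map[byte]byte {
	m := map[byte]byte{' ': 0x40}
	for i, run := range []string{"ABCDEFGHI", "JKLMNOPQR", "STUVWXYZ", "0123456789"} {
		for j := 0; j < len(run); j++ {
			m[run[j]] = []byte{0xC1, 0xD1, 0xE2, 0xF0}[i] + byte(j)
		}
	}
	return m
}()
// toEBCDIC8 uppercases s, pads it with spaces to 8 bytes and converts it to EBCDIC.
func toEBCDIC8(s string) (out [8]byte) {
	if len(s) == 0 || len(s) > 8 {
		panic("RACF user IDs and passwords are 1 to 8 characters")
	}
	for i, c := range fmt.Sprintf("%-8s", strings.ToUpper(s)) {
		e, ok := ebcdicOf[byte(c)]
		if !ok {
			panic(fmt.Sprintf("%q is outside the RACF character set handled here", c))
		}
		out[i] = e
	}
	return out
}
// racfDESHash is the legacy RACF DES hash as described in the thread: the space-padded
// EBCDIC user ID is the plaintext block and the key is the space-padded EBCDIC password
// with every byte XORed with 0x55 and shifted left one bit. One ECB block, so no IV.
func racfDESHash(userID, password string) string {
	plain, key := toEBCDIC8(userID), toEBCDIC8(password)
	for i := range key {
		key[i] = (key[i] ^ 0x55) << 1 // top bit drops off; low (DES parity) bit becomes 0
	}
	block, _ := des.NewCipher(key[:]) // cannot fail: the key is always exactly 8 bytes
	block.Encrypt(plain[:], plain[:]) // in place: plain now holds the 8-byte hash
	return strings.ToUpper(hex.EncodeToString(plain[:]))
}
func main() {
	fmt.Println(racfDESHash("TTTTTTTT", "TESTTEST")) // 424B258AF8B9061B, vector from the thread
	fmt.Println(racfDESHash("IBMUSER", "SYS1"))      // C585D307BD44E61F, vector from the thread
}
```

Both vectors from the thread match only once the XOR/shift step is applied to the key, which is the step missing from the Python attempt quoted above.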