Penetration Testing mailing list archives

Re: [PEN-TEST] Pen-Testing AS/400

From: Mike Ahern <mc_ahern () YAHOO COM>
Date: Wed, 13 Dec 2000 08:56:43 -0800

Al Sparks wrote:
Here's my 2 cents regarding AS/400 security.  First,
regarding passwords; AS/400s do allow you to restrict
what passwords you can enter and even use your own
password checking program if you so choose. However,
AS/400 passwords do have 2 inherent weaknesses, making
brute force attacks easier, the passwords are not case
sensitive, and youre limited to 10 characters. That
cuts down considerably on the amount of total
passwords a brute force attack needs to check.

Here's my 2 sheckles:
I believe (please correct me if I am wrong), that
AS/400 passwords are displayed all uppercase and are
not case sensitive. This limits the password diversity
to 26 alpha characters. Also special characters are
limited to four "safe" special characters (@, #, $,
and _), which again limits password diversity. Then, I
also believe that the first character in a password
must be an alpha character. Numerics (0-9) are also
permitted.

Special security settings (I am aware of) that are
possible in AS/400 include:
 -limit adjacent digits in a password (supposedly to
prevent use of social security numbers, dates, etc.,
in passwords)
 -limit repeating characters in password
 -limit password character positions (for greater
uniqueness)
 -require a digit in the password
 -duplicate password control
 -password min/max length settings
 -password expiration intervals
 -maximum signon attempts permitted

Some of these settings I believe are a double edged
sword, preventing poor password creation problems
typically seen by many unsophisticated users. The
other side of this is that some of these same settings
can also restrict a great many possible password
combinations, reducing potential password entropy in a
situation where the manufacturer has already
significantly done that (by limiting possible
character sets to a very small subset of what is
permissible on other computer systems).

It is my opinion that if you take the poor
administration of most systems (weak security
settings, short minimum password length often
selected, etc.), poor user password construction
(tendancy to use words, tendancy to append numbers or
special characters, username=password, etc.) 400's are
often as insecure (or more so) than other computer
systems, tho they can be configured to be very secure
platforms (like many other O/S's) if you have a
diligent security-aware system admin.

 - mch






__________________________________________________
Do You Yahoo!?
Yahoo! Shopping - Thousands of Stores. Millions of Products.
http://shopping.yahoo.com/

Current thread:

Re: [PEN-TEST] Pen-Testing AS/400, (continued)
- Re: [PEN-TEST] Pen-Testing AS/400 Walsh, John (Dec 13)
- [PEN-TEST] Pen-Testing AS/400 Mike Ahern (Dec 13)
  - Re: [PEN-TEST] Pen-Testing AS/400 Mary Galligan (Dec 15)
    - Re: [PEN-TEST] Pen-Testing AS/400 David Knaack (Dec 15)
    - Re: [PEN-TEST] Pen-Testing AS/400 Enno Rey (Dec 15)
    - [PEN-TEST] Routing Protocol security paper now available NetW3.COM Consulting (Dec 16)
    - Re: [PEN-TEST] Routing Protocol security paper now available Arthur Clune (Dec 19)
    - Re: [PEN-TEST] Routing Protocol security paper now available Nicolas GREGOIRE (Dec 20)
- Re: [PEN-TEST] Pen-Testing AS/400 Bias, Harry (Dec 13)
- Re: [PEN-TEST] Pen-Testing AS/400 Al Sparks (Dec 13)
- Re: [PEN-TEST] Pen-Testing AS/400 Mike Ahern (Dec 14)