PaulDotCom mailing list archives

Mainframe: RACF database file?


From: Main Framed <mainframed767 () gmail com>
Date: Tue, 28 Feb 2012 08:21:59 -0800

I've spent the last couple of days pulling my hair out trying to do some
testing against a test z/OS system I've got access to. Since this system is
mine (it's a lab system) and I have access to it I'm trying to build some
better tools to test mainframes.

I've got two goals:
1) Extract the user IDs and password hashes from a copy of the database
file. I'd prefer to do that using a copy of the file locally on my Linux
machine.
2) Identify the hashing algorithm (it's apparently a one way DES hash)

I've been mucking around for #1 but finding *any* information about this is
extremely frustrating. Even finding out what kind of file structure it is
is an act in frustration (I wasn't able to find out what kind of file it
was all I know is it's not VSAM).

I know tools already exist:

I've tried CRACF http://www.nigelpentland.co.uk/racf/cracf.htm, (and his
other tools) and they don't work in Windows XP. Running it in a DOS image I
have it loads but doesn't detect any of the simple passwords I've set (one
user is A with a password of A). He's also the creator of a tool called
WEAKPASS or something like it which also didn't work. I assume that's
because my version is newer than when these tools were written.

There's also PWCHECK ( http://www.goldisconsulting.com/OnePageG2.htm )
which is a program that runs on the mainframe. It doesn't extract the
hashes (well, the debug mode might) but it basically runs on the mainframe.
You need to install it to very privileged (APF datasets) areas. I *could*
try and use this to extract the hashes and user IDs but it's not free.

There is a way called EXTRACT in RACROUTE
http://publib.boulder.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.ichc600%2Fichzc6b039.htm.
It would require me writing some assembly, getting system privileges on a
mainframe and running the macro, but finding any information about it is
difficult to understand for a mainframe neophyte such as myself.

For #2 I think it's a one way DES hashing algorithm which takes the user
ID, padded to 8 characters and uses the password as the salt, padded to
8 characters. From
http://2000clicks.com/links/Computers/IBMMainframeHistory/cracker.htm I was
able to see what, potentially, the hash would look like:

User ID: IBMUSER
Password: SYS1
Hashed Password: C585D307BD44E61F

But this could be from an older version of RACF, it's unclear. IBM is
pretty tight lipped about this. I know where, in the database, the password
is stored: from
http://publib.boulder.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.ichc600%2Frteut.htm
I know that in the user table(?) the password is the 12th field but other
than that I am lost.

I feel like I have all the pieces I need to be able to break this file
apart but I need some guidance to look in the right places. Strings shows
me the user IDs (plus lots of other stuff) but the hashes aren't stored in
plaintext in the database. Same with a HEX editor.

I'm wondering if anyone on the list has any experience with the mainframe
and working with this file specifically. Or even on where to start looking
would be a nice start.

I've also joined the RACF-L mailing list but they aren't
very forthcoming with information about breaking apart their flagship
security database.