PaulDotCom mailing list archives
Mainframe: RACF database file?
From: Main Framed <mainframed767 () gmail com>
Date: Tue, 28 Feb 2012 08:21:59 -0800
I've spent the last couple of days puling my hair out trying to do some testing against a test z/OS system I've got access to. Since this system is mine (it's a lab system) and I have access to it I'm trying to build some better tools to test mainframes. I've got two goals: 1) Extract the user IDs and password hashes from a copy of the database file. I'd prefer to do that using a copy of the file locally on my Linux machine. 2) Identify the hashing algorithm (it's apparently a one way DES hash) I've been mucking around for #1 but finding *any* information about this is extremely frustrating. Even finding out what kind of file structure it is is an act in frustration (I wasn't able to find out what kind of file it was all I know is it's not VSAM). I know tools already exist: I've tried CRACF http://www.nigelpentland.co.uk/racf/cracf.htm, (and his other tools) and they don't work in Windows XP. Running it in a DOS image I have it loads but doesn't detect any of the simple passwords I've set (one user is A with a password of A). He's also the creator of a tool called WEAKPASS or something like it which also didn't work. I assume thats because my version is newer than when these tools were written. There's also PWCHECK ( http://www.goldisconsulting.com/OnePageG2.htm ) which is a program that runs on the mainframe. It doesn't extract the hashes (well, the debug mode might) but it basically runs on the mainframe. You need to install it to very privileged (APF datasets) areas. I *could* try and use this to extract the hashes and user IDs but it's not free. There is a way called EXTRACT in RACROUTE http://publib.boulder.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.ichc600%2Fichzc6b039.htm. It would require me writting some assembly, getting system privileges on a mainframe and running the macro, but finding any information about it is difficult to understand for a mainframe neophyte such as myself. For #2 I think it's a one way DES hashing algorithm which takes the user ID, padded to 8 characters and uses the password as the salt, padded to 8 characters. From http://2000clicks.com/links/Computers/IBMMainframeHistory/cracker.htm I was able to see what, potentially the hash would look like: Userd ID: IBMUSER Password: SYS1 Hashed Password: C585D307BD44E61F But this could be from an older version of RACF, it's unclear. IBM is pretty tight lipped about this. I know where, in the database, the password is stored: from http://publib.boulder.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.ichc600%2Frteut.htm I know that in the user table(?) the password is the 12th field but other than that I am lost. I feel like I have all the pieces I need to be able to break this file apart but I need some guidance to look in the right places. Strings shows me the user IDs (plus lots of other stuff) but the hashes aren't stored in plaintext in the database. Same with a HEX editor. I'm wondering if anyone on the list has any experience with the mainframe and working with this file specifically. Or even on where to start looking would be a nice start. I've also joined the RACF-L mailing list but there aren't very forthcoming with information about breaking apart their flagship security database.
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Mainframe: RACF database file? Main Framed (Feb 29)
- <Possible follow-ups>
- Re: Mainframe: RACF database file? Main Framed (Mar 04)
- Re: Mainframe: RACF database file? Main Framed (Mar 16)
- Re: Mainframe: RACF database file? Kevin Shaw (Mar 16)
- Re: Mainframe: RACF database file? Champ Clark III (Mar 16)
- Re: Mainframe: RACF database file? John Hoyt (Mar 16)
- Re: Mainframe: RACF database file? Joel Gunderson (Mar 18)
- Re: Mainframe: RACF database file? Main Framed (Mar 16)