PaulDotCom mailing list archives

Re: Mainframe: RACF database file?


From: Kevin Shaw <kevin.lee.shaw () gmail com>
Date: Fri, 16 Mar 2012 13:47:39 -0400

Actually this is probably very useful in the STIG area for Tricare. A lot
of medical companies still seem to use them.
On Mar 16, 2012 1:40 PM, "Main Framed" <mainframed767 () gmail com> wrote:

Not much interest in this but I wanted to make sure I completed what I
started. Anyway I'm happy to announce that thanks to work done by folks
over on the John the Ripper mailing list, RACF databases are now supported.
A new plugin was added to JtR to support RACF DES hashes and a new tool
(racf2john) was developed to pull the usernames and hashes out of a copy of
the RACF database.

For anyone curious the algorithm was obfuscating the key before putting it
through DES. Basically each byte was XOR'd with 0x55 and bit shifted to the
left by one bit (thanks goes to Nigel Pentland for figuring it out).

On Sat, Mar 3, 2012 at 7:43 PM, Main Framed <mainframed767 () gmail com> wrote:

Good news everyone!

Turns out it was because I had downloaded the file from FTP which did the
conversion from EBCDIC to ASCII. Instead I should've typed 'binary' before
downloading the file. Neophyte mistake. Because of that I was able to find
the example "hash" I included and from there find all the hashes. Next my
other problem. I created an example account:

UserID: TTTTTTTT
Password: TESTTEST

This creates a DES hash (in hex) of: 42 4B 25 8A F8 B9 06 1B

Unfortunately when I try to recreate the password using Python DES (in the
interpreter) I get a different hex value:

from Crypto.Cipher import DES
s = "TTTTTTTT"
p = "TESTTEST"
es = s.decode('ascii').encode('EBCDIC-CP-BE')
ep = p.decode('ascii').encode('EBCDIC-CP-BE')
des = DES.new(ep,DES.MODE_CBC)
cipher = des.encrypt(es)
cipher
'\\t\x9bM\x05\x8dL\x8d'

Which doesn't look to me to be the same hex values like I expected it to.
What am I doing wrong?


Date: Tue, 28 Feb 2012 08:21:59 -0800
From: Main Framed <mainframed767 () gmail com>
Subject: [Pauldotcom] Mainframe: RACF database file?
To: pauldotcom () mail pauldotcom com



I've spent the last couple of days pulling my hair out trying to do some
testing against a test z/OS system I've got access to. Since this system is
mine (it's a lab system) and I have access to it I'm trying to build some
better tools to test mainframes.

I've got two goals:
1) Extract the user IDs and password hashes from a copy of the database
file. I'd prefer to do that using a copy of the file locally on my Linux
machine.
2) Identify the hashing algorithm (it's apparently a one way DES hash)

I've been mucking around for #1 but finding *any* information about this is
extremely frustrating. Even finding out what kind of file structure it is
is an act in frustration (I wasn't able to find out what kind of file it
was; all I know is it's not VSAM).

I know tools already exist:

I've tried CRACF http://www.nigelpentland.co.uk/racf/cracf.htm, (and his
other tools) and they don't work in Windows XP. Running it in a DOS image I
have, it loads but doesn't detect any of the simple passwords I've set (one
user is A with a password of A). He's also the creator of a tool called
WEAKPASS or something like it which also didn't work. I assume that's
because my version is newer than when these tools were written.

There's also PWCHECK ( http://www.goldisconsulting.com/OnePageG2.htm )
which is a program that runs on the mainframe. It doesn't extract the
hashes (well, the debug mode might) but it basically runs on the mainframe.
You need to install it to very privileged (APF datasets) areas. I *could*
try and use this to extract the hashes and user IDs but it's not free.

There is a way called EXTRACT in RACROUTE

http://publib.boulder.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.ichc600%2Fichzc6b039.htm .
It would require me writing some assembly, getting system privileges on a
mainframe and running the macro, but finding any information about it is
difficult to understand for a mainframe neophyte such as myself.

For #2 I think it's a one way DES hashing algorithm which takes the user
ID, padded to 8 characters and uses the password as the salt, padded to
8 characters. From
http://2000clicks.com/links/Computers/IBMMainframeHistory/cracker.htm I was
able to see what, potentially, the hash would look like:

User ID: IBMUSER
Password: SYS1
Hashed Password: C585D307BD44E61F

But this could be from an older version of RACF, it's unclear. IBM is
pretty tight lipped about this. I know where, in the database, the password
is stored: from
http://publib.boulder.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.ichc600%2Frteut.htm
I know that in the user table(?) the password is the 12th field but other
than that I am lost.

I feel like I have all the pieces I need to be able to break this file
apart but I need some guidance to look in the right places. Strings shows
me the user IDs (plus lots of other stuff) but the hashes aren't stored in
plaintext in the database. Same with a HEX editor.

I'm wondering if anyone on the list has any experience with the mainframe
and working with this file specifically. Or even on where to start looking
would be a nice start.

I've also joined the RACF-L mailing list but they aren't
very forthcoming with information about breaking apart their flagship
security database.
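The hash construction this thread works out (the EBCDIC password bytes each XORed with 0x55 and shifted left one bit become the DES key, and the EBCDIC user ID is the single block encrypted), written out as an added example in Go; it is not code from the thread, from JtR or from racf2john. Assumptions labelled in the code: a minimal EBCDIC 037/500 table covering only upper-case letters, digits and space, padding of both fields with EBCDIC spaces, and raw 8-byte output that the caller formats as hex.

```go
package main

import (
	"crypto/des"
	"fmt"
)

// EBCDIC (code page 037/500) values of 'A'..'Z'; letters sit in three separate groups. Assumed minimal table, not a full code page.
const ebcdicAZ = "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9"

// toEBCDIC8 converts s (upper-case, as RACF stores it) to an 8-byte EBCDIC field padded with EBCDIC spaces, 0x40 (assumed padding).
func toEBCDIC8(s string) ([]byte, error) {
	if len(s) > 8 {
		return nil, fmt.Errorf("%q is longer than 8 characters", s)
	}
	out := []byte("\x40\x40\x40\x40\x40\x40\x40\x40")
	for i := 0; i < len(s); i++ {
		switch c := s[i]; {
		case c >= 'A' && c <= 'Z':
			out[i] = ebcdicAZ[c-'A']
		case c >= '0' && c <= '9':
			out[i] = 0xF0 + (c - '0') // digits are contiguous at 0xF0..0xF9
		default:
			return nil, fmt.Errorf("%q is not in the example EBCDIC table", c)
		}
	}
	return out, nil
}

// racfKey is the obfuscation the thread describes: XOR each EBCDIC password byte with 0x55, then shift it left one bit (the top bit drops off).
func racfKey(pw []byte) []byte {
	key := make([]byte, len(pw))
	for i, b := range pw {
		key[i] = (b ^ 0x55) << 1
	}
	return key
}

// racfDESHash is DES(key = racfKey(password), block = user ID): a single 8-byte
// block, so plain ECB, which is how the thread says RACF builds the hash.
func racfDESHash(userID, password string) ([]byte, error) {
	uid, errU := toEBCDIC8(userID)
	pw, errP := toEBCDIC8(password)
	if errU != nil || errP != nil {
		return nil, fmt.Errorf("bad user ID or password: %v / %v", errU, errP)
	}
	c, _ := des.NewCipher(racfKey(pw)) // cannot fail: the key is always 8 bytes
	c.Encrypt(uid, uid)                // in place; the user ID is exactly one block
	return uid, nil
}
```

Call racfDESHash from a main or a test and print the result with %X to compare the IBMUSER/SYS1 pair quoted from 2000clicks above with the hash listed there.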



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
