|
Message-ID: <CA+1i5E7+c4z24oe5+Z9fB+969x0SB9nwazkOrd-NFqqJ=bi-iA@mail.gmail.com> Date: Tue, 13 Mar 2012 21:19:45 -0700 From: Main Framed <mainframed767@...il.com> To: john-users@...ts.openwall.com Subject: Re: Re: Cracking RACF passwords It was a long couple of weeks digging this out of RACF, but thanks to Nigels help Dhiru was able to get it up and running in C very quickly. If anyone on here works at a company that runs IBM mainframes they may have access to zPDT (or ACDC) which is a "virtual" mainframe that runs on x86 (so your laptop or desktop). You may want to go that route in getting test RACF databases to play around with. If your company didn't get a couple out of their IBM deal then you can always purchase it for $30,000. There's also the emulator hercules but its hard to get images etc configured for it (and it's against the license agreement for zOS to run on Hercules). Right now, as Dhiru has said, the process has an extra step (step #3): 1) Use JCL to create a copy of the RACF database (see http://pastebin.com/gpDTz7EF) 2) FTP it off of the mainframe. Make sure you type "binary" before you type "get" otherwise it won't work in CRACF 3) Use CRACF (http://www.nigelpentland.co.uk/cracf.htm, hopefully someone will mirror so it doesn't disappear eventually) to extract the hashes, and potentially identify ultra week passwords 4) Use /run/cracf2john.py to convert CRACF.TXT it to a format JtR expects 5) Use JtR If you look at most of the mainframe implementations they're getting the password from memory OR you have to supply it with the password hashes. RACF has some (non built in tools) for copying usernames and passwords that you might be able to use. But honestly, copying the database off the mainframe and doing all your processing locally is so much easier. Also, most mainframe implementations don't require mixed case and there's only three special chars ($, @ and #). On top of that, the basic mainframe "shell" called TSO doesn't support passwords longer than 7. So basically if you're cracking a RACF database start with characters A - Z, 0 - 9, #, @, $ with a max length of 7 characters. On Mon, Mar 12, 2012 at 11:10 AM, Andres Ederra <andres.ederra@...il.com>wrote: > Awesome work! Thanxs! > > That is such a huge step forward! > > I found the previous asm code I posted deep into the archive of > http://www.os390-mvs.freesurf.fr< > http://www.os390-mvs.freesurf.fr/ichdex01.htm> > > It shouldn't be that hard to process RACF binary database into something > john-friendly > > If I get access to some of our RACF admins I can generate some racf db > dumps and build an alternative to cracf.exe ... (but that can take > months... things run slowly at corporate world...) > > > Best Regards > > Andrés > > 2012/3/12 Dhiru Kholia <dhiru.kholia@...il.com> > > > On Mon, Mar 12, 2012 at 8:15 PM, Andres Ederra <andres.ederra@...il.com> > > wrote: > > > Hi Alexander (and all), > > > > > > Anyway as far as I have investigated the issue the problem is to learn > > > the RACF algorithm, coding it as a john module its a no-issue. > > > > > > I'm afraid that the people who know that info maybe retired (or > > > dead...) and IBM is not going to collaborate that much (I would want > > > to be wrong but...) > > > > Thanks to Nigel and Main Framed, RACF algorithm is now *known*. A JtR > > module has also been written (Check > > https://github.com/magnumripper/magnum-jumbo). The only part remaining > > is converting RACF binary database(s) into a format usable by JtR > > (i.e. racf2john utility). For now you can use CRACF (to get CRACF.txt > > file from input RACF database), cracf2john.py (for CRACF.txt to JtR > > suitable conversion) and finally JtR to audit mainframe passwords. > > > > -- > > Cheers, > > Dhiru > > >
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.