RE: Cracking OpenVMS passwords with John the Ripper

From: mooseat_private
Date: Tue Nov 26 2002 - 14:03:31 PST


    Although OpenVMS passwords are not case sensitive and limited to
    alphanumeric characters, that does not mean cracking passwords is easier on
    OpenVMS than on other systems. 
    
    The algorithm used to encode OpenVMS passwords is irreversible (mentioned
    for the sake of completeness). 
    
    The password length is not limited to 8 characters. To give you an example,
    compare an 8 character password using ASCII ("!".."~") with a 10 character
    OpenVMS password: (127-33)**8/(2+26+10)**10=0.97 
    
    BTW most sites require the use of at least one digit, one special
    character, a non-alphanumeric character at the beginning etc. for unix and
    ms-dos. That limits the number of permutations significantly and you might
    end up with a number of possible passwords that can be cracked in less than
    a second if your system limits the password length to 8 characters. 
    
    There are a few other important features which are not so well known by the
    general hackers society (or shall I say script kiddies?). 
    
    OpenVMS users do not have access to the (encoded) passwords. A privilege
    like SYSPRV would grant access to the system user authorization file
    (SYSUAF), but a system administrator with this privilege already has access
    to the entire machine. 
    
    OpenVMS comes with intrusion detection. An attempt to guess the password
    will trigger countermeasures. 
    
    Exploiting typical vulnerabilities in poorly ported c/c++ unix/ms-dos
    applications is much more difficult because of the Alpha (and VAX)
    architecture and many OpenVMS features (see http://www.openvms.compaq.com/
    for further information). 
    
    I suggest you send your announcement to comp.os.vms - just to take flak! 
    
    > I have written a patch for John the Ripper http://www.openwall.com/john/
    > to allow cracking OpenVMS (Vax and Alpha) passwords.  The patch is based on
    > code from Shawn Clifford, Davide Casale and Mario Ambrogetti. 
    >
    > The sources are in http://jl.gailly.net/security/john-VMS-patch.tar.gz
    > A README file is at http://gailly.net/security/john-VMS-readme.html
    > or in ascii at http://jl.gailly.net/security/README.VMS 
    >
    > This patch has been tested on x86 only and does not work yet on big endian
    > systems. It uses asm code for speed but a portable C version is included as
    > well. The asm version checks about 150,000 passwords per second on a 1 GHz
    > system. Password cracking is much easier on OpenVMS than on other systems
    > since passwords are not case sensitive and limited to alphanumeric,
    > '$' and '_' only. 
    >
    > Jean-loup Gailly
    > http://gailly.net/security/
    
    



    This archive was generated by hypermail 2b30 : Sat Nov 30 2002 - 12:34:10 PST
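Added example, not part of the original message or of the John the Ripper patch: the keyspace comparison from the reply above, extended to show how a composition rule changes the count of valid passwords. The function names, the split of the 94 printable ASCII characters into classes, and the reading of the policy (leading non-alphanumeric character, at least one digit among the rest) are assumptions; the 150,000 guesses per second is the figure quoted in the announcement.

```python
"""Keyspace arithmetic for the comparison in the message above (added example)."""
from itertools import combinations

# Printable ASCII "!".."~" (94 characters) split into classes.
ASCII = {"lower": 26, "upper": 26, "digit": 10, "special": 32}
# OpenVMS alphabet as counted in the message: 2 + 26 + 10.
VMS = {"special": 2, "letter": 26, "digit": 10}
# Guesses/second quoted for the asm version on a 1 GHz x86; used here as a
# common yardstick for every row (assumption).
RATE = 150_000


def count_passwords(classes, length, required=()):
    """Count strings of `length` that contain at least one character from
    every class in `required`, by inclusion-exclusion over excluded classes."""
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            left = alphabet - sum(classes[c] for c in excluded)
            total += (-1) ** k * left ** length
    return total


def ascii8_with_policy():
    """Assumed reading of the composition rule: the first character is
    non-alphanumeric (which also supplies the required special character)
    and the other 7 characters contain at least one digit."""
    return ASCII["special"] * count_passwords(ASCII, 7, required=("digit",))


def years_to_exhaust(keyspace, rate=RATE):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace / rate / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rows = {
        "ASCII, 8 chars, no rules": count_passwords(ASCII, 8),
        "ASCII, 8 chars, with policy": ascii8_with_policy(),
        "OpenVMS, 10 chars": count_passwords(VMS, 10),
    }
    for name, n in rows.items():
        print(f"{name:28s} {n:.3e} candidates, "
              f"{years_to_exhaust(n):8.1f} years at {RATE}/s")
    ratio = rows["ASCII, 8 chars, no rules"] / rows["OpenVMS, 10 chars"]
    print("94**8 / 38**10 =", round(ratio, 2))
```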