Bugtraq mailing list archives
RE: Cracking OpenVMS passwords with John the Ripper
From: moose () microsoftsucks org
Date: Tue, 26 Nov 2002 22:03:31 GMT
Although OpenVMS passwords are not case sensitive and limited to alphanumeric characters, that does not mean cracking passwords is easier on OpenVMS than on other systems.
The algorithm used to encode OpenVMS passwords is irreversible (mentioned for the sake of completeness).
The password length is not limited to 8 characters. To give you an example, compare an 8 character password using ASCII ("!".."~") with a 10 character OpenVMS password: (127-33)**8/(2+26+10)**10=0.97
BTW most sites require the use of at least one digit, one special character, a non-alphanumeric character at the beginning etc. for unix and ms-dos. That limits the number of permutations significantly and you might end up with a number of possible passwords that can be cracked in less than a second if your system limits the password length to 8 characters.
There are a few other important features which are not so well known by the general hackers society (or shall I say script kiddies?).
OpenVMS users do not have access to the (encoded) passwords. A privilege like SYSPRV would grant access to the system user authorization file (SYSUAF), but a system administrator with this privilege already has access to the entire machine.
OpenVMS comes with intrusion detection. An attempt to guess the password will trigger countermeasures.
Exploiting typical vulnerabilities in poorly ported c/c++ unix/ms-dos applications is much more difficult because of the Alpha (and VAX) architecture and many OpenVMS features (see http://www.openvms.compaq.com/ for further information). I suggest you send your announcement to comp.os.vms - just to take flak!
I have written a patch for John the Ripper http://www.openwall.com/john/ to allow cracking OpenVMS (Vax and Alpha) passwords. The patch is based on code from Shawn Clifford, Davide Casale and Mario Ambrogetti.
The sources are in http://jl.gailly.net/security/john-VMS-patch.tar.gz
A README file is at http://gailly.net/security/john-VMS-readme.html or in ascii at http://jl.gailly.net/security/README.VMS
This patch has been tested on x86 only and does not work yet on big endian systems. It uses asm code for speed but a portable C version is included as well. The asm version checks about 150,000 passwords per second on a 1 GHz system.
Password cracking is much easier on OpenVMS than on other systems since passwords are not case sensitive and limited to alphanumeric, '$' and '_' only.
Jean-loup Gailly http://gailly.net/security/