[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Cracking OpenVMS passwords with John the Ripper

Although OpenVMS passwords are not case sensitive and limited to
alphanumeric characters, that does not mean cracking passwords is easier on
OpenVMS than on other systems.
The algorithm used to encode OpenVMS passwords is irreversible (mentioned
for the sake of completeness).
The password length is not limited to 8 characters. To give you an example,
compare an 8 character password using ASCII ("!".."~") with a 10 character
OpenVMS password: (127-33)**8/(2+26+10)**10=0.97
BTW most sites require the use of at least one digit, one special
character, a non-alphanumberic character at the beginning etc. for unix and
ms-dos. That limits the number of permutations significantly and you might
end up with a number of possible passwords that can be cracked in less than
a second if your system limits the password length to 8 characters.
There are a few other important features which are not so well known by the
general hackers society (or shall I say script kiddies?).
OpenVMS users do not have access to the (encoded) passwords. A privilege
like SYSPRV would grant access to the system user authorization file
(SYSUAF), but a system administrator with this privilege already has access
to the entire machine.
OpenVMS comes with intrusion detection. An attempt to guess the password
will trigger counter measures.
Exploiting typical vulnerabilities in poorly ported c/c++ unix/ms-dos
applications is much more difficult because of the Alpha (and VAX)
architecture and many OpenVMS features (see http://www.openvms.compaq.com/
for further information). I suggest you send your announcemnt to comp.os.vms - just to take flak!
I have written a patch for John the Ripper http://www.openwall.com/john/
to allow cracking OpenVMS (Vax and Alpha) passwords.  The patch is based on
code from Shawn Clifford, Davide Casale and Mario Ambrogetti.
The sources are in http://jl.gailly.net/security/john-VMS-patch.tar.gz
A README file is at http://gailly.net/security/john-VMS-readme.html
or in ascii at http://jl.gailly.net/security/README.VMS
This patch has been tested on x86 only and does not work yet on big endian
systems. It uses asm code for speed but a portable C version is included as
well. The asm version checks about 150,000 passwords per second on a 1 GHz
system. Password cracking is much easier on OpenVMS than on other systems
since passwords are not case sensitive and limited to alphanumeric,
'$' and '_' only.
Jean-loup Gailly

Get your free email at http://www.microsoftsucks.org