"Once they’d downloaded the RACF database, they subjected it to a 
password-cracking tool.  John the Ripper is one such tool, widely available on 
the internet.  On Feb 28, about the same time the RACF database was downloaded, 
some questions appeared on the mailing list PaulDotCom about hashing methods 
for RACF; by March 3rd, apparently in response, John the Ripper had been 
enhanced to include the capability of working on RACF passwords, in 
collaboration with another tool called CRACF.

"In the Zauf article is this description:  'Creating a password hash algorithm 
works like this:  After entering the password, it is padded with spaces, if 
necessary, to a length of 8 bytes.  Each character is then XORed with x‘55’ and 
shifted left one bit.  Then the user ID is DES-encrypted, using the modified 
password as the DES key.  Developers took a few days to determine the algorithm 
and modify John the Ripper.  Now the utility excels at hashing the RACF 
database.'  It also mentioned a source-code module named racf2john.c, 'a tool 
that converts database file exported in the input data, read for JTR' [Google’s 
translation from Polish].

"By way of testing, investigators attempted to use these tools themselves to 
crack RACF passwords.  They found that a great many passwords could be 
extracted, that they were easy to discover by dictionary attack, that they were 
not very complex and in many cases that they’d been unchanged from the default 
when the ID was created.  Using a standalone PC they cracked about 30 000 
passwords (out of 120 000 on Applicat’s database) in 'a couple of days'."

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* If the Earth were flat, cats would have pushed everything off it by now. */
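The hash construction quoted above, as an added example in Go (not code from the original post, the report, or John the Ripper), wired into the check an administrator would run over an unloaded database: whether an ID is still on its own user ID or one of the site's known initial passwords. Assumptions: ASCII byte strings where a real RACF database holds EBCDIC, passwords folded to upper case as old-style RACF did, and the constructed ID USER01 and candidate list.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
	"strings"
)

// pad8 upper-cases s and pads it with spaces to 8 bytes (assumption: ASCII;
// a real RACF unload is EBCDIC and an audit tool would convert first).
func pad8(s string) []byte {
	return []byte(fmt.Sprintf("%-8s", strings.ToUpper(s)))
}

// racfKey builds the DES key as the quoted article describes: pad the password,
// XOR each byte with 0x55, shift left one bit (drops the top bit, parity bit stays 0).
func racfKey(password string) []byte {
	key := make([]byte, 8)
	for i, b := range pad8(password)[:8] { // caller validates the length
		key[i] = (b ^ 0x55) << 1
	}
	return key
}

// racfDESHash returns the 8-byte legacy hash: the padded user ID
// DES-encrypted under the key derived from the password.
func racfDESHash(userID, password string) ([]byte, error) {
	if len(userID) == 0 || len(userID) > 8 || len(password) == 0 || len(password) > 8 {
		return nil, fmt.Errorf("user ID and password must each be 1-8 bytes")
	}
	block, err := des.NewCipher(racfKey(password))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	block.Encrypt(out, pad8(userID))
	return out, nil
}

// stillOnInitialPassword is the audit check: is the stored hash that of the
// user ID itself or of a known initial password? Returns the matching candidate.
func stillOnInitialPassword(userID string, stored []byte, initial []string) (string, bool) {
	for _, cand := range append([]string{userID}, initial...) {
		if h, err := racfDESHash(userID, cand); err == nil && bytes.Equal(h, stored) {
			return cand, true
		}
	}
	return "", false
}
```

Run over every profile in an unload, a hit means the account never left its initial password and should be forced to change at next logon.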


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Monday, May 6, 2019 13:14

I *believe* that was done by investigators after the fact, attempting to 
determine how the attack might have been done. I don't recall that there is 
compelling evidence that Svartholm actually did that.

It *is* trivially easy to do, assuming (a.) read access to the DB and (b.) 
old-style password storage.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of David Spiegel
Sent: Sunday, May 5, 2019 8:02 AM

One of the tricks he pulled was to offload the RACF Database to a PC and 
Dictionary Attack it.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
