new version of OpenVMS password cracker


Jean-loup Gailly

Dec 11, 2002, 1:50:22 PM
A new version of an OpenVMS password cracker, including Vax and Alpha
executables, is available on my page http://gailly.net/security/
The initial announcement was
http://groups.google.com/groups?threadm=as0v2v%249m9%241%40home.gailly.net

The new version is significantly faster on most machines, particularly
on the Alpha (speed multiplied by 4). The Intel version now checks
about 200,000 passwords per second on a 1 GHz cpu.

Thanks to Martin Vorlaender for providing the VMS specific code
for non blocking I/O.

Jean-loup Gailly
http://gailly.net/security/

Didier Morandi

Dec 12, 2002, 3:07:35 PM
and thanks to "Réseaux & Télécom" who posted, about your announcement, the very
first press article in France on VMS since the 31st of December 1998...

D.

Jean-loup Gailly wrote:

Bob Koehler

Dec 12, 2002, 3:50:16 PM
In article <3DF8EC87...@Free.fr>, Didier Morandi <Didier.Mor...@Free.fr> writes:
> and thanks to "Réseaux & Télécom" who posted, about your announcement, the very
> first press article in France on VMS since the 31st of December 1998...
>

unuaf still chokes on my UAF file after the first few entries.
Maybe I'll rewrite it using documented APIs, someday.

Brian Tillman

Dec 16, 2002, 1:18:26 PM
I'm trying to run john on a VAX 4600. It's clocked "3 09:00:09.32" of CPU
time and shows no signs of stopping. What's reasonable?
--
Brian Tillman
Smiths Aerospace
3290 Patterson Ave. SE, MS
Grand Rapids, MI 49512-1991
Internet: Brian.Tillman at smiths-aerospace dot com
(Addresses modified to prevent SPAM. Replace "at" with "@", "dot" with ".")
This opinion doesn't represent that of my company

Carl Karcher

Dec 16, 2002, 3:01:44 PM
In a previous article, "Brian Tillman" <tillma...@notnoone.notnohow.com> wrote:

->I'm trying to run john on a VAX 4600. It's clocked "3 09:00:09.32" of CPU
->time and shows no signs of stopping. What's reasonable?

From what I've gathered by experimenting and reading the documentation
(in the .doc directory of the source tree), if you used "incremental
mode" E.g.

john -i:vms sysuaf.john

it will perform a brute force attack after it's finished with
intelligent guessing (using combinations in password.lst I suspect) and
won't likely terminate. If you haven't found any in 3 days I'd terminate
it and perhaps try a wordlist mode. A VAX 4600 is not really fast enough
to audit passwords using brute force. You might be better off with the
Intel version on a 1 GHz+ box. Though the advantage of running it on VMS
is you don't have to worry about the system staying up long enough to
get results.

On an ES40/833 I've found it can crack 6 letter passwords at the rate of
several per day and seems to get slower the longer it runs. The first
day it found ~ 20 so it appears to make intelligent guesses first
followed by brute force. I can't discern any order it uses in checking
usernames (appears random to me).

It's definitely an eye opening tool and lets you know what you're up
against. It's certainly going to make me rethink our password length
policy.

Many thanks to Jean-loup for the VMS work on this.

--
-- Carl Karcher, Waisman Computing Services, Waisman Center, UW-Madison
-- karcher.n...@waisman.wisc.edu

Doc.Cypher

Dec 17, 2002, 4:23:59 AM
to mail...@freedom.gmsociety.org
On 16 DEC 2002, kar...@thuria.waisman.wisc.edu (Carl Karcher) wrote:

>It's definitely an eye opening tool and lets you know what you're up
>against. It's certainly going to make me rethink our password length
>policy.
>
>Many thanks to Jean-loup for the VMS work on this.

I believe Jean-Loup has done some additional work on it to resolve the
issue reported by Bob Koehler.


Doc.
--
Time and money, the psychotropics of the business world...
~ VAXman https://vmsbox.cjb.net

Brian Tillman

Dec 18, 2002, 11:58:23 AM
>From what I've gathered by experimenting and reading the documentation
>(in the .doc directory of the source tree), if you used "incremental
>mode" E.g.
>
>john -i:vms sysuaf.john
>
>it will perform a brute force attack after it's finished with
>intelligent guessing (using combinations in password.lst I suspect) and
>won't likely terminate.

But I didn't use the -i option. I submitted a batch job that contains:

$ set def [.ripper.john-1_6_32vms.run]
$ john == "$sys$disk:[]john"
$ john sysuaf.john
$ exit

So far, it's used "4 23:06:00.12" of CPU time and has processed six
usernames. Doesn't seem right to me.

Carl Karcher

Dec 18, 2002, 12:52:37 PM
In a previous article, "Brian Tillman" <tillma...@notnoone.notnohow.com> wrote:

->But I didn't use the -i option. I submitted a batch job that contains:
->
->$ set def [.ripper.john-1_6_32vms.run]
->$ john == "$sys$disk:[]john"
->$ john sysuaf.john
->$ exit
->
->So far, it's used "4 23:06:00.12" of CPU time and has processed six
->usernames. Doesn't seem right to me.

Then you do end up using incremental (brute force) eventually:
From the doc/examples. file:

2. Assume you just got a password file, 'passwd.1', and want to crack it.
The simplest way is to use the default order of cracking modes:

john passwd.1

This will try "single crack" mode first, then use a wordlist with rules,
and finally go for incremental mode. Read doc/MODES for more information
on these modes.

I'd kill it and try wordlist mode with a larger wordlist (dictionary).

Jean-loup Gailly

Dec 19, 2002, 12:06:49 PM
Brian Tillman wrote:

> But I didn't use the -i option.

You shouldn't do this for VMS, unless you have modified your configuration
file john.conf. The default incremental mode tries all possible 95 ASCII
characters, whereas the more efficient VMS incremental mode tries only the
38 legal characters for VMS. This makes an enormous difference in speed
because you do not waste time trying illegal passwords or trying many times
different uppercase or lowercase combinations of passwords considered
the same by VMS.

To get optimal results on VMS, you should make the following
modifications to john.conf:

- replace [List.Rules:Wordlist] with [List.Rules:Wordlist2]
- replace [List.Rules:WordlistVMS] with [List.Rules:Wordlist]
- replace [Incremental:All] with [Incremental:All2]
- replace [Incremental:VMS] with [Incremental:All]

The first 2 replacements are already made in the VMS specific distribution
http://jl.gailly.net/security/john-1_6_32-vms-5.zip
but I forgot the last two (this will be fixed in the next version).

Construct your file password.lst as described in
http://gailly.net/security/john-VMS-readme.html
Do not use the file provided with John, it is much too small.
A good wordlist should have at least one million words; much bigger
lists are freely available. A big wordlist should be tried before
the incremental mode, as pointed out by Carl Karcher.


Unrelated subject: on some sites, sysuaf.dat contains records
of 1412 bytes mixed with records of 644 bytes. This confused unuaf.
A new VMS/Alpha executable together with a source patch is temporarily
available in http://jl.gailly.net/security/unuaf.zip until the fix is
integrated in the main version.

I have also added on http://gailly.net/security/john-VMS-readme.html

Disclaimer: John the Ripper should not be used against machines you do not
own or administer, or have prior permission to run password cracking tools
against. Even if you are a system administrator, you should ask permission
from your management.

Jean-loup Gailly
http://gailly.net/security/

Brian Tillman

Dec 19, 2002, 3:15:39 PM
>I'd kill it and try wordlist mode with a larger wordlist (dictionary).

And where does one obtain this word list?

David M Smith

Dec 19, 2002, 4:18:41 PM
On Thu, 19 Dec 2002 15:15:39 -0500, "Brian Tillman"
<tillma...@notnoone.notnohow.com> wrote:

>>I'd kill it and try wordlist mode with a larger wordlist (dictionary).
>
>And where does one obtain this word list?

Jean-loup's documentation page for his patch:

http://gailly.net/security/john-VMS-readme.html

has a link to some wordlists in a variety of languages. He also shows a
suggestion on how to "pre-process" these wordlists so that they only contain
characters which are valid in VMS passwords, in order to reduce the time to run
the tool. (These suggestions involve the use of 'tr' and 'sort' UNIX tools, it
appears -- I don't know where to get a VMS version of 'tr'.)

Give that a try...


-------------------------------------------------------------------------
David M. Smith 302.391.8533 dsmit115 at csc dot com
Computer Sciences Corporation (Opinions are those of the writer only)
-------------------------------------------------------------------------

Craig A. Berry

Dec 19, 2002, 4:50:27 PM
In article <kod40vcgtf7is4hr7...@4ax.com>,

David M Smith <dsmi...@csc.com> wrote:

> He also shows a
> suggestion on how to "pre-process" these wordlists so that they only contain
> characters which are valid in VMS passwords, in order to reduce the time to run
> the tool. (These suggestions involve the use of 'tr' and 'sort' UNIX tools,
> it appears -- I don't know where to get a VMS version of 'tr'.)

Both sort and tr are included with GNV. Otherwise a line or two of Perl
should do the trick.

Carl Karcher

Dec 19, 2002, 5:19:11 PM
In a previous article, "Brian Tillman" <tillma...@notnoone.notnohow.com> wrote:

->>I'd kill it and try wordlist mode with a larger wordlist (dictionary).
->
->And where does one obtain this word list?

On http://gailly.net/security/john-VMS-readme.html there's a link to one
site (ftp://ftp.ox.ac.uk/pub/wordlists/). Though I've yet to find one
that contains 1,000,000 english words.

Doc.Cypher

Dec 26, 2002, 5:40:30 AM
to mail...@freedom.gmsociety.org
On Thu, 19 Dec 2002, jl...@gailly.OmitThisWord.net (Jean-loup Gailly)
wrote:

>I have also added on http://gailly.net/security/john-VMS-readme.html
>
> Disclaimer: John the Ripper should not be used against machines you do not
> own or administer, or have prior permission to run password cracking tools
> against. Even if you are a system administrator, you should ask permission
> from your management.

Of course, your management may not be happy with the results.

One of the group regulars who wishes to remain anonymous emailed me the
results from their run of John against the SYSUAF from a large production
system.

The SYSUAF contained over 1,000 users. Within 1 hour, almost 25% of the
passwords had been cracked, after 3 days this had risen to nearly 50%. No
VMS privileged accounts were compromised, but accounts that had access to
accounts receivable, payable, and sales order processing were cracked.

Mr Anonymous also offered some advice on improving this. Apparently there's
a VMS$PASSWORD_POLICY on one of the Freeware CDs. Installed as-is it would
have denied selection of about 1/3 of the passwords cracked by John. If
modified to take the user's choice of password, strip numbers and retest,
plus beef up the dictionary, then virtually every password cracked by John
would have been rejected.

Paul Sture

Dec 26, 2002, 6:26:25 AM
In article <2002122610403...@nym.alias.net>, Doc.Cypher <Use-Author-Supplied-Address-Header@[127.1]> writes:
> On Thu, 19 Dec 2002, jl...@gailly.OmitThisWord.net (Jean-loup Gailly)
> wrote:
>
>>I have also added on http://gailly.net/security/john-VMS-readme.html
>>
>> Disclaimer: John the Ripper should not be used against machines you do not
>> own or administer, or have prior permission to run password cracking tools
>> against. Even if you are a system administrator, you should ask permission
>> from your management.
>
> Of course, your management may not be happy with the results.
>

If in doubt, ask your security department for permission _in writing_
before you attempt this. It's probably not a bad idea to have them
present as witnesses too.



> One of the group regulars who wishes to remain anonymous emailed me the
> results from their run of John against the SYSUAF from a large production
> system.
>
> The SYSUAF contained over 1,000 users. Within 1 hour, almost 25% of the
> passwords had been cracked, after 3 days this had risen to nearly 50%. No
> VMS privileged accounts were compromised, but accounts that had access to
> accounts receivable, payable, and sales order processing were cracked.
>
> Mr Anonymous also offered some advice on improving this. Apparently there's
> a VMS$PASSWORD_POLICY on one of the Freeware CDs. Installed as-is it would
> have denied selection of about 1/3 of the passwords cracked by John. If
> modified to take the user's choice of password, strip numbers and retest,
> plus beef up the dictionary, then virtually every password cracked by John
> would have been rejected.
>

It's on the Freeware V4 disk 2, in directory [PASSWORD_POLICY]

http://www.openvms.compaq.com/freeware/freeware40/PASSWORD_POLICY/

--
Paul Sture
Switzerland

Larry Kilgallen

Dec 26, 2002, 10:14:02 AM
In article <xlpl4x...@elias.decus.ch>, p_s...@elias.decus.ch (Paul Sture) writes:

> If in doubt, ask your security department for permission _in writing_
> before you attempt this. It's probably not a bad idea to have them
> present as witnesses too.

In my view, your security or audit department should be the ones conducting
any tests, to provide separation of duties between those who implement VMS
security and those who check to see whether it was done right.

That is, if the security department modifies SYSUAF, then the audit
department should be doing the review function.

Paul Sture

Dec 27, 2002, 2:36:56 AM
In article <BXKnAq...@eisner.encompasserve.org>, Kilg...@SpamCop.net (Larry Kilgallen) writes:
> In article <xlpl4x...@elias.decus.ch>, p_s...@elias.decus.ch (Paul Sture) writes:
>
>> If in doubt, ask your security department for permission _in writing_
>> before you attempt this. It's probably not a bad idea to have them
>> present as witnesses too.
>
> In my view, your security or audit department should be the ones conducting
> any tests, to provide separation of duties between those who implement VMS
> security and those who check to see whether it was done right.

Yes, much better. I really do not want to know XYZ's password(s), for
example, and hopefully another department can spot something we missed
somewhere.



> That is, if the security department modifies SYSUAF, then the audit
> department should be doing the review function.

In an ideal world yes. In reality some of us have to act as system
managers, security and auditors. In my experience auditors tend to
arrive once or twice a year at most. IOW they tend to take snapshots
rather than doing constant monitoring.

--
Paul Sture
Switzerland

Brian Tillman

Jan 3, 2003, 3:44:03 PM
>Construct your file password.lst as described in
> http://gailly.net/security/john-VMS-readme.html

From that page:

>To create wordlists optimised for VMS, remember that VMS passwords can only
>contain uppercase letters, digits and the characters '$' and '_'. A good
>way to reduce a generic wordlist for VMS is:
>
> tr a-z A-Z < wordlist | tr -cd 'A-Z0-9$_\n' | sort -u > password.lst

And how do I do that command on a VMS machine?

Mike Duffy

Jan 3, 2003, 4:04:38 PM
> -----Original Message-----
> From: Brian Tillman [mailto:tillma...@notnoone.notnohow.com]
> Sent: Friday, January 03, 2003 3:44 PM
> To: Info...@Mvb.Saic.Com
> Subject: Re: new version of OpenVMS password cracker
>
>
> >Construct your file password.lst as described in
> > http://gailly.net/security/john-VMS-readme.html
>
> From that page:
>
> >To create wordlists optimised for VMS, remember that VMS passwords can only
> >contain uppercase letters, digits and the characters '$' and '_'. A good
> >way to reduce a generic wordlist for VMS is:
> >
> > tr a-z A-Z < wordlist | tr -cd 'A-Z0-9$_\n' | sort -u > password.lst
>
> And how do I do that command on a VMS machine?

How about something like:

$ SEARCH/EXACT/MATCH=NOR (wordlist) /out=(new_wordlist) -
"a","b","c","d","e","f","g","h","i","j","k","l","m","n", -
"o","p","q","r","s","t","u","v","w","x","y","z","$","_"

Keep in mind that I have not seen the wordlist in question
to see that its characteristics would not cause this to omit
some legal combinations.

Otherwise I might whip up a procedure using F$EDIT(x,"UPCASE")
on each record then do a SORT/NODUP on the resulting file.

-Mike Duffy
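Added example, not code from the thread or from the John VMS port: a portable version of the readme's tr/tr/sort -u wordlist reduction (for hosts without 'tr', the question Brian raised) together with a dictionary check in the spirit of Doc.Cypher's "strip numbers and retest" policy advice earlier in the thread. It assumes only the 38-character set quoted from the readme; the sample wordlist is constructed, and policy_rejects is a stand-alone illustration, not the interface of the Freeware VMS$PASSWORD_POLICY module.

```python
from __future__ import annotations
from typing import Iterable

# The character set the readme quotes for VMS passwords: uppercase letters,
# digits, '$' and '_' (the 38 legal characters Jean-loup's post refers to).
VMS_PASSWORD_CHARS = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$_")


def normalize_vms(word: str) -> str:
    """Same effect as `tr a-z A-Z | tr -cd 'A-Z0-9$_'`: upcase ASCII a-z,
    then drop every character VMS would not accept in a password."""
    upper = "".join(c.upper() if "a" <= c <= "z" else c for c in word)
    return "".join(c for c in upper if c in VMS_PASSWORD_CHARS)


def build_vms_wordlist(lines: Iterable[str]) -> list[str]:
    """Portable replacement for the tr/tr/sort -u pipeline: normalize each
    word, drop words that collapse to nothing, return a sorted unique list."""
    words = {normalize_vms(line.rstrip("\r\n")) for line in lines}
    words.discard("")
    return sorted(words)


def policy_rejects(candidate: str, dictionary: set[str]) -> bool:
    """Hypothetical policy check modelled on Doc.Cypher's advice: test the
    user's choice against the cracking dictionary, then strip the digits
    and test again, so WELCOME2002 is rejected because WELCOME is a word.
    Stand-alone illustration, not the VMS$PASSWORD_POLICY interface."""
    word = normalize_vms(candidate)
    if word in dictionary:
        return True
    stripped = "".join(c for c in word if not c.isdigit())
    return bool(stripped) and stripped in dictionary


# Constructed sample wordlist (not from the thread): mixed case, an accented
# word, a hyphenated word, a bare number and a line of punctuation.
SAMPLE_WORDLIST = """\
secret
Secret
réseaux
welcome
pass-word
jean_loup
2002
!!!
"""
```

Running build_vms_wordlist over the sample gives the six words a VMS wordlist would keep, with the duplicate merged and the punctuation-only line gone; the same set then drives policy_rejects.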
