Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 13 Mar 2012 21:19:45 -0700
From: Main Framed <>
Subject: Re: Re: Cracking RACF passwords

It was a long couple of weeks digging this out of RACF, but thanks to
Nigels help Dhiru was able to get it up and running in C very quickly.

If anyone on here works at a company that runs IBM mainframes they may have
access to zPDT (or ACDC) which is a "virtual" mainframe that runs on x86
(so your laptop or desktop). You may want to go that route in getting test
RACF databases to play around with. If your company didn't get a couple out
of their IBM deal then you can always purchase it for $30,000. There's also
the emulator hercules but its hard to get images etc configured for it (and
it's against the license agreement for zOS to run on Hercules).

Right now, as Dhiru has said, the process has an extra step (step #3):

1) Use JCL to create a copy of the RACF database (see
2) FTP it off of the mainframe. Make sure you type "binary" before you type
"get" otherwise it won't work in CRACF
3) Use CRACF (, hopefully someone
will mirror so it doesn't disappear eventually) to extract the hashes, and
potentially identify ultra week passwords
4) Use /run/ to convert CRACF.TXT it to a format JtR expects
5) Use JtR

If you look at most of the mainframe implementations they're getting the
password from memory OR you have to supply it with the password hashes.
RACF has some (non built in tools) for copying usernames and passwords that
you might be able to use. But honestly, copying the database off the
mainframe and doing all your processing locally is so much easier.

Also, most mainframe implementations don't require mixed case and there's
only three special chars ($, @ and #). On top of that, the basic mainframe
"shell" called TSO doesn't support passwords longer than 7. So basically if
you're cracking a RACF database start with characters A - Z, 0 - 9, #, @, $
with a max length of 7 characters.

On Mon, Mar 12, 2012 at 11:10 AM, Andres Ederra <>wrote:

> Awesome work! Thanxs!
> That is such a huge step forward!
> I found the previous asm code I posted deep into the archive of
> It shouldn't be that hard to process RACF binary database into something
> john-friendly
> If I get access to some of our RACF admins I can generate some racf db
> dumps and build an alternative to cracf.exe ... (but that can take
> months... things run slowly at corporate world...)
> Best Regards
> Andrés
> 2012/3/12 Dhiru Kholia <>
> > On Mon, Mar 12, 2012 at 8:15 PM, Andres Ederra <>
> > wrote:
> > > Hi Alexander (and all),
> > >
> > > Anyway as far as I have investigated the issue the problem is to learn
> > > the RACF algorithm, coding it as a john module its a no-issue.
> > >
> > > I'm afraid that the people who know that info maybe retired (or
> > > dead...) and IBM is not going to collaborate that much (I would want
> > > to be wrong but...)
> >
> > Thanks to Nigel and Main Framed, RACF algorithm is now *known*. A JtR
> > module has also been written (Check
> > The only part remaining
> > is converting RACF binary database(s) into a format usable by JtR
> > (i.e. racf2john utility). For now you can use CRACF (to get CRACF.txt
> > file from input RACF database), (for CRACF.txt to JtR
> > suitable conversion) and finally JtR to audit mainframe passwords.
> >
> > --
> > Cheers,
> > Dhiru
> >

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ