From: Jean-loup Gailly [jloup@gailly.net]
Sent: Tuesday, November 26, 2002 12:20 PM
To: bugtraq@securityfocus.com
Subject: Cracking OpenVMS passwords with John the Ripper

I have written a patch for John the Ripper http://www.openwall.com/john/
to allow cracking OpenVMS (Vax and Alpha) passwords.  The patch is based on
code from Shawn Clifford, Davide Casale and Mario Ambrogetti.

The sources are in http://jl.gailly.net/security/john-VMS-patch.tar.gz
A README file is at http://gailly.net/security/john-VMS-readme.html
or in ascii at http://jl.gailly.net/security/README.VMS

This patch has been tested on x86 only and does not work yet on big endian
systems. It uses asm code for speed but a portable C version is included as
well. The asm version checks about 150,000 passwords per second on a 1 GHz
system. Password cracking is much easier on OpenVMS than on other systems
since passwords are not case sensitive and limited to alphanumeric,
'$' and '_' only.

Jean-loup Gailly
http://gailly.net/security/

Cracking OpenVMS passwords with John the Ripper
This is a patch for John the Ripper to allow cracking OpenVMS (Vax and Alpha) passwords. It was written by Jean-loup Gailly, based on code from Shawn Clifford, Davide Casale and Mario Ambrogetti. The patch was made for john 1.6.32 but may work for later versions.

To apply the patch, get john-1.6.tar.gz and john-1.6.32.tar.gz then do:

   tar xfz john-1.6.tar.gz
   tar xfz john-1.6.32.tar.gz
   mv john-1.6.32 john-1.6.32vms
   tar xfz john-VMS-patch.tar.gz
   cp john-1.6/doc/* john-1.6.32vms/doc/
   cp john-1.6/run/*.chr john-1.6.32vms/run/
   cd john-1.6.32vms
   patch -p0 < john-VMS.diff

This patch has been tested on x86 only (with "make linux-x86-mmx-elf") and does not work yet on big endian systems. It uses asm code for speed, but a portable C version is included as well. The asm version checks about 150,000 passwords per second on a 1 GHz system.

To crack VMS passwords, transfer the file sys$system:sysuaf.dat in binary mode to an Intel system (Linux or Windows). Note that you must be a system administrator to have read access to the sysuaf file. Run unuaf to convert this file to a format usable by John:

  unuaf sysuaf.dat > sysuaf.john

In john.conf, rename the section List.Rules:Wordlist to List.Rules:Wordlist2, and rename List.Rules:WordlistVMS to List.Rules:Wordlist, so that the VMS rules become the active wordlist rules.

To create wordlists optimised for VMS, remember that VMS passwords can only contain uppercase letters, digits and the characters '$' and '_'. A good way to reduce a generic wordlist for VMS is:

  tr a-z A-Z < wordlist | tr -cd 'A-Z0-9$_\n' | sort -u > wordlist.vms

For convenience, the VMS cracker forces all passwords to uppercase anyway, so you can use a wordlist in lowercase, or the single crack mode, which generates lowercase guesses. For speed, the VMS cracker does not check that a candidate password contains only legal characters, so to avoid wasting time on guesses that can never match, create wordlists containing only legal characters (in upper or lower case).
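As an added example (not part of the original README), the wordlist reduction above wrapped as shell functions, plus a check that a prepared list really contains only legal VMS characters, since the cracker itself skips that test. The function names and the sample wordlist are constructed for this illustration.

```shell
#!/bin/sh
# ASCII collation for the tr ranges and for sort, independent of the user's locale.
LC_ALL=C
export LC_ALL

# The characters a VMS password may contain, after uppercasing.
VMS_CHARS='A-Z0-9$_'

# vms_normalize: read a generic wordlist on stdin and write a VMS-ready list on stdout.
# Uppercases every word, strips characters outside the VMS set (the README's tr pipeline),
# drops words that become empty after stripping, then sorts and deduplicates.
vms_normalize() {
    tr 'a-z' 'A-Z' | tr -cd "${VMS_CHARS}"'\n' | grep -v '^$' | sort -u
}

# vms_check FILE: succeed only if every line of FILE is a non-empty word made solely
# of legal VMS characters. Otherwise print the offending lines (with line numbers)
# on stderr and fail, so a list that would only waste cracking time is caught early.
vms_check() {
    bad=$(grep -nvE "^[${VMS_CHARS}]+\$" "$1") || return 0
    printf '%s\n' "$bad" >&2
    return 1
}

# Constructed sample run: "Pass-Word" and "foo bar" lose their illegal characters,
# "---" disappears entirely, and the duplicate PASSWORD is folded into one entry.
if [ "${1:-}" = "--demo" ]; then
    printf 'password\nPass-Word\nr2d2\n$ystem\nfoo bar\n---\n' | vms_normalize
fi
```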

For the incremental mode, generate your own vms.chr if you have a large john.pot file already:

  john -makechars:vms.chr -external:filter_vms

or just use directly:

  john -i:vms passwd-file

For general questions about John the Ripper, please refer to its documentation, available in John 1.6.

Jean-loup Gailly
http://gailly.net
PGP or GPG key fingerprint: E3EC F4DF 7EDB E724 A3EC FBC2 D9A2 7D25 0196 71A7

Here are the ASCII version of this file, the VMS patch file, and its signature.
