Passwords Revealed

  • Passwords Revealed

    Didn't someone mention this a while back? Maybe it's in the forum archives? I'd like a listing too, quite frankly.

  • #2
    Passwords Revealed

    I did take a brief look but could see anything. I'll have another look or get some stronger glasses!! Thanks


    • #3
      Passwords Revealed

      Craig, In the normal order of things you cannot do this. The passwords are not stored anywhere in a readable form. They could conceivably be cracked by a brute force attack, but I don't think this is what you had in mind. There is however a system value QPWDVLDPGM that allows you to specify a password validation program. This program that you write yourself is intended to allow you to specify extra validation that the other QPWD* system values may not provide. In order for you to be able to do this the QPWDVLDPGM has to be passed the password in clear. Once they realise this many programmers cannot resist the chance to store the passwords in a file. They may even encrypt them, usually using some naive scheme that could be cracked by an expert in about 10 minutes. Once the passwords are stored a utility program is written to reveal them. It's my guess that the program you used to use was one such. Any such abuse of QPWDVLDPGM seriously weakens the integrity of OS/400 security. It also weakens the position of anyone who has access to the "reveal" utility. There should be no way a security administrator can ever see a user's password. Suppose one of your users is running a fraud on the system and it's spotted and traced back to his ID. Who could the crook be? Only 2 people: him or you. Dave...



      • #4
        Passwords Revealed

        A friend is just trying to prove a point, not to use it in a detrimental way. But I take your point that using it could leave the system open to abuse. Many Thanks Craig


        • #5
          Passwords Revealed

          Craig, This topic comes up about every six months or so. So far as I know, the folks that participate in MC's forum and especially the MC staff make it known that there are ways to do this, and that there even exist (somewhere) code examples to do so. No one that I have seen has published where or how to do so. In the normal progression of things, folks will figure out a way to do this and then IBM will develop a new methodology for storing such data. As for finding out a password, there is no real way to do this on the /400. On the /34 and /36 we had the PATCH command that let you look at sector level data. None of the passwords on the /34 were encrypted, just stored. The /36 was encrypted. It took me almost a week (non dedicated) to break the encryption. I have not bothered with the /400, as I never really cared. -bret


          • #6
            Passwords Revealed

            "None of the passwords on the /34 were encrypted, just stored."

            I seem to remember that the S/34 passwords were stored in reverse hex, which is about the simplest level of encryption there is. If you had physical access to the S/34's side panel you could literally press a button (the STOP button?) to start PATCH running on the system console without needing to sign on. Looking through the VTOC near the top of the disk you could find the address of the password file #SECPROF. Each profile's password would appear below and slightly offset from the ID, which was in clear. It wasn't a terribly secure scheme. If I've just compromised anyone's security then it's about time you upgraded! :-) Dave...


            • #7
              Passwords Revealed

              It's not really a question of whether your intentions are honourable. The very act of storing the passwords undermines the integrity of the system. I cannot emphasise it enough. Or as your internal auditor might say, "Go ahead, punk, make my day." :-) Dave...



              • #8
                Passwords Revealed

                Dave, You hit on an issue that is a definite bone of contention with me. I still find system operators and managers who think that they should have the password for every user. "Just in case they have to sign on as that user," is the excuse I always get. If these are stored in a file, it's even worse. 'Cause now, the entire IS staff can get to them and if a super user gets wind of it, he/she will at some point download via Excel or other utility. Now the worst part. Most of these "Security Monitors" do not believe in changing the IBM supplied passwords. Maybe QSECOFR and/or QSYSOPR, but the other Q profiles are left the same. If I dialed into their system and started attempting to sign on with Q-whatever and used that as the password, I can look around the system and eventually find this file. This is real world. Part of my job as consultant was to verify the security of the systems. What holes. Managers usually hated us after the first few days, but if we kept their data (and its integrity) safe, then we did our job. Can you imagine someone being at level 50, and still doing this? I almost bet that somewhere out there, there is at least one site doing so. -bret


                • #9
                  Passwords Revealed

                  Bret, You can have the most secure system in the world and still leave it wide open. Richard Feynman's autobiography "Surely You're Joking Mr. Feynman" (which you really ought to read if you haven't already) has a story from when he was working at Los Alamos on the atomic bomb project. One of the top managers made a huge fuss about needing to have a bigger, stronger safe in his office than anyone else because he had access to more secrets. When he left the project he failed to pass on the combination so his successor told the site locksmith, who was really just a handyman, to go and drill the safe to get it open. Feynman thought it would be really neat to find out how a safe is drilled so he went along to watch. By the time he got there, however, the safe, with the door still perfectly intact, was already open and the locksmith was quietly eating his sandwiches. The manager with the big important secrets had left his super duper safe at the factory default combination. It was the same default as the combination desk locks and it was the first thing the locksmith had tried. Incidentally, the real secrets of the bomb were locked away in a scientist's desk drawer. For a joke Feynman removed them sheet by sheet through a gap between the desk top and the back of the drawer. The scientist was so relieved to find that it was Feynman who had stolen his papers, and not the Russians, that he forgave him at once. Dave...


                  • #10
                    Passwords Revealed

                    I will look for this next week when I get a day off. Thanks, Bret



                    • #11
                      Passwords Revealed

                      Actually if you set a comms trace going before users sign on - you will see them coming into the 400 - username and password !!!!! But don't tell anyone!


                      • #12
                        Passwords Revealed

                        About 2 years ago, user id and passwords could be captured using dmpsysobj and looking at some offsets. Rochester ptf'ed the problem and they also strongly suggested restricting this command. I was able to capture QSECOFR password on another machine because of authority to dmpsysobj.
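
An audit check for three weaknesses raised in the thread up to this point (a program configured in QPWDVLDPGM, profiles left at default passwords, and authority to DMPSYSOBJ), added here as an example and not code posted by any participant. It assumes it is compiled as a CL program and run by a profile with *ALLOBJ and *SECADM special authority; the reports go to spooled output.

```cl
/* Added audit example, not from the thread. Run as a security officer. */
PGM
  DCL VAR(&VLDPGM) TYPE(*CHAR) LEN(20)
  DCL VAR(&PGMNAM) TYPE(*CHAR) LEN(10)
  DCL VAR(&PGMLIB) TYPE(*CHAR) LEN(10)

  /* QPWDVLDPGM comes back as 20 characters: program name (1-10),      */
  /* then library (11-20), or a special value such as *NONE.           */
  RTVSYSVAL SYSVAL(QPWDVLDPGM) RTNVAR(&VLDPGM)
  CHGVAR VAR(&PGMNAM) VALUE(%SST(&VLDPGM 1 10))
  CHGVAR VAR(&PGMLIB) VALUE(%SST(&VLDPGM 11 10))

  IF COND(&PGMNAM *EQ '*NONE') THEN(DO)
    SNDPGMMSG MSG('QPWDVLDPGM is *NONE: no validation program is set.')
  ENDDO
  ELSE CMD(DO)
    /* Something receives every new password in the clear. Report it   */
    /* so its source and its object authority can be reviewed.         */
    SNDPGMMSG MSG('QPWDVLDPGM is' *BCAT &PGMLIB *TCAT '/' +
                  *CAT &PGMNAM *BCAT '- review what it does.')
    /* *REGFAC means exit programs are registered instead of one named */
    /* program, so there is no single object to list authority for.    */
    IF COND(&PGMNAM *NE '*REGFAC') THEN(DO)
      DSPOBJAUT OBJ(&PGMLIB/&PGMNAM) OBJTYPE(*PGM) OUTPUT(*PRINT)
    ENDDO
  ENDDO

  /* Report profiles whose password equals the profile name.           */
  /* ACTION(*NONE) only lists them; it does not disable or expire any. */
  ANZDFTPWD ACTION(*NONE)

  /* List who is authorized to the DMPSYSOBJ command.                  */
  DSPOBJAUT OBJ(QSYS/DMPSYSOBJ) OBJTYPE(*CMD) OUTPUT(*PRINT)
ENDPGM
```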



                        • #13
                          Passwords Revealed

                          A few years ago, I had an RPG program that enabled me, with QSECOFR authority, to reveal the UserID and password from the user profile file. Does anyone have any idea whether such a program still exists or where I might find an RPG listing? Craig


                          • #14
                            Passwords Revealed

                            If you are not using SSL (or similar) and using data transfer (FTP, ODBC, etc.) just use a sniffer and you'll see the passwords in actual text. There will be restrictions (how and if you use switches/hubs) but passwords as well as any other data being transferred (pay rates, sales figures, etc.) can be sniffed.
