Cracking OpenVMS passwords with John the Ripper

This is patch 5 for John the Ripper to allow cracking OpenVMS (Vax and Alpha) passwords. It was written by Jean-loup Gailly, based on code from Shawn Clifford, Davide Casale and Mario Ambrogetti. The patch was made for John 1.6.32 but may work for later versions. This tool is designed for system administrators, to detect users who select very bad, too easily guessable passwords, as happens too often.

To compile the patch, get john-1.6.tar.gz and john-1.6.32.tar.gz then do:

   tar xfz john-1.6.tar.gz
   tar xfz john-1.6.32.tar.gz
   mv john-1.6.32 john-1.6.32vms
   tar xfz john-1.6.32-VMS-patch-5.tar.gz
   cp john-1.6/doc/* john-1.6.32vms/doc/
   cp john-1.6/run/*.chr john-1.6.32vms/run/
   cd john-1.6.32vms
   patch -p0 < john-VMS.diff

But if you want to run John on VMS, you don't have to compile it yourself: you can get the VMS executables directly. Extract them with unzip. To get unuaf, simply copy john.exe to unuaf.exe.

Version 5 of the patch works on big-endian systems. It has been tested on x86 (Linux), Alpha (VMS and FreeBSD), Vax (VMS), Sparc (SunOS), PA-RISC (Linux). The VMS Alpha executable was made with Dec C 6.0 because the version compiled with Compaq C 6.5 does not work for Blowfish and NTLM.

On x86, asm code is used for speed, but a portable C version is included as well. The asm version checks about 200,000 passwords per second on a 1 GHz system.

To compile on VMS, get make, gzip and tar. Set:

$ echo :== write sys$output

before using make.

To crack VMS passwords, you can use the native Alpha or Vax executable of John, but for better speed you can transfer the file sys$system:sysuaf.dat in binary mode to an x86 system running John. Note that you must be a system administrator to have read access to the sysuaf file. In all cases, be very careful not to give others read access to your copy of sysuaf.dat. Use an encrypted protocol such as scp (not ftp) to transfer any file to a remote system.
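One way to check the read-access point above on the Unix system that holds the copy, as an added example that is not part of the patch or of John. The function names are hypothetical; sysuaf.dat, sysuaf.john and john.pot are the file names used on this page.

```shell
# Added example (not from the patch). Keeps the copied authorization file,
# the converted hash file and john.pot readable by their owner only.

# Tighten one file to owner-only access and confirm the result.
make_private() {
    chmod 600 -- "$1" || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Report every existing file in the argument list that group or others
# can access. Returns 0 when all of them are private, 1 otherwise.
audit_uaf_copies() {
    exposed=0
    for f in "$@"; do
        [ -e "$f" ] || continue          # not created yet: nothing to leak
        bits=$(ls -ld -- "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "exposed: $f (group/other bits: $bits)" >&2
            exposed=1
        fi
    done
    return "$exposed"
}

# Typical use in the working directory, before and after running unuaf/john:
#   umask 077
#   audit_uaf_copies sysuaf.dat sysuaf.john john.pot || make_private sysuaf.dat
```

Setting umask 077 before the transfer and before running unuaf means the files are created private in the first place; the audit catches copies made earlier under a looser umask.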

Run unuaf to convert this file to a format usable by John. Use the -a option to include disabled accounts.

  unuaf sysuaf.dat > sysuaf.john
  unuaf -a > sysuaf.john

On VMS use:

  pipe run unuaf > sysuaf.john
  pipe mcr []unuaf -a > sysuaf.john

If unuaf.exe is not in the current directory, modify [] above or include the appropriate directory in your DCL$PATH.

On some sites, sysuaf.dat contains records of 1412 bytes mixed with records of 644 bytes. This confused unuaf. A new VMS/Alpha executable together with a source patch is temporarily available in unuaf.zip. If you cannot run unuaf on VMS, you must first convert sysuaf.dat before transferring it to another system:

  $ create sysuaf.fdl
  file
  organization sequential
  record
  block_span yes
  carriage_control none
  format undefined
  size 1412
  $ convert/fdl=sysuaf.fdl sysuaf.dat sysuaf.john

To get optimal results for VMS, modify john.conf as follows:

  • replace [List.Rules:Wordlist] with [List.Rules:Wordlist2]
  • replace [List.Rules:WordlistVMS] with [List.Rules:Wordlist]
  • replace [Incremental:All] with [Incremental:All2]
  • replace [Incremental:VMS] with [Incremental:All]
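The four renames above applied in one pass, as an added example that is not part of the patch. The function name and the output file are hypothetical; the section names are the ones listed above.

```shell
# Added example (not from the patch). Moves the VMS rule and incremental
# sections into the default slots of john.conf, in the order given above.
swap_vms_sections() {
    conf=$1
    out=$2

    # Refuse a second run: after one pass the *2 sections already exist and
    # another pass would rename the VMS sections out of the default slots.
    if grep -q -F -e '[List.Rules:Wordlist2]' -e '[Incremental:All2]' "$conf"; then
        echo "swap_vms_sections: $conf is already converted" >&2
        return 1
    fi

    # Both VMS sections must be present, otherwise the renames would only
    # move the default sections away and leave nothing in their place.
    for section in '[List.Rules:WordlistVMS]' '[Incremental:VMS]'; do
        if ! grep -q -F -e "$section" "$conf"; then
            echo "swap_vms_sections: $section not found in $conf" >&2
            return 1
        fi
    done

    # sed applies the expressions to each line in order, so a header renamed
    # to [List.Rules:Wordlist] by the second expression is not picked up
    # again by the first one. The patterns are anchored to the full header.
    sed -e 's/^\[List\.Rules:Wordlist]/[List.Rules:Wordlist2]/' \
        -e 's/^\[List\.Rules:WordlistVMS]/[List.Rules:Wordlist]/' \
        -e 's/^\[Incremental:All]/[Incremental:All2]/' \
        -e 's/^\[Incremental:VMS]/[Incremental:All]/' \
        "$conf" > "$out"
}

# Usage, keeping the original until the result has been checked:
#   swap_vms_sections john.conf john.conf.vms && diff john.conf john.conf.vms
```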

To create wordlists optimised for VMS, remember that VMS passwords can only contain uppercase letters, digits and the characters '$' and '_'. A good way to reduce a generic wordlist for VMS is:

  tr a-z A-Z < wordlist | tr -cd 'A-Z0-9$_\n' | sort -u > password.lst

For convenience, the VMS cracker forces all passwords to uppercase anyway, so you can use a wordlist in lowercase, or the single crack mode, which generates lowercase guesses. For speed, the VMS cracker doesn't check that the password contains only legal characters, so to avoid wasting time, create wordlists with only legal characters (upper or lower case).

For the incremental mode, generate your own vms.chr if you have a large john.pot file already:

  john -makechars:vms.chr -external:filter_vms

or just use directly:

  john -i:vms passwd-file

For general questions about John the Ripper, please refer to its documentation, available in John 1.6.

VMS patch file ( signature ) md5sum: c5c1cd14188f659cbfc0fc7a29d4487b
Complete patched sources ( signature ) md5sum: 2120d72b82b9986dfe72f33aabf2a122
VMS executables for Alpha and Vax ( signature ).

Disclaimer: John the Ripper should not be used against machines you do not own or administer, or have prior permission to run password cracking tools against. Even if you are a system administrator, you should ask permission from your management. The authors take no responsibility for any problems related to running John the Ripper without permission.

Revision history:

  • 25 nov 2002: patch 1, first VMS patch, x86 only
  • 30 nov 2002: patch 2, port to Alpha and Vax
  • 3 dec 2002: patch 3, port to big endian systems, with bugs in Purdy1 and unuaf
  • 4 dec 2002: patch 4, bug fixes in Purdy1 (thanks to Solar Designer) and unuaf
  • 11 dec 2002: patch 5, significant speed improvements: use "long long" if possible, reduce the number of multiplications and avoid useless modulo P operations. Support non blocking IO on VMS (thanks to Martin Vorlaender).

Jean-loup Gailly
http://gailly.net
PGP or GPG key
fingerprint: E3EC F4DF 7EDB E724 A3EC FBC2 D9A2 7D25 0196 71A7
