RACF bits and pieces

24 April 2018

hashcat commands for RACF passwords

by Jim

First of all I recommend finding out the password rules in place, this may help.

Then start here for the initial steps. You then have two options to get the hashes into the hashcat format of $racf$*QWERTY1*5AA70358A9C369E0 rather than the John the Ripper format of QWERTY1:$QWERTY1$*QWERTY1*5AA70358A9C369E0:

  1. After running racf2john use a regex Find/Replace in Notepad++/BBEdit etc. of ^[^:]+: and replace with nothing (or use grep and sed from a terminal if you prefer)

  2. If running Windows, use Nigel Pentland’s racfsnow which will, as well as crack passwords, also write the hashes out in both hashcat and John the Ripper output.

Install hashcat and a dictionary file. If MIXEDCASE is not enabled on the system in question then for added cracking speed I would recommend an all uppercase dictionary with words no longer than 8 characters. I suggest starting with one of the dictionaries from here which have already been edited to convert the contents to uppercase and remove words longer than 8 characters etc.

The below assumes basic knowledge of hashcat as well as having copied my racf.rule file to the rules subdirectory of hashcat. The command format below is for macOS/Unix, for Windows substitute ./hashcat with hashcat64.exe and swap any / characters for a \

These examples are ordered from quickest to slowest.

Basic dictionary attack

./hashcat -m 8500 hashes.txt dictionary.txt

Dictionary with rule

./hashcat -m 8500 hashes.txt -r rules/racf.rule dictionary.txt

Hybrid attack - uses dictionary and appends 3 numerics - adjust the number of numerics as you see fit

./hashcat -m 8500 hashes.txt -a 6 dictionary.txt ?d?d?d

Mask attack for 8 character passwords using uppercase, digits and national characters

./hashcat -m 8500 hashes.txt -a 3 -1 ?u?d@#£ ?1?1?1?1?1?1?1?1 replace @#£ with your own national characters as appropriate e.g. $ for £, § for @ etc.

For an incremental version that cycles through from e.g. 6 characters up to 8 then add --increment --increment-min=6

OA43999 version of the above:

./hashcat -m 8500 hashes.txt -a 3 -1 ?u?d#£@.<+|&!*-%_>?:=' ?1?1?1?1?1?1?1?1

./hashcat -m 8500 hashes.txt --show --outfile=cracked.txt

If running on a unix based OS or using WSL or cmder on Windows I would recommend pulling out the cracked passwords, removing duplicates and then creating a new dictionary file. This file can then be moved between hashcat/John the Ripper and should help speed up any future cracking attempts

cut -d: -f 2- hashcat.pot | sort -u > cracked.dic
cat cracked.dic dictionary.txt > combined.txt
cut -d: -f 2- combined.txt | sort -u > dictionary.txt
tags: RACF - passwords