AS400
Access to an AS/400 server with *ALLOBJ and *SECADM privileges
Depending on the current setting of the QPWDLVL system value, password hashes are stored in different formats on the AS/400:
QPWDLVL 0:
- IBM DES hashes (supported by JtR with our 'as400-des' format plugin)
- LM hashes (supported by default by JtR)
- SHA1 uppercase hashes (supported by JtR with our 'as400-ssha1' format plugin)

QPWDLVL 1:
- IBM DES hashes (supported by JtR with our 'as400-des' plugin)
- SHA1 uppercase hashes (supported by JtR with our 'as400-ssha1' plugin)

QPWDLVL 2:
- IBM DES hashes* (supported by JtR with our 'as400-des' plugin)
- LM hashes** (supported by default by JtR)
- SHA1 uppercase hashes*** (supported by JtR with our 'as400-ssha1' plugin)
- SHA1 mixed case hashes (supported by JtR with our 'as400-ssha1' plugin)

QPWDLVL 3:
- SHA1 uppercase hashes*** (supported by JtR with our 'as400-ssha1' plugin)
- SHA1 mixed case hashes (supported by JtR with our 'as400-ssha1' plugin)

* Only if QPWDMAXLEN <= 10
** Only if QPWDMAXLEN <= 14
*** Depending on password policy configuration
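An added example, not part of hack400tool or John the Ripper: a Python audit sketch that applies the QPWDLVL list and QPWDMAXLEN conditions above to a system's values and lists the profiles holding both *ALLOBJ and *SECADM. The function names, the "legacy" classification and the sample system values and profiles are assumptions constructed for illustration.

```python
# Added audit sketch (not hack400tool or JtR code). Sample values are constructed.

# This example's own classification: formats to treat as legacy findings.
LEGACY = {"IBM DES", "LM"}
NEEDED = {"*ALLOBJ", "*SECADM"}  # access the page lists as required


def stored_formats(qpwdlvl, qpwdmaxlen):
    """Hash formats the page lists for a QPWDLVL / QPWDMAXLEN combination."""
    if qpwdlvl not in (0, 1, 2, 3):
        raise ValueError(f"unexpected QPWDLVL: {qpwdlvl!r}")
    formats = []
    # DES: levels 0 and 1; at level 2 only if QPWDMAXLEN <= 10.
    if qpwdlvl <= 1 or (qpwdlvl == 2 and qpwdmaxlen <= 10):
        formats.append("IBM DES")
    # LM: level 0; at level 2 only if QPWDMAXLEN <= 14.
    if qpwdlvl == 0 or (qpwdlvl == 2 and qpwdmaxlen <= 14):
        formats.append("LM")
    # SHA1 uppercase: at levels 2 and 3 it depends on password policy, which
    # this sketch cannot evaluate, so it is reported as policy-dependent.
    formats.append("SHA1 uppercase" if qpwdlvl <= 1
                   else "SHA1 uppercase (policy-dependent)")
    if qpwdlvl >= 2:
        formats.append("SHA1 mixed case")
    return formats


def audit(sysvals, profiles):
    """Report stored formats, legacy ones, and profiles holding both authorities."""
    formats = stored_formats(sysvals["QPWDLVL"], sysvals["QPWDMAXLEN"])
    return {
        "formats": formats,
        "legacy": [f for f in formats if f in LEGACY],
        "privileged": sorted(name for name, spcaut in profiles.items()
                             if NEEDED <= set(spcaut)),
    }


# Constructed sample input: system values and profile -> special authorities.
SAMPLE_SYSVALS = {"QPWDLVL": 2, "QPWDMAXLEN": 12}
SAMPLE_PROFILES = {
    "QSECOFR": ["*ALLOBJ", "*SECADM", "*AUDIT"],
    "APPADMIN": ["*SECADM", "*ALLOBJ"],
    "DEVLEAD": ["*ALLOBJ"],
    "OPER1": ["*JOBCTL"],
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_SYSVALS, SAMPLE_PROFILES).items():
        print(f"{key}: {value}")
```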
The latest version of IBMiScanner (part of hack400tool), available at https://github.com/hackthelegacy/hack400tool
The latest John the Ripper jumbo release, including the 'as400-des' and 'as400-ssha1' plugins.
LM hashes
Open IBMiScanner tool
Connect
From the list of available scans, select option 26: 'SECURITY: Get John the Ripper hashes (LM hash)'
In the output directory, a file named 'lmhashes.txt' will be created.
Copy the file to your John the Ripper 'run' directory
Run John the Ripper: john --format=LM {filename}
Enjoy the passwords :)
DES hashes
Open IBMiScanner tool
Connect
From the list of available scans, select option 29: 'SECURITY: Get John the Ripper hashes (DES)'
In the output directory, a file named 'DES-hashes.txt' will be created.
Copy the file to your John the Ripper 'run' directory
Run John the Ripper: john --format=as400-des {filename}
Enjoy the passwords :)
SHA-1 hashes
(Please note that this method is generic for both mixed and upper case)
Open IBMiScanner tool
Connect
From the list of available scans, select option 27: 'SECURITY: Get John the Ripper hashes (SHA-1 hash uppercase)' for uppercase hashes.
For mixed case hashes, choose option 28: 'SECURITY: Get John the Ripper hashes (SHA-1 hash mixed case)'.
In the output directory, a file named 'SHA-uc-hashes.txt' for uppercase hashes or 'SHA-mc-hashes.txt' for mixed case hashes will be created.
Copy the file to your John the Ripper 'run' directory
Run John the Ripper: john --format=as400-ssha1 {filename}
Enjoy the passwords :)
Note: If you used an older version of the IBMiScanner tool that outputs hashes in the format userid:hash, you can use the ibmiscanner2john.py script to convert the file into a format that JtR can process.