BuyMeACoffee

AS400

Commands

LogoIBM i (AS/400) Security Auditcplusglobal

Audit

LogoCIS Downloads

Display Version

DSPSYSVAL SYSVAL(QSS1MRI)

How to get & crack AS/400 hashes?

Access to an AS/400 server with *ALLOBJ and *SECADM privileges

Depending on the current setting of the QPWDLVL system value, password hashes are stored in different formats on the AS/400:

  • QPWDLVL 0: IBM DES hashes (supported by JtR with our 'as400-des' format plugin) LM hashes (supported by default by JtR) SHA1 uppercase hashes (supported by JtR with our 'as400-ssha1' format plugin)

  • QPWDLVL 1: IBM DES hashes (supported by JtR with our 'as400-des' plugin) SHA1 uppercase hashes (supported by JtR with our 'as400-ssha1' plugin)

  • QPWDLVL 2: IBM DES hashes* (supported by JtR with our 'as400-des' plugin) LM hashes** (supported by default by JtR) SHA1 uppercase hashes*** (supported by JtR with our 'as400-ssha1' plugin) SHA1 mixed case hashes (supported by JtR with our 'as400-ssha1' plugin)

  • QPWDLVL 3: SHA1 uppercase hashes*** (supported by JtR with our 'as400-ssha1' plugin) SHA1 mixed case hashes (supported by JtR with our 'as400-ssha1' plugin)

  • Only if QPWDMAXLEN <=10

    • Only if QPWDMAXLEN <=14

    • Depending on password policy configuration

PREREQUISITES

  • the latest version of IBMiScanner (part of hack400tool), available on https://github.com/hackthelegacy/hack400tool

  • the latest john the ripper jumbo release, including 'as400-des' and 'as400-ssha1' plugins.

LM hashes

  • Open IBMiScanner tool

  • Connect

  • From the list of available scans, select option 26: 'SECURITY: Get John the Ripper hashes (LM hash)'

  • In the output directory, a file named 'lmhashes.txt' will be created.

  • Copy the file to your John the Ripper 'run' directory

  • Run john the ripper: john --format=LM {filename} Enjoy the passwords :)

DES hashes

  • Open IBMiScanner tool

  • Connect

  • From the list of available scans, select option 29: 'SECURITY: Get John the Ripper hashes (DES)'

  • In the output directory, a file named 'DES-hashes.txt' will be created.

  • Copy the file to your John the Ripper 'run' directory

  • Run john the ripper: john --format=as400-des {filename} Enjoy the passwords :)

SHA-1 hashes

(Please note that this method is generic for both mixed and upper case)

  • Open IBMiScanner tool

  • Connect

  • From the list of available scans, select option 27: 'SECURITY: Get John the Ripper hashes (SHA-1 hash uppercase)' for uppercase hashes.

  • For mixed case hashes, you can choose for option 28: 'SECURITY: Get John the Ripper hashes SHA-1 hash mixed case)' respectively.

  • In the output directory, a file named 'SHA-uc-hashes.txt' for uppercase hashes or 'SHA-mc-hashes.txt' for mixed case hashes will be created.

  • Copy the file to your John the Ripper 'run' directory

  • Run john the ripper: john --format=as400-ssha1 {filename} Enjoy the passwords :)

Note: In case you used an older version of the IBMiscanner tool that outputs hashes in the format userid:hash, you can use the ibmiscanner2john.py script to convert the file into a format that can be processed by JtR

PrivEsc

LogoSimple IBM i (AS/400) hackingSilent Signal Techblog

User Profiles

Display and print all the information for the user profiles

PRTUSRPRF TYPE(*ALL)  SELECT(*SPCAUT) SPCAUT(*ALL)

-- display secadm special authorities
PRTUSRPRF TYPE(*ALL)  SELECT(*SPCAUT) SPCAUT(*SECADM)
PreviousIBMNextAIX

Last updated

Was this helpful?