Dumping OpenVMS/Tru64 alphavm_free memory – passwords !

Mimikatz for OpenVMS? … Now this is lame, but it actually works, to my surprise.

Playing a little with the gcore program from the gdb package on Debian X86_64, I decided to dump the alphavm_free process memory to check for plaintext passwords there.

Here are my results:

OpenVMS 8.4-2 running via alphavm_free on Debian X86_64

# ps -ef | grep alphavm_free | grep -v grep
root 617 616 99 Apr02 pts/2 4-00:58:59 ./alphavm_free config.emu
# gcore -o /tmp/alpha 617
.....
Saved corefile /tmp/alpha.617
# strings /tmp/alpha.617 | less

User passwords were found in the memory dump for all users that log in via CONSOLE; the passphrases were plaintext but in UPPERCASE for all users, SYSTEM included.

Also, the passwords of all new users added via the following VMS command sequence were found in the memory dump as plaintext:

$ SET PROCESS/PRIVILEGE=SYSPRV
$ SET DEFAULT SYS$SYSTEM 
$ @SYS$EXAMPLES:ADDUSER.COM

 

HP Tru64 UNIX V5.1B (Rev. 2650) running via alphavm_free on Debian X86_64

# ps -ef | grep alphavm | grep -v grep 
root 3641 3640 81 22:30 pts/11 00:09:56 ./alphavm_free config.emu
# gcore -o /tmp/alpha 3641
......
Saved corefile /tmp/alpha.3641
# strings /tmp/alpha.3641 | less

No plaintext passwords were found in the memory dump. Tested with login as root via CONSOLE and OpenSSH remote login.

It could be worth a try to check other systems that run on the Alpha architecture (NetBSD, OpenBSD, ...).
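To repeat this check on your own emulator host without paging through strings output, here is an added example (not part of the original post) that scans a gcore file for a known canary password and reports where it sits. It assumes you set the canary as the password of a throwaway test account in the guest; the function names, the AUDITTEST account and the sample dump are constructed for illustration.

```python
import mmap
import os
import tempfile


def canary_variants(canary):
    """Byte patterns to search for: the canary as typed and upper-cased,
    since the post found OpenVMS console passwords stored in UPPERCASE."""
    raw = canary.encode("ascii")
    variants = {"as-typed": raw}
    if raw.upper() != raw:
        variants["uppercase"] = raw.upper()
    return variants


def scan_dump(path, canary):
    """Return sorted (offset, variant) hits for the canary in a core file."""
    hits = []
    if os.path.getsize(path) == 0:  # mmap cannot map an empty file
        return hits
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mem:
            for name, pattern in canary_variants(canary).items():
                pos = mem.find(pattern)
                while pos != -1:
                    hits.append((pos, name))
                    pos = mem.find(pattern, pos + 1)
    return sorted(hits)


def build_sample_dump():
    """Write a small constructed stand-in for a core file; returns its path."""
    data = b"\x00" * 64 + b"AUDITTEST\x00" + b"CANARY-PW-42X" + b"\x00" * 32
    fd, path = tempfile.mkstemp(suffix=".core")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = build_sample_dump()  # constructed data, not a real dump
    try:
        for offset, variant in scan_dump(sample, "Canary-pw-42x"):
            print(f"canary found ({variant}) at offset 0x{offset:x}")
    finally:
        os.remove(sample)
```

An empty result for a guest, as with the Tru64 run above, only says the canary was not in memory in these two encodings at the moment of the dump.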
