This document provides an introduction to hacking mainframes in 2020. It begins with an overview of mainframe systems and terminology. It then discusses reconnaissance methods like port scanning and credential theft to gain initial access. Next, it covers conducting internal reconnaissance to escalate privileges by exploiting surrogate users, APF authorized libraries, and UNIX privilege escalation techniques. The document aims to provide enough context for curiosity about hacking mainframe systems.
2. Thanks
▪ You awesome people for being here
▪ Phil (Soldier of Fortran - @mainframed767)
▪ Chad (@bigendiansmalls)
▪ Ayoub (@ayoul3__)
▪ Many other mainframe security researchers
January 19, 2020 NULL CHAPTER - CHANDIGARH 2
3. About Me
▪ Organizer – BSides Singapore
▪ Principal Security Consultant at SEC Consult – Singapore
▪ Do the H4kS on a daily basis – Web, Mobile apps & Infra mainly
▪ 7+ years in Information Security
▪ Author of XVWA – WebAppSec learning app
▪ Interested in Windows Exploit development, SDR & Mainframes
▪ Licensed Scuba/Sky diver
▪ Travels in free time (https://www.aroundtheglobe.life/)
▪ Tweet me @samanl33t
4. What to expect …
▪ Basic Idea of Mainframe systems
▪ Lots of new words and terminologies
▪ Probable overflow of Information in 1 hour.
▪ Attack kill-chain for Mainframes
▪ Demos (Yes!)
▪ (Hopefully) a trigger for curiosity about mainframes
5. What is a Mainframe?
This..
6. What is a Mainframe
And this..
7. What is a Mainframe?
▪ Mainly z/OS on IBM System z
▪ Not AS/400 (System i)
▪ Widely used business-critical system – banks, insurance, airlines..
▪ Not legacy – IBM z15 released a few months ago.
▪ Available since the 1950s
▪ Handles millions of I/O operations per second.
▪ God of backwards compatibility
▪ Built for RAS (Reliability, Availability, Serviceability)
▪ Supports many languages – HLASM, COBOL, C, Java, JCL, REXX, CLIST, Python etc.
8. z15 Specs
▪ 190 processors – 12 core, 5.2 GHz each
▪ 40 TB of RAM
▪ Dedicated processors for managing I/O
▪ Dedicated processors for Encryption/Decryption
9. Why is this relevant?
12. Talking Mainframe..
▪ LPARs – Logical Partitions (hosts/servers)
▪ VTAM – Virtual Telecommunications Access Method
▪ DASD – Direct Access Storage Devices (basically hard drives)
▪ Storage – Memory
▪ TSO – Time Sharing Option (z/OS shell)
▪ IPL – Initial Program Load – booting the mainframe
▪ Sysprog – System Programmer; Operators – console operators
▪ MVS, OS/390 – Old names for z/OS
13. Talking Mainframe – Files/Folders
▪ Called Datasets
▪ Start with a High Level Qualifier (HLQ)
  For example: "NULLCHD" in "NULLCHD.TEST.FILE"
▪ Two types:
  ▪ Sequential Datasets
    Use the dot (.) naming convention
    Example: NULLCHD.TEST.FILE, where NULLCHD is the HLQ, TEST is like a folder and FILE is the file.
  ▪ Partitioned Datasets (PDS)
    Also called Libraries, Libs
    Example: NULLCHD.TEST(FILE), where NULLCHD is the HLQ, TEST is the Library and FILE is a member of the library
▪ Files are called "members of a dataset" in the case of a PDS
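As an added example (not from the slides), a small parser that splits dataset references of both forms above into HLQ, qualifiers and member. The qualifier rules it enforces (1–8 characters, first character alphabetic or national @ # $, whole name at most 44 characters, no hyphen in member names) are the commonly documented z/OS naming rules and are assumptions of this example, not something the slides state.

```python
import re

# Naming rules as commonly documented for z/OS (assumptions of this example):
# each qualifier is 1-8 characters, first alphabetic or national (@ # $),
# the rest alphanumeric, national or hyphen; the full name is at most 44 chars.
# A PDS member is a qualifier-like name in parentheses, without hyphens.
_QUALIFIER = re.compile(r"^[A-Z@#$][A-Z0-9@#$-]{0,7}$")
_MEMBER = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")


def parse_dataset_name(name: str) -> dict:
    """Split a dataset reference into HLQ, qualifiers and optional member.

    Returns {"kind": "sequential" | "pds-member", "hlq": ..., "qualifiers": [...],
             "member": ... or None}; raises ValueError for malformed names.
    """
    name = name.strip().upper()  # z/OS names are case-insensitive, shown in upper case
    member = None
    if name.endswith(")"):
        # NULLCHD.TEST(FILE) -> dsn "NULLCHD.TEST", member "FILE"
        dsn, _, member = name[:-1].partition("(")
        if not _MEMBER.match(member):
            raise ValueError(f"bad member name: {member!r}")
    else:
        dsn = name
    if len(dsn) > 44:
        raise ValueError("dataset name longer than 44 characters")
    qualifiers = dsn.split(".")
    for q in qualifiers:
        if not _QUALIFIER.match(q):
            raise ValueError(f"bad qualifier: {q!r}")
    return {
        "kind": "pds-member" if member else "sequential",
        "hlq": qualifiers[0],
        "qualifiers": qualifiers,
        "member": member,
    }
```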
14. Connecting to z/OS system
▪ TN3270 protocol
▪ Basically Telnet on weed
▪ Uses EBCDIC (Not ASCII)
▪ Clear-text
▪ TN3270 over SSL is also used (port 992)
▪ Emulators:
▪ X3270
▪ W3270 (Windows)
▪ C3270
▪ VTAM : The first screen you see when you connect over TN3270
15. Time Sharing Option (TSO)
▪ Command prompt for Z/OS
▪ Not so user friendly
▪ Accepts commands like:
▪ ping
▪ netstat home
▪ Listuser (LU)
17. Interactive System Productivity Facility (ISPF)
▪ GUI for Z/OS
▪ User friendly
18. Unix on Mainframe – USS/OMVS
▪ Unix System Services (USS)
▪ Implements TCP/IP stack
▪ Used in almost all Z/OS systems today
▪ Webserver, FTP, SSH etc. are configured and run from here.
▪ Supports a lot of standard Unix commands
▪ Comes with Z/OS specific UNIX commands
19. Unix on Mainframe – USS/OMVS
20. Other interfaces
▪ FTP
▪ SSH
▪ Telnet – Normal telnet
▪ NJE – Network Job Entry
▪ Connect:Direct (C:D)
▪ Message Queues (MQs)
▪ Etc..
21. Mainframe Applications
▪ Applications for Transaction management
▪ CICS – Customer Information Control System
▪ Most common today
▪ IMS – Information Management System
▪ Trust on the Client-side.
▪ Batch processing
▪ Out of scope for this talk
23. Z/OS Security Architecture
▪ By design – a strong security architecture.
▪ Strong segregation for each program running on the system
▪ This segregation prevents programs interfering with other programs as well as the Operating System.
▪ Unless the system is modified to grant such privileges to a program (privileged programs)
▪ Privileged programs can bypass ALL security controls.
24. z/OS Security Controls
Two types:
▪ Hardware-based security controls
  ▪ Supervisor State – restricts privileged hardware instructions
  ▪ Protect Keys – restrict the memory a program can update
  ▪ Address Spaces – restrict the memory a program can read
▪ Software-based security controls:
  ▪ RACF (IBM)
  ▪ ACF2 (CA)
  ▪ Top Secret (CA)
The purpose of software-based controls is to check what a user is authorized to access and do.
25. Resource Access Control Facility (RACF)
▪ Makes up about 75% of the market
▪ Almost everything is controlled via RACF
▪ Stores everything in a RACF DB
▪ Password hashes as well
▪ Users and other resources are assigned attributes defining their privilege level:
▪ Super User access is called "SPECIAL" (SPECIAL Attribute)
▪ Default passwords are 6/8 characters (all CAPS, 3 special characters)
▪ Default User - IBMUSER/SYS1
▪ Usually disabled
▪ Allows: WARNING Mode & SURROGATE Profiles
27. Hacking/Pentesting Mainframes
Common scope:
▪ z/OS system – which includes the complete OS, RACF, TSO etc.
▪ Mainframe applications – CICS, IMS etc.
Approach:
Initial Recon > Gaining Access > Local Recon > Privilege Escalation
28. Hacking Mainframes – Initial Recon
▪ Nmap scanning
  ▪ Open ports/running services
  ▪ Nmap scripts (by Phil Young) to enumerate the following:
    ▪ VTAM (APPLIDs)
    ▪ Logical Units (LUs)
    ▪ TSO user IDs
    ▪ CICS transactions
▪ Look for:
  ▪ Telnet 3270 – ports 23/992 (and variants)
  ▪ FTP – port 21 (and variants)
  ▪ NJE services
  ▪ MQ and Connect:Direct services – ports 1414 and 1363/1364
29. Hacking Mainframes – Gaining Access
▪ Default accounts – IBMUSER/SYS1
  ▪ Most likely disabled
▪ Bruteforcing TSO user accounts
  ▪ Accounts might get locked after 3 attempts
  ▪ Applies to TSO, FTP, SSH etc.
▪ Steal credentials
  ▪ MiTM
  ▪ Phishing (SETn3270)
▪ Using FTP
  ▪ Uploading JCL and executing it to get a reverse shell
    ▪ Manually
    ▪ Metasploit
    ▪ TSh0cker
30. Hacking Mainframes – Gaining Access
▪ Using credentials
  ▪ Most likely provided for a grey-box pentest
▪ CICS applications
  ▪ Usually when the CICS applications are in scope.
  ▪ Some sensitive transactions are accessible without authentication.
  ▪ Tools/Scripts:
    ▪ CICSPwn
    ▪ BRIDA
▪ Other usual ways
  ▪ Webservers
  ▪ DB2
  ▪ Other vulnerable network services
31. Hacking Mainframes – Local Recon
▪ Check your current user's security (RACF) attributes
▪ If you're already "SPECIAL" or "OPERATOR", you have access to everything.
▪ Look for the following:
  ▪ Basic system information – version info, security software used (RACF/ACF2 etc.) etc.
  ▪ Interesting files with configuration of other services (MQ, C:D netmap files etc.)
  ▪ SURROGATE users
  ▪ Users with access to USS etc.
▪ REXX ENUM script: https://github.com/mainframed/Enumeration
32. Hacking Mainframes – Local Recon
▪ Manual way (commands/utils)
  ▪ IPLINFO
  ▪ SHOWZOS
  ▪ TASID
▪ Using the SEARCH command
  ▪ List of APF authorized libraries
  ▪ List of SVCs (Supervisor Calls)
  ▪ Running JOBs
▪ Enumeration in USS/OMVS
  ▪ Check for the 'a' attribute (APF authorized libraries)
  ▪ Usual Unix enumeration – crontabs, config files, webserver folders, files, …
33. Hacking Mainframes – Privilege Escalation
▪ RACF
  ▪ Cracking passwords
  ▪ SURROGATE profiles
    ▪ Submit a job as the SURROGATE user (using JCL)
▪ Unix privilege escalation
  ▪ BPX.SUPERUSER?
    ▪ Permission to su to root without a password
  ▪ BPX.FILEATTR.APF
    ▪ Create APF authorized files (+a)
  ▪ SUPERUSER.FILESYS.MOUNT
    ▪ Mount a malicious filesystem with SPF/SETUID
  ▪ UID = 0 does NOT mean gaining SPECIAL on z/OS
34. Hacking Mainframes – Privilege Escalation
▪ APF authorized libraries:
  ▪ If you have UPDATE access on any of the APF libraries, you can do whatever you want.
▪ SVCs (Supervisor Calls)
▪ Tools/Scripts:
  ▪ ELV.APF (by Ayoub) – https://github.com/ayoul3/Privesc
  ▪ Metasploit (apf_privesc_jcl)
  ▪ Mount a malicious filesystem with SPF/SETUID
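The UPDATE-access condition on APF libraries is something a defender can audit directly. As an added example (not from the slides or from any of the tools named above), this Python checks a list of APF libraries against a simplified model of RACF dataset profiles (UACC plus explicit permits) and flags every library that an ID outside a trusted maintainer group could modify, or that no profile covers at all. The library names, profile data, the `.**` prefix matching and the TRUSTED group are all constructed for illustration.

```python
# Constructed sample data (not from any real system). Access levels follow the
# RACF ordering NONE < EXECUTE < READ < UPDATE < CONTROL < ALTER.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# Libraries as they would appear in the APF list (constructed names).
APF_LIBRARIES = ["SYS1.LINKLIB", "SYS1.LPALIB", "APPL.PROD.LOADLIB",
                 "TEST.USER.LOADLIB", "VENDOR.LOADLIB"]

# Simplified dataset profiles: generic profiles end in ".**" and cover every
# dataset under that prefix; each carries a UACC and explicit permits.
DATASET_PROFILES = {
    "SYS1.**":      {"uacc": "READ",   "permits": {"SYSPROG": "ALTER"}},
    "APPL.PROD.**": {"uacc": "READ",   "permits": {"SYSPROG": "ALTER", "APPLDEV": "UPDATE"}},
    "TEST.**":      {"uacc": "UPDATE", "permits": {}},
}

TRUSTED = {"SYSPROG"}  # IDs expected to maintain APF libraries (assumption)


def matching_profile(dsn, profiles):
    """Return the most specific profile covering dsn (longest matching prefix),
    or None if no profile in the model protects the library."""
    best = None
    for prof in profiles:
        if prof.endswith(".**"):
            prefix = prof[:-3]
            covers = dsn == prefix or dsn.startswith(prefix + ".")
        else:
            prefix, covers = prof, dsn == prof
        if covers and (best is None or len(prefix) > len(best[0])):
            best = (prefix, prof)
    return best[1] if best else None


def audit_apf_libraries(apf_libs, profiles, trusted):
    """Flag APF libraries that anyone outside `trusted` can change: UACC at or
    above UPDATE, an explicit UPDATE+ permit to an untrusted ID, or no profile."""
    findings = []
    for dsn in apf_libs:
        prof = matching_profile(dsn, profiles)
        if prof is None:
            findings.append((dsn, "no dataset profile covers this library"))
            continue
        p = profiles[prof]
        if ACCESS_RANK[p["uacc"]] >= ACCESS_RANK["UPDATE"]:
            findings.append((dsn, f"UACC {p['uacc']} via {prof}"))
        for who, level in p["permits"].items():
            if who not in trusted and ACCESS_RANK[level] >= ACCESS_RANK["UPDATE"]:
                findings.append((dsn, f"{who} has {level} via {prof}"))
    return findings
```

Running `audit_apf_libraries(APF_LIBRARIES, DATASET_PROFILES, TRUSTED)` on the constructed data flags APPL.PROD.LOADLIB (APPLDEV permit), TEST.USER.LOADLIB (UACC UPDATE) and VENDOR.LOADLIB (no profile), while the SYS1 libraries pass.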
35. Demo 2 – From nothing to SPECIAL
36. Challenges
▪ A common belief – "Our mainframe is secure because it's not accessible over the internet"
▪ Every organization has its own mainframe configuration (and it varies a lot)
▪ Highly protected systems in an organization.
  ▪ Making them hard to get information about.
▪ Mainframe teams are usually the only people in an organization who know about these systems.
▪ Everything is documented, but there are too many documents
On the other hand:
▪ Modern mainframers are super helpful and security aware.
▪ The security community has started to gain interest in mainframes recently
37. Where to go from here?
▪ Start exploring z/OS mainframes:
  ▪ Master the Mainframe contest by IBM (https://masterthemainframe.com/)
  ▪ Your company's mainframes are the easiest and hardest to explore.
  ▪ Set up a local lab with Hercules & Turnkey
  ▪ zD&T – if you can afford it.
▪ Develop more resources and tools to aid mainframe security research.
  ▪ Connect:Direct is unexplored as of now.