Gibson 101
QUICK INTRODUCTION TO HACKING MAINFRAMES IN 2020
Thanks
▪ You awesome people for being here
▪ Phil (Soldier of Fortran - @mainframed767)
▪ Chad (@bigendiansmalls)
▪ Ayoub (@ayoul3__)
▪ Many other mainframe security researchers
January 19, 2020 NULL CHAPTER - CHANDIGARH 2
About Me
▪ Organizer – BSides Singapore
▪ Principal Security Consultant at SEC Consult – Singapore
▪ Do the H4kS on a daily basis – Web, Mobile apps & Infra mainly
▪ 7+ years in Information Security
▪ Author of XVWA – WebAppSec learning app
▪ Interested in Windows Exploit development, SDR & Mainframes
▪ Licensed Scuba/Sky diver
▪ Travels in free time (https://www.aroundtheglobe.life/)
▪ Tweet me @samanl33t
What to expect …
▪ Basic Idea of Mainframe systems
▪ Lots of new words and terminologies
▪ Probable overflow of Information in 1 hour.
▪ Attack kill-chain for Mainframes
▪ Demos (Yes!)
▪ (Hopefully) a trigger for curiosity about mainframes
What is a Mainframe?
This..
What is a Mainframe
And this..
What is a Mainframe?
▪ Mainly z/OS on IBM System z
▪ Not AS/400 (System i)
▪ Widely used business-critical systems – banks, insurance, airlines..
▪ Not legacy – the IBM z15 was released a few months ago.
▪ Available since the 1950s
▪ Handles millions of I/O operations per second.
▪ God of backwards compatibility
▪ Built for RAS (Reliability, Availability, Serviceability)
▪ Supports many languages – HLASM, COBOL, C, Java, JCL, REXX, CLIST, Python etc.
z15 Specs
▪ 190 processors – 12 core, 5.2 GHz each
▪ 40 TB of RAM
▪ Dedicated processors for managing I/O
▪ Dedicated processors for Encryption/Decryption
Why is this relevant?
z/OS Terminal
Talking Mainframe..
▪ LPARs – Logical Partitions (hosts/servers)
▪ VTAM – Virtual Telecommunications Access Method
▪ DASD – Direct Access Storage Devices (basically hard drives)
▪ Storage – memory
▪ TSO – Time Sharing Option (the z/OS shell)
▪ IPL – Initial Program Load – booting the mainframe
▪ Sysprog – System Programmer; Operators – console operators
▪ MVS, OS/390 – older names for z/OS
Talking Mainframe – Files/Folders
▪ Called datasets
▪ Starts with a High Level Qualifier (HLQ)
  For example: “NULLCHD” in “NULLCHD.TEST.FILE”
▪ Two types:
  ▪ Sequential datasets
    Use the . (“dot”) naming convention
    Example: NULLCHD.TEST.FILE, where NULLCHD is the HLQ, TEST is like a folder and FILE is the file.
  ▪ Partitioned datasets (PDS)
    Also called libraries, libs
    Example: NULLCHD.TEST(FILE), where NULLCHD is the HLQ, TEST is the library and FILE is a member of the library
▪ Files are called “members of a dataset” in the case of a PDS
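As an added example (not from the slides), a small Python parser for the dataset naming convention above, plus a matcher for RACF generic dataset-profile patterns (`%`, `*`, `**` under enhanced generic naming) so you can check which profile would cover a given dataset. The naming rules and wildcard semantics are IBM's documented ones; the sample names are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# MVS dataset naming rules (IBM's documented rules, not something from the slides):
#  - at most 44 characters in total, qualifiers joined by '.'
#  - each qualifier is 1-8 characters; first one alphabetic or national (@ # $),
#    the rest alphanumeric, national or hyphen
#  - a PDS member is referenced as HLQ.LIB(MEMBER); member names are 1-8 characters, no hyphen
_QUALIFIER = re.compile(r"^[A-Z@#$][A-Z0-9@#$-]{0,7}$")
_MEMBER = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")


@dataclass
class DatasetName:
    qualifiers: List[str]          # e.g. ["NULLCHD", "TEST", "FILE"]
    member: Optional[str] = None   # set only for a PDS member reference like NULLCHD.TEST(FILE)

    @property
    def hlq(self) -> str:
        return self.qualifiers[0]

    @property
    def dsname(self) -> str:
        return ".".join(self.qualifiers)


def parse_dataset_name(text: str) -> DatasetName:
    """Parse 'HLQ.Q2.Q3' or 'HLQ.LIB(MEMBER)'; raise ValueError on anything z/OS would reject."""
    name = text.strip().upper()        # the system folds dataset names to upper case
    member = None
    if "(" in name or ")" in name:
        m = re.fullmatch(r"([^()]+)\(([^()]+)\)", name)
        if m is None:
            raise ValueError(f"malformed member reference: {text!r}")
        name, member = m.group(1), m.group(2)
        if not _MEMBER.match(member):
            raise ValueError(f"invalid member name: {member!r}")
    if len(name) > 44:
        raise ValueError(f"dataset name longer than 44 characters: {name!r}")
    qualifiers = name.split(".")
    for q in qualifiers:
        if not _QUALIFIER.match(q):
            raise ValueError(f"invalid qualifier {q!r} in {name!r}")
    return DatasetName(qualifiers, member)


def is_valid_dataset_name(text: str) -> bool:
    try:
        parse_dataset_name(text)
        return True
    except ValueError:
        return False


def _qualifier_matches(pattern: str, qualifier: str) -> bool:
    # Inside one qualifier: '%' matches exactly one character, '*' matches zero or more.
    regex = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, qualifier) is not None


def _match_qualifiers(pattern: List[str], dataset: List[str]) -> bool:
    if not pattern:
        return not dataset
    head, rest = pattern[0], pattern[1:]
    if head == "**":                   # '**' matches zero or more whole qualifiers
        return any(_match_qualifiers(rest, dataset[i:]) for i in range(len(dataset) + 1))
    if not dataset:
        return False
    return _qualifier_matches(head, dataset[0]) and _match_qualifiers(rest, dataset[1:])


def profile_covers(profile: str, dsname: str) -> bool:
    """Does a RACF generic dataset profile (enhanced generic naming) cover this dataset name?"""
    return _match_qualifiers(profile.upper().split("."), parse_dataset_name(dsname).qualifiers)
```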
Connecting to z/OS system
▪ TN3270 protocol
  ▪ Basically Telnet on weed
  ▪ Uses EBCDIC (not ASCII)
  ▪ Clear-text
  ▪ TN3270 over SSL/TLS is also used (port 992)
▪ Emulators:
  ▪ x3270
  ▪ wc3270 (Windows)
  ▪ c3270
▪ VTAM: the first screen you see when you connect over TN3270
Time Sharing Option (TSO)
▪ Command prompt for z/OS
▪ Not so user friendly
▪ Accepts commands like:
  ▪ ping
  ▪ netstat home
  ▪ Listuser (LU)
Time Sharing Option (TSO)
Interactive System Productivity Facility (ISPF)
▪ Panel-driven GUI for z/OS
▪ User friendly
Unix on Mainframe – USS/OMVS
▪ Unix System Services (USS)
▪ Implements the TCP/IP stack
▪ Used in almost all z/OS systems today
▪ Web server, FTP, SSH etc. are configured and run from here.
▪ Supports a lot of standard Unix commands
▪ Comes with z/OS-specific UNIX commands
Unix on Mainframe – USS/OMVS
Other interfaces
▪ FTP
▪ SSH
▪ Telnet – normal telnet
▪ NJE – Network Job Entry
▪ Connect:Direct (C:D)
▪ Message Queues (MQ)
▪ Etc..
Mainframe Applications
▪ Applications for transaction management
  ▪ CICS – Customer Information Control System
    ▪ Most common today
  ▪ IMS – Information Management System
  ▪ Trust is placed on the client side.
▪ Batch processing
  ▪ Out of scope for this talk
Demo 1 – Mainframe (z/OS) Interface
z/OS Security Architecture
▪ By design – a strong security architecture.
▪ Strong segregation for each program running on the system
▪ This segregation prevents programs from interfering with other programs as well as with the Operating System.
▪ Unless the system is modified to grant such privileges to a program (privileged programs)
▪ Privileged programs can bypass ALL security controls.
z/OS Security Controls
Two types:
▪ Hardware-based security controls
  ▪ Supervisor State – restricts privileged hardware instructions
  ▪ Protect Keys – restrict the memory a program can update
  ▪ Address Spaces – restrict the memory a program can read
▪ Software-based security controls:
  ▪ RACF (IBM)
  ▪ ACF2 (CA)
  ▪ Top Secret (CA)
The purpose of software-based controls is to check what a user is authorized to access and do.
Resource Access Control Facility (RACF)
▪ Has about 75% of the market
▪ Almost everything is controlled via RACF
▪ Stores everything in the RACF DB
  ▪ Password hashes as well
▪ Users and other resources are assigned attributes defining their privilege level:
  ▪ Super-user access is called "SPECIAL" (the SPECIAL attribute)
▪ Default passwords are 6/8 characters (all caps, 3 special characters)
▪ Default user – IBMUSER/SYS1
  ▪ Usually disabled
▪ Allows: WARNING mode & SURROGATE profiles
Hacking/Pentesting Mainframes
Hacking/Pentesting Mainframes
Common scope:
▪ z/OS system – which includes the complete OS, RACF, TSO etc.
▪ Mainframe applications – CICS, IMS etc.
Approach:
Initial Recon > Gaining Access > Local Recon > Privilege Escalation
Hacking Mainframes – Initial Recon
▪ Nmap scanning
  ▪ Open ports/running services
  ▪ Nmap scripts (by Phil Young) to enumerate the following information:
    ▪ VTAM (APPLIDs)
    ▪ Logical Units (LUs)
    ▪ TSO user IDs
    ▪ CICS transactions
▪ Look for:
  ▪ Telnet 3270 – port 23/992 (and variants)
  ▪ FTP – port 21 (and variants)
  ▪ NJE services
  ▪ MQ and Connect:Direct services – 1414 & 1363,1364.
Hacking Mainframes – Gaining Access
▪ Default accounts – IBMUSER/SYS1
  ▪ Most likely disabled
▪ Brute-forcing TSO user accounts
  ▪ Accounts might get locked after 3 attempts
  ▪ Applies to TSO, FTP, SSH etc.
▪ Steal credentials
  ▪ MiTM
  ▪ Phishing (SETn3270)
▪ Using FTP
  ▪ Uploading JCL and executing it to get a reverse shell
    ▪ Manually
    ▪ Metasploit
    ▪ TSh0cker
Hacking Mainframes – Gaining Access
▪ Using credentials
  ▪ Most likely provided for a grey-box pentest
▪ CICS applications
  ▪ This is usually when the CICS applications are in scope.
  ▪ Some sensitive transactions are accessible without authentication.
  ▪ Tools/scripts:
    ▪ CICSPwn
    ▪ BRIDA
▪ Other usual ways
  ▪ Web servers
  ▪ DB2
  ▪ Other vulnerable network services
Hacking Mainframes – Local Recon
▪ Check your current user’s security (RACF) attributes
▪ If you’re already “SPECIAL” or “OPERATOR”, you have access to everything.
▪ Look for the following:
  ▪ Basic system information – version info, security software used (RACF/ACF2 etc.) etc.
  ▪ Interesting files with configuration of other services (MQ, C:D netmap files etc.)
  ▪ SURROGATE users
  ▪ Users with access to USS etc.
▪ REXX ENUM script: https://github.com/mainframed/Enumeration
Hacking Mainframes – Local Recon
▪ Manual way (commands/utils)
  ▪ IPLINFO
  ▪ SHOWZOS
  ▪ TASID
▪ Using the SEARCH command
  ▪ List of APF-authorized libraries
  ▪ List of SVCs (Supervisor Calls)
  ▪ Running jobs
▪ Enumeration in USS/OMVS
  ▪ Check for the 'a' attribute (APF-authorized libraries)
  ▪ Usual Unix enumeration – crontabs, config files, web server folders, files etc.
Hacking Mainframes – Privilege Escalation
▪ RACF
  ▪ Cracking passwords
  ▪ SURROGATE profiles
    ▪ Submit a job as the SURROGATE user (using JCL)
▪ Unix privilege escalation
  ▪ BPX.SUPERUSER?
    ▪ Permits su to root without a password
  ▪ BPX.FILEATTR.APF
    ▪ Create APF-authorized files (+a)
  ▪ SUPERUSER.FILESYS.MOUNT
    ▪ Mount a malicious filesystem with SPF/SETUID
▪ UID = 0 is NOT the same as gaining SPECIAL on z/OS
Hacking Mainframes – Privilege Escalation
▪ APF-authorized libraries:
  ▪ If you have UPDATE access on any of the APF libraries, you can do whatever you want.
▪ SVCs (Supervisor Calls)
▪ Tools/scripts –
  ▪ ELV.APF (by Ayoub) – https://github.com/ayoul3/Privesc
  ▪ Metasploit (apf_privesc_jcl)
  ▪ Mount a malicious filesystem with SPF/SETUID
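As an added example that is not part of the talk, covering both the USS 'a'-attribute check in the local-recon slide and the "UPDATE access on an APF library" point above: a Python audit helper that turns `ls -E` output from USS into findings, keeping only files that carry the APF (`a`) extended attribute and ranking them by whether group or world can write to them. The column layout of `ls -E` assumed here (mode, a four-character `apsl` attribute field, link count, owner, group, size, date, path) is my assumption, and the sample output is constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `ls -E` output from USS. Assumed column layout: mode, a 4-character
# extended-attribute field (a = APF-authorized, p = program-controlled, s = shared address
# space, l = shared library, '-' = unset), link count, owner, group, size, date, path.
SAMPLE_LS_E = """\
-rwxr-xr-x  a-s-  1 BPXROOT  SYS1     98304 Jan 19 2020 /usr/lpp/app/bin/loader
-rwxrwxrwx  a---  1 APPUSER  APPGRP   65536 Jan 19 2020 /u/appuser/tools/helper
-rwsr-xr-x  -ps-  1 BPXROOT  SYS1    131072 Jan 19 2020 /bin/su
-rw-rw-r--  a---  1 APPUSER  DEVGRP    4096 Jan 19 2020 /u/appuser/tools/patch
-rwxr-xr-x  ----  1 APPUSER  APPGRP    2048 Jan 19 2020 /u/appuser/notes.txt
"""

_LS_LINE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})\s+(?P<ext>[apsl-]{4})\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>\S.*)$"
)


@dataclass
class ApfFinding:
    path: str
    owner: str
    group: str
    mode: str       # the 10-character mode string, e.g. -rwxr-xr-x
    extattrs: str   # the 4-character extended-attribute field, e.g. a-s-

    @property
    def group_writable(self) -> bool:
        return self.mode[5] == "w"

    @property
    def world_writable(self) -> bool:
        return self.mode[8] == "w"

    @property
    def severity(self) -> str:
        # Whoever can write to an APF-authorized executable controls code that runs
        # authorized, so writability by others is what matters, not the attribute itself.
        if self.world_writable:
            return "HIGH"
        if self.group_writable:
            return "MEDIUM"
        return "INFO"


def find_apf_files(ls_output: str) -> List[ApfFinding]:
    """Keep only entries whose extended attributes include 'a' (APF-authorized)."""
    findings = []
    for line in ls_output.splitlines():
        m = _LS_LINE.match(line)
        if m is None or "a" not in m["ext"]:
            continue
        findings.append(ApfFinding(m["path"], m["owner"], m["group"], m["mode"], m["ext"]))
    return findings


def report(ls_output: str) -> List[str]:
    """One line per finding, highest severity first."""
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    rows = sorted(find_apf_files(ls_output), key=lambda f: order[f.severity])
    return [f"{f.severity:6} {f.mode} {f.extattrs} {f.owner}:{f.group} {f.path}" for f in rows]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LS_E)))
```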
Demo 2 – From nothing to SPECIAL
Challenges
▪ A common belief – “Our mainframe is secure because it’s not accessible over the internet”
▪ Every organization has its own mainframe configuration (and it varies a lot)
▪ Highly protected systems in an organization.
  ▪ Making them hard to get information about.
▪ Mainframe teams are usually the only people in an organization who know about these systems.
▪ Everything is documented, but there are too many documents
On the other hand:
▪ Modern mainframers are super helpful and security aware.
▪ The security community has started to gain interest in mainframes recently
Where to go from here?
▪ Start exploring z/OS mainframes:
  ▪ Master the Mainframe contest by IBM (https://masterthemainframe.com/)
  ▪ Your company’s mainframes are the easiest and the hardest to explore.
  ▪ Set up a local lab with Hercules & Turnkey
  ▪ zD&T – if you can afford it.
▪ Develop more resources and tools to aid mainframe security research.
  ▪ Connect:Direct is unexplored as of now.
Overwhelmed?
Twitter: @samanl33t Email: saman.j.l33t@gmail.com
Awesome Mainframe Hacking Resources :
https://github.com/samanL33T/Awesome-Mainframe-Hacking