Mainframe Hacking - Derbycon 5.0

8,426 views

Published on

Here's my talk from this year's Derbycon on Mainframe Security and porting Mainframe tools to Metasploit

Published in: Technology
  • for Mainframe Technologies online training register at http://www.todaycourses.com

Mainframe Hacking - Derbycon 5.0

Slides by @bigendiansmalls

1. Learning mainframe hacking

2. The puzzle
   • Learn how to mainframe
     – Architecture
     – Language
     – Vernacular
   • Make it easier for others
   • Build and port tools
   • Get the word out

3. /ME
   • Enjoys RE, ASM, learning, not taking no for an answer
   • Relative n00b to MF haxoring
   • Loves a good puzzle
   • Really excited about continuing to teach ppl bout Gibsons
   • Here on behalf of myself, not employer
   IN HONOR OF HACKERS 20YR ANNIVERSARY, I BRING YOU:

4. 5 stages of learning mainframe
   1. DENIAL

5. DENIAL
   • Most secure platform
     – If configured correctly **
   • Antiquated tech – on its way out
   • Can’t be exploited by traditional means
   • A quick review:

6. Obsolescence
   • Not.
   • Google it.
   • That’s enough

7. Antiquated
   • Ha!
   • Possible 100% uptime, protection against data loss
   • 5.5 GHz 6-core out-of-order CISC
     – 100+ cores / TBs of RAM
     – Nearly limitless storage, etc.

8. Trad’l hax no apply
   • Things like buffer overflows?
   • RCE?

9. Gut check

10. (image slide)

11. Trad’l hax no apply
   • Well ……

12. 5 stages of learning mainframe
   1. DENIAL
   2. ANGER

13. ANGER
   • This is a complicated system
   • People help
     – Pay for it = good
     – Search for it = lulz
   • Manuals: thorough. Really thorough

14. People un-help

15. (image slide)

16. Doco help overload
   • Manuals with IP in the title:
     – 16 manuals in
     – 59.39 MB of PDF files
     – 13,384 pages
     – Which one? Let’s read the titles:

17. • IPv6 Network and Application Design Guide
   • IP Diagnosis Guide
   • (IP) New Function Summary
   • IP Configuration Guide
   • IP Configuration Reference
   • IP Programmer's Guide and Reference
   • IP User's Guide and Commands
   • IP System Administrator's Commands
   • IP Sockets Application Programming Interface Guide and Reference
   • IP CICS Sockets Guide
   • IP IMS Sockets Guide
   • IP Network Print Facility
   • IP Messages Volume 1 (EZA)
   • IP Messages Volume 2 (EZB, EZD)
   • IP Messages Volume 3 (EZY)
   • IP Messages Volume 4 (EZZ, SNM)

18. 5 stages of learning mainframe
   1. DENIAL
   2. ANGER
   3. BARGAINING

19. BARGAINING
   I solemnly swear I will never, ever complain about a buggy Makefile, if you just let me please get this simple SSHD server set up on a mainframe before I die.

20. 5 stages of learning mainframe
   1. DENIAL
   2. ANGER
   3. BARGAINING
   4. DEPRESSION

21. Depression v1.0
   • And also:
     – Protocol droids – existing mainframe workforce
     – No tribal knowledge – lack of HOWTOs and FAQs
     – Documentation overload

22. DEPRESSION v2.0
   • Up against:
     – Vernacular – words you have never heard, or words with different meanings
     – Tools – designed for developing, testing, and delivering complex workable production systems
     – No public disclosure

23. (image slide)

24. 5 stages of learning mainframe
   1. DENIAL
   2. ANGER
   3. BARGAINING
   4. DEPRESSION
   5. ACCEPTANCE

25. ACCEPTANCE
   • Writing code with only 2 manuals, instead of 7.
   • Help others get involved.
   • Creating tools that others can use
   • Still want to test / secure – but no access, or months to read manuals? How about ….

26. (image slide)

27. metasploit
   • What’s in thus far
     – Basic payloads (3 kinds, 2 flavors)
       • Bind / reverse shell with and without encoders
     – Built-in command shell with decoder
     – Core files for translation, platform & architecture definition

28. Bind shell – enc
   • ~1300 bytes (large!)
   • Encoder included
   • Can use any client to connect, including the std. MSF command shell

29. (image slide)

30. Rev shell – noenc
   • ~300 bytes (small for z)
   • No encoder
   • Must use a client which does translation (MSF now includes one!)

31. (image slide)

32. Post / Other
   • With fundamentals in place
   • Can do custom POST functions
   • Direct command execution
     – With screens

33. (image slide)

34. 3270 WIP
   • Early preview of native 3270 module in MSF
   • Used to echo screens, enter raw commands, and use valid credentials for post-exploitation

35. (image slide)

36. What’s next
   • GCC, GNU utils
   • Debug framework is on the radare
   • Further additions to MSF
     – Customized Meterpreter
     – JCL creator
     – Full TN3270 emulation
       • File transfer / command execution
   • Moar training & teaching

37. THANKS! CONTACT NFO
   IBM
   SoF – graphics, moral support
   Others in the community
   http://www.bigendiansmalls.com
   @bigendiansmalls
   mainframe@bigendiansmalls

38. (image slide)