The document explores the vulnerabilities of mainframes, particularly in the context of SCADA systems, highlighting their outdated security measures and the potential for cyberattacks. It draws parallels between historical incidents like Stuxnet and the current state of mainframe security, emphasizing the need for modernization and better protection strategies. Ultimately, it serves as a cautionary note, advocating for increased awareness and research into mainframe security to avoid repeating past mistakes.

1. A STUXNET FOR MAINFRAMES

2. Cheryl Biswas
• Security researcher/analyst Threat Intel
• APTs, Mainframes, ICS SCADA, Shadow IT, StarTrek
• BSidesLV, Circle City, BSidesT0, SecTor, Hackfest, TiaraCon
• https://whitehatcheryl.wordpress.com
• Twitter: @3ncr1pt3d
DISCLAIMER: The views represented here are solely her own and not those of
her employers, past or present.
11/4/2016@3ncr1pt3d A Stuxnet For Mainframes

3. HEAD IN THE SAND DEFENCE

4. YOU SAY SCADA
WE SAY … MAINFRAMES

5. MOM!! THE INTERNET IS BROKEN

6. INTRO
In the beginning
There were mainframes
And it was good.

7. Then came Scada. And it was good too.

8. CONGRATULATIONS! IT’S A ... PLC

9. BUT THEN CAME
...

10. WHAT IS
SCADA

11. I CAN’T LIVE ...
IF LIVING IS WITHOUT YOU

13. DOES NOT
PLAY WELL
WITH OTHERS

14. WHAT ARE MAINFRAMES?

15. MAINFRAMES … RIGHT?

16. THESE ARE NOT THE MAINFRAMES YOU’RE
LOOKING FOR

17. THIS AIN’T YOUR GRANDMA’S MAINFRAME

18. MAINFRAMES - BUILT TO LAST
• High Availability
• Longevity
• Virtualization
• The ability to offload to separate engines
• Backward compatibility with older software
• Massive Throughput
https://en.wikipedia.org/wiki/Mainframe_computer

19. @3ncr1pt3d A Stuxnet For Mainframes 11/4/2016

21. SCADA MAINFRAME
❏ Culture
❏ Security Approach
❏ Perceptions
❏ Built to Last
❏ Closed off
❏ Does not play well
with others
❏ Culture
❏ Security Approach
❏ Perceptions
❏ Built to Last
❏ Closed off
❏ Does not play well
with others

24. Innovation
Disruption
Would you like some security
with that?

25. SECURITY BASICS WE KEEP GETTING WRONG
❏ Passwords
❏ Encryption
❏ Access
❏ Patching
http://blog.senr.io/blog/unique-snowfla
kes-or-ubiquitous-tech-the-truth-behind
-the-industrial-internet-of-things-iiot

26. ICS / SCADA - WHAT HAVE WE LEARNED?

27. "NONE OF OUR SCADA OR ICS
EQUIPMENT IS ACCESSIBLE FROM THE
INTERNET."
O RLY?

28. PROJECT SHINE
1,000,000
SCADA ICS
DEVICES
FOUND ONLINE

32. SCADA ATTACK VECTORS

33. SCADA ATTACKS
Malicious Trojan
http://www.risidata.com/Database

34. SCADA ATTACKS
Stolen equipment
http://www.risidata.com/Database

35. SCADA ATTACKS
Social Engineering
http://www.risidata.com/Database

36. SCADA - JUMPING AIR GAPS
• Designed for underwater communication
• Near ultrasonic frequency
• Remote key logging for multiple hops
http://www.jocm.us/index.php?m=content&c=index&a=show&c
atid=124&id=600

38. MAINFRAMES & SCADA - THE LINKS
• Similar in Culture
• Lack of security
• Perceived as secure
• “Air Gapped”
• “See no evil” – cuz you don’t see it if you aren’t
looking

40. BUT IT’S AIR GAPPED
“Mainframe modernization or exposing the classic
system of record data to new services means that the
data is no longer isolated on the mainframe – the
world is now “unknown, unknown.” We have lost sight
and control of where the data is going the minute we
try to harness mainframe data for other purposes than
batch or transaction applications.”
zOS Expert

41. MAINFRAME - LACK OF ATTACK DATA
Because … What you don’t see won’t hurt you

42. CULTURE
http://mainframed767.tumblr.com/post/79167015212/please-dont
-post-on-mainframe-forums?is_related_post=1

44. MAINFRAME EXPLOIT RESEARCH

45. MAINFRAME - EXPLOIT RESEARCH
Bigendiansmalls
https://www.bigendiansmalls.com/category/security/exploit-develop
ment/

46. MAINFRAME - NMAP
Can now detect Mainframe ports
Mainframe banners are not static
More accessible to others for hacking
http://mainframed767.tumblr.com/post/132669411918/mainframes-a
nd-nmap-together-at-last
http://mainframed767.tumblr.com/post/47105571997/nmap-script-to
-grab-mainframe-screens

47. MAINFRAMES - BIND SHELLCODE
Mainframe assembler
EBCDIC to ASCII converter
Connect with NetCat
https://www.bigendiansmalls.com/mainframe-bind-shell-source-code
/
ASCII TO
EBCDIC
ASCII TO
EBCDIC
EBCDIC TO ASCII

48. LETS GET TECHNICAL

49. MAINFRAMES - STACK BUT DIFFERENT
▪Mainframe prologue creates Dynamic Storage Area
▪Points to next free byte on the stack used
▪Does not subtract from ESP to allocate space
▪Register used as a stack pointer
▪Not forced to do so.
https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-and
cease-and-desist-letters-guest-post-2/

50. ALLOCATION OF MEMORY - FUNCTION
PROLOGUE
0x8012343
0x8012344
Function Called
0x8012345 -
SFP
IP
EBP
MAIN()ESP
EBP
SFPESP +

51. ALLOCATION MEMORY - FUNCTION
PROLOGUE
0x8012345
0x8012344
Function Called
IP Allocated
Memory
EBP
-28ESPMAIN() FUNCTIO
N()
SFPESP +

52. ALLOCATION MEMORY - FUNCTION
EPILOGUIE
IP
EBP
MAIN()ESP
EBP
SFP
ESP +
SFP

53. ALLOCATION MEMORY - DSA PROLOGUE
0x8012345
0x8012344
Function
“Called”
IP
Dynamic
Storage Area
MAIN()
Pointer to
original DS
DSA NOT
STACK
Save Area

54. Not gonna
happen
HOW TO EXPLOIT - STRING EXPLOITATION !=
WINAlways aware of length
StringStringStringStrin
gString
Length
StringStringStrin
gStri
Length
https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-an
d-cease-and-desist-letters-guest-post-2/
AAAAAAAAAA

55. MAINFRAMES - UNIQUE TO EXPLOIT
S0C1 Exception
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zo
s-le
AAAAAAAAAAAAAAA
AAAAAA
Memory
containing Data
OPCODES
OPCODE does not
exist
No size checking
AAAAA
AAA
Overflow causes
execution to
branch to another
memory location

56. MAINFRAMES - UNIQUE TO EXPLOIT
S0C1 Exception
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zo
s-le
DSA Level 0 DSA 1
Returns to DS 0
DSA
Level 0
DSA 2
DSA
Level 1
Register 14 = RP

57. MAINFRAMES - UNIQUE TO EXPLOIT
Globally addressed arrays
S0C1 Exception
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zo
s-le
DSA Level 0 DSA 2DSA Level 1
Register 14 = RP
DSA 2DSA 1 DSA 3
Procedure returns to Level 1
Actually executes
code in DSA2

58. MAINFRAMES - INSECURITY OF MEMORY
Memory not more secure than Windows or Unix.
No “DEP”
No strict ASLR
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zo
s-le

59. ACCESSIBLE TO YOU!

60. FTP EXPLOIT
EXPLOIT/MAINFRAME/FTP/FTP_JCL_CREDS

61. MAINFRAME - FIRST METASPLOIT MODULE
Poorly configured FTP server.
FTP -> Shell
https://www.bigendiansmalls.com/a-logical-first-step/

62. FTP METASPLOIT MODULE
ARCH_CMD Executes a command, or uses a command to
give a shell
Platform: Mainframe Uses the Mainframe payloads of metasploit
Target Automatic Only works with IBM FTP CS V.R.
Requires Credentials Credentials allow a file to be uploaded
Debugging enabled Can enable Verbose and FTPdebug
https://www.bigendiansmalls.com/a-logical-first-step/
https://www.rapid7.com/db/modules/exploit/mainframe/ftp/

63. FTP METASPLOIT MODULE
Checks Banner
If banner correct, logs in and uploads file
File is uploaded as JOB & executes
https://www.bigendiansmalls.com/a-logical-first-step/@3ncr1pt3d A Stuxnet For Mainframes 11/4/2016

64. GENERIC JCL TEST FOR MAINFRAME EXPLOITS
This can be used as a template for other JCL based payloads
https://www.rapid7.com/db/modules/payload/cmd/mainframe/generic_j
clhttps://www.bigendiansmalls.com/a-logical-first-step/

65. Z/OS (MVS) COMMAND SHELL, REVERSE TCP
Creates a reverse shell.This implementation does not include ebcdic character
translation, so a client with translation capabilities is required. MSF handles this
automatically.
https://www.rapid7.com/db/modules/exploit/mainframe/ftp/ft
p_jcl_creds
https://www.bigendiansmalls.com/mainframe-bind-shell-sourc

66. GENERIC COMMAND SHELL
Connect back to attacker and spawn a command shell

67. HOW THE MIGHTY FALL

68. BIGENDIAN POC
11/4/2016@3ncr1pt3d A Stuxnet For Mainframes

69. STUXNET - SCADA

72. SCADA - STUXNET
• Air Gap bypass
• APT
• C2
• Self erasing
• Specific to system it wants
• Nation State

73. SCADA -THE THREAT IS REAL
• Dec 2015 Powergrid attack in
Ukraine
• March 2016 Ransomware hits
US power company in
Michigan
• June 2016 Irongate Targetted
ICS malware in testing stage

74. CRYSTAL BALL GAZING

75. We’re here to say history doesn’t need to
repeat itself. Especially not when we
know how dire the outcome could be.
Scada gives us the lessons we need to
learn from and apply to mainframe
security. The question now is - will we do
it?

79. THE KEYS TO THE KINGDOM
▪ Obtain Domain admin level creds
▪ Gain a copy of NTDS.dit for Kerberos golden tickets to move freely
▪ Identify the back up and recovery systems, including DRP
▪ Identify the critical data and services. Mission critical
▪ Identify messaging servers
▪ Find and compromise application distribution platforms

82. HOW TO GET YOUR FEET WET
Researchers to Research
• https://www.bigendiansmalls.com/
• http://mainframed767.tumblr.com/
• Mainframe Assembly
• locallyhttp://www.cbttape.org/ftp/asmbook/alnv200.pdf

83. HOW TO GET YOUR FEET WET
• Virtualization software to play
• http://www.bsp-gmbh.com/turnkey/
• http://mvs380.sourceforge.net/
• https://www.tripwire.com/state-of-security/security-data-protection/cyber-secur
ity/mainframe-insecuritites-or-hack-the-gibson-no-really/