13. VANGUARD SECURITY & COMPLIANCE 2016
Purpose
This session will:
• Go over the tools introduced in Monday's keynote
• Explain what's going on behind the scenes
• Show you how to use the tools
16. Kali Linux
• A Linux distribution
• Comes pre-loaded with multiple tools:
  • BURP
  • Metasploit
  • BeEF
  • Many more
20. Nmap
• Created in 1997
• By: Fyodor
• Mostly ‘C’
• Includes Service Detection
• Added Scripting Engine in ‘07
21. Nmap
• Network MAP
• Uses various techniques to discover open ports
• E.g. "SYN scan"
22. Service Probes
• Identify what is running on a port
• Uses TCP/UDP probes
23. Nmap Probes
• Use the flag: '-sV'
• Null Probe: Nmap sends nothing and matches the data the service sends to it first (its banner)
• Approx 4,000 'Null Probes'
Let's look at TN3270*:
match tn3270 m|^\xff\xfd\x1d| p/IBM Telnet TN3270/ i/3270-REGIME/
* line 4606 in nmap-service-probes
24. TN3270 Null Probe
match -> 'Match the following'
tn3270 -> 'with tn3270'
m|^\xff\xfd\x1d| -> regex to match; \xff\xfd\x1d = IAC DO TN3270E
p/IBM Telnet TN3270/ -> set the product name to 'IBM Telnet…'
26. Other Probes
• TCP Probes
  • Send data, inspect the reply
• For example, the Network Job Entry probe:
28. NJE Probe
• Sends an invalid NJE 'OPEN' packet
• Waits for either 'ACK' or 'NAK' in EBCDIC
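How a match line such as the tn3270 one above is actually applied to a response, as an added Python example written for these two probe slides (it is not code from the slides or from Nmap itself). It parses the tn3270 match line quoted on the slide plus two NJE match lines that are constructed for this example (ACK/NAK spelled in EBCDIC code page 037; they are not the real NJE entries from nmap-service-probes), then tests constructed responses against the table the way the null probe and the NJE probe do. It also decodes the leading Telnet bytes: 0xff 0xfd is IAC DO, and option 0x1d is the Telnet 3270-REGIME option (RFC 1041), which is what the match line's i/3270-REGIME/ field records; the TN3270E option proper is 0x28 (RFC 2355).

```python
import re

# Constructed table of nmap-service-probes style "match" lines. The tn3270 line is the one
# quoted on the slide; the two NJE lines are constructed for this example (ACK/NAK spelled
# in EBCDIC code page 037) and are NOT the real NJE entries from nmap-service-probes.
MATCH_LINES = [
    r"match tn3270 m|^\xff\xfd\x1d| p/IBM Telnet TN3270/ i/3270-REGIME/",
    r"match nje m|^\xc1\xc3\xd2| p/IBM Network Job Entry/ i/ACK/",
    r"match nje m|^\xd5\xc1\xd2| p/IBM Network Job Entry/ i/NAK/",
]

# match <service> m<delim>regex<delim>[flags] <version fields...>
MATCH_RE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$")
# version-info fields: p/product/ v/version/ i/info/ h/hostname/ o/os/ d/devicetype/
FIELD_RE = re.compile(r"([pvihod])/([^/]*)/")

def parse_match(line):
    """Split one match line into (service, compiled bytes regex, {field: value})."""
    m = MATCH_RE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _delim, pattern, flags, rest = m.groups()
    re_flags = re.IGNORECASE if "i" in flags else 0
    if "s" in flags:
        re_flags |= re.DOTALL
    # The pattern text carries escapes such as \xff; Python's bytes regex engine
    # understands the same escapes, so the text is compiled as-is against raw bytes.
    regex = re.compile(pattern.encode("latin-1"), re_flags)
    return service, regex, dict(FIELD_RE.findall(rest))

PROBE_TABLE = [parse_match(line) for line in MATCH_LINES]

def identify(response):
    """Return (service, fields) of the first match line hit by the response bytes, else None."""
    for service, regex, fields in PROBE_TABLE:
        if regex.search(response):
            return service, fields
    return None

# Telnet (RFC 854) command and option names needed to read the TN3270 banner bytes.
TELNET_CMD = {0xfb: "WILL", 0xfc: "WONT", 0xfd: "DO", 0xfe: "DONT"}
TELNET_OPT = {0x18: "TERMINAL-TYPE", 0x19: "END-OF-RECORD", 0x1d: "3270-REGIME", 0x28: "TN3270E"}

def telnet_negotiation(response):
    """Decode a leading IAC <cmd> <option> triple, e.g. b'\\xff\\xfd\\x1d' -> 'IAC DO 3270-REGIME'."""
    if len(response) < 3 or response[0] != 0xff or response[1] not in TELNET_CMD:
        return None
    opt = response[2]
    return "IAC %s %s" % (TELNET_CMD[response[1]], TELNET_OPT.get(opt, "option %d" % opt))

if __name__ == "__main__":
    # Constructed responses: a TN3270 server banner, an NJE NAK, and something unrelated.
    for banner in (b"\xff\xfd\x1d", "NAK".encode("cp037"), b"SSH-2.0-OpenSSH_7.2\r\n"):
        print(banner, "->", identify(banner), telnet_negotiation(banner))
```

Only the first matching line wins, which is why ordering inside nmap-service-probes matters: a loose pattern placed before a tight one would mislabel the service. A defender reviewing what `-sV` reports for an LPAR can use the same table to check which banner bytes produced a given label.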
33. TN3270 NSE Library
• A 'virtual' TN3270 terminal written in Lua
• Available: https://github.com/zedsec390/NMAP
• Allows for the following:
34. Invoke
• To invoke scripts use the flag --script
  (\ is line continuation in Linux)
nmap -sV \
  --script tn3270-screen
36. Additional TN3270 Scripts
• VTAM Applid Enumeration
• TSO:
  • User ID Enumeration
  • Password Brute Force
• CICS:
  • Transaction Enumeration
  • User ID Enumeration
  • User Password Brute Forcing
38. TSO User Enumeration
• Let's walk through the arguments:
• Note the libraries: brute & unpwdb

Argument                     Definition
brute.maxthreads=100         Max number of concurrent connections. Set to 100.
userdb='/tmp/users.txt'      File with usernames you want to test.
tso-enum.commands='TSOL5'    The command used to get to TSO.
39. CICS Transaction Enumeration

Argument                       Definition
brute.maxthreads=100           Max number of concurrent connections. Set to 100.
idlist='/tmp/users.txt'        File with the CICS transactions you're looking for.
cics-enum.commands='CICSTS29'  The command used to get to the CICS region.
cics-enum.path='/home/test'    Screenshots of successfully identified transactions will be placed in this folder.
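What the two enumeration runs above look like from the system side, as an added detection example written for this section (it is not part of the slides or of the zedsec390 scripts). The logon records are constructed in a generic one-line format, not a real z/OS message format; on a real system the same logic would be fed from RACF ICH408I syslog messages or SMF type 80 records. A source that walks many distinct user IDs in a short window (the userdb pattern) or piles up failed logons against one applid (the password brute-force pattern) is flagged. With brute.maxthreads=100 the scripts can produce such a burst in seconds, so per-minute thresholds well below 100, like the ones assumed here, are reasonable.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records (not a real z/OS log format): timestamp, source IP, applid, user, result.
# 10.0.0.5 is an ordinary user; 10.0.0.9 walks a user list (the tso-enum pattern);
# 10.0.0.11 hammers a single user ID (the password brute-force pattern).
SAMPLE_LOG = ["2016-08-09T10:00:00 10.0.0.5 TSOL5 JSMITH OK",
              "2016-08-09T10:05:00 10.0.0.5 TSOL5 JSMITH FAIL",
              "2016-08-09T10:05:07 10.0.0.5 TSOL5 JSMITH OK"]
SAMPLE_LOG += ["2016-08-09T10:10:%02d 10.0.0.9 TSOL5 USER%02d FAIL" % (i, i) for i in range(12)]
SAMPLE_LOG += ["2016-08-09T10:20:%02d 10.0.0.11 TSOL5 JDOE FAIL" % i for i in range(25)]

def parse(line):
    """Split one constructed record into (timestamp, src, applid, user, result)."""
    ts, src, applid, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, applid, user, result

def detect(lines, window=timedelta(seconds=60), max_failures=20, max_users=10):
    """Map source IP -> reason for every source that, within any 'window', either
    fails max_failures logons (brute force) or tries max_users distinct user IDs (enumeration).
    Thresholds are assumed values for this example, not tuned figures."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse(line)
            by_src[rec[1]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Slide 'start' forward until recs[start:end+1] spans at most 'window'.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            current = recs[start:end + 1]
            failures = sum(1 for r in current if r[4] == "FAIL")
            users = {r[3] for r in current}
            if failures >= max_failures:
                alerts[src] = "%d failed logons in %ds" % (failures, window.total_seconds())
                break
            if len(users) >= max_users:
                alerts[src] = "%d distinct user IDs in %ds" % (len(users), window.total_seconds())
                break
    return alerts

if __name__ == "__main__":
    for src, reason in sorted(detect(SAMPLE_LOG).items()):
        print(src, reason)
```

The distinct-user rule is the one that catches enumeration: a user list walk produces one failure per ID, so a failure-count threshold alone can miss it, while the ordinary user who mistypes a password once never reaches either threshold.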
42. Metasploit Framework
• Developed by H.D. Moore in 2003
• Moved to Ruby in 2007
• Created an easy-to-use exploit platform
• Chad Rikansrud (@bigendiansmalls) added JCL and z/OS architecture support in 2016
43. Using MSF
• Run 'msfconsole'
• To list all exploits: show exploits
• Run the ONLY z/OS 'exploit':
  use exploit/mainframe/ftp/ftp_jcl_creds
• Show the options with: show options
• Fill in the options you need
• Select which 'payload' you want to use
44. Set options
• Exploit options:

Option    Definition
FTPUSER   User ID to use.
FTPPASS   Password to use.
RHOST     FTP hostname/IP address of the target LPAR
RPORT     FTP port (use Nmap)
45. Metasploit Payload Options
Now select a payload:
set payload cmd/mainframe/reverse_shell_jcl
Change the payload options:

Option    Definition
LHOST     Our hostname or IP address
LPORT     The port you want Metasploit to open a listener on.
49. CICSpwn
• Released this year by Ayoul
• Relies on CEMT/CEDA transaction IDs (for now)
• Uses CEMT to upload and execute JCL/REXX
• Can be used to assess CICS and break in to environments
• Requires Python 2.7
50. Interesting Options
Invoke with: python cicspwn

Flag       Definition
-i         Gather information
-A         Test all options
-s         Upload JCL to be executed by the CICS user (requires CEMT)
--bypass   Will bypass RACF if CEDA is available.
54. Escalation
• So far only network based
• What happens after access is granted?
55. Some Ideas
• Storage 'scrapers' to gather system information (think 'IPLINFO' but built into Metasploit)
• Automated APF tools to attempt privilege escalation through zapping APF-authorized modules
• Data dumping tools to grab all datasets
• SMP/E corruption
56. Why Not?
• Make your own tools?
I'd prefer the tools come with what the experts need, so they have it without knowing about it