Advanced mainframe hacking

VANGUARD SECURITY & COMPLIANCE 2016
Philip Young
ZedSec 390
CST08
Advanced Mainframe
Hacking
SECURITY & COMPLIANCE
CONFERENCE 2016

Disclaimer
I’m not here in the
name of or on behalf of
my employer. All
opinions expressed
here are my own.

Purpose
This session will:
• Go over the tools introduced in
Mondays keynote
• Explain what’s going on behind the
scenes
• Show you how to use the tools

Tools Covered
• Nmap
• Metasploit
• CICSpwn
• ELV.APF

Platform
• Linux (Kali Linux)
• Vmware
• macOS
• VPS

Kali Linux
• A Linux distribution
• Comes pre-loaded with multiple
tools:
• BURP
• Metasploit
• BeeF
• Many more

Nmap
• Created in 1997
• By: Fyodor
• Mostly ‘C’
• Includes Service Detection
• Added Scripting Engine in ‘07

Nmap
• Network MAP
• Uses various techniques to
discover open ports
• E.G. “Syn Scan”

Service Probes
• Identify what is running on a port
• Uses TCP/UDP probes

Nmap Probes
• Use the flag: ‘-sV’
• Null Probe:
Matches data sent to Nmap
• Approx 4,000 ‘Null Probes’
Let’s look at TN3270*:
match tn3270 m|^xffxfdx1d| p/IBM Telnet TN3270/ i/3270-REGIME/
* line 4606 in nmap-service-probes

TN3270 Null Probe
match -> ‘Match the following’
Tn3270 -> ‘with tn3270’

m|^xffxfdx1d|
xffxfdx1d = IAC DO TN3270E

p/IBM Telnet TN3270/ = Set to
‘IBM Telnet…’

Other Probes
• TCP Probes
• Send Data, inspect reply
• For example Network Job Entry
Probe:

NJE Probe
• Sends an invalid NJE ‘OPEN’
packet
• Waits for either ‘ACK’ or ‘NAK’ in
EBCDIC

Nmap Scripting
Engine (NSE)
• Composed of Libraries and scripts
• Over 530 scripts available
• 121 Libraries
• Uses Lua

NSE Categories
AUTH
BROADCAST
BRUTE
DEFAULT
DISCOVERY
DOS
EXPLOIT
EXTERNAL
FUZZER
INTRUSIVE
MALWARE
SAFE
VERSION
VULN

TN3270 NSE Library
• A ‘virtual’ TN3270 terminal written
in Lua
• Available:
https://github.com/
zedsec390/NMAP
• Allows for the following:

Invoke
• To invoke scripts use the flag
--script
( is line continuation in linux)

nmap -sV
--script tn3270-screen

Additional TN3270
Scripts
• VTAM Applid Enumeration
• TSO:
• User ID EnumeraFon
• Password Brute Force
• CICS:
• TransacFon EnumeraFon
• User ID EnumeraFon
• User Password Brute Forcing

TSO User
Enumeration
• Let’s walk through the arguments:
•  Note the Libraries: brute & unpwdb
Argument Deﬁni5on
brute.maxthreads=100
Max number of concurrent
connecFons. Set to 100.
userdb=‘/tmp/users.txt’
File with usernames you want to
test.
tso-enum.commands=‘TSOL5’
The command used to get to
TSO.

CICS Transaction
Enumeration
Argument Deﬁni5on
brute.maxthreads=100
Max number of concurrent
connecFons. Set to 100.
idlist=‘/tmp/users.txt’
File with CICS transacFons you’re
looking for.
cics-enum.commands=‘CICSTS29’
The command used to get to the
CICS region.
cics-enum.path=‘/home/test’
Successfully idenFﬁed
transacFon screenshots will be
placed in this folder.

Metasploit Framework
• Developed by H.D. Moore 2003
• Moved to Ruby in 2007
• Created an easy to use exploit
platform
• Chad Rikansrud
(@bigendiansmalls) add JCL and
z/OS architecture support in 2016

Using MSF
• Run ‘msfconsole’
• To list all exploits: show exploits
• Run the ONLY z/os ‘exploit’
use exploit/mainframe/ftp/ftp_jcl_creds
• Show the options with: show options
• Fill in the options you need
• Select which ‘payload’ you want to use

Set options
• Exploit options:
Op5on Deﬁni5on
FTPUSER User ID to use.
FTPPASS Password to use.
RHOST
FTP Hostname/IP address of
target LPAR
RPORT FTP port (use Nmap)

Metasploit Payload
Options
Now select a payload:
set payload cmd/mainframe/reverse_shell_jcl
Change the payload options:
Op5on Deﬁni5on
LHOST Our Hostname or IP address
LPORT
The port you want metasploit to
open a listener on.

CICSpwn
• Release this year by Ayoul
• Relies on CEMT/CEDA
transaction IDs (for now)
• Uses CEMT to upload and
execute JCL/REXX
• Can be used to assess CICS and
break in to environments
• Requires Python 2.7

Interesting Options
Invoke with: python cicspwn
Flag Deﬁni5on
-i Gather informaFon
-A Test all opFons
-s
Upload JCL to be executed by
CICS user (requires CEMT)
--bypass
Will bypass RACF if CEDA is
available.

Escalation
• So far only network based
• What happens after access is
granted?

Some Ideas
• Storage ‘scrapers’ to gather system
information (think ‘IPLINFO’ but built in to
metasploit)
• Automated APF tools to attempt privilege
escalation through zapping APF
authorized modules
• Data dumping tools to grab all datasets
• SMP/E corruption

Why Not?
• Make your own tools?
I’d prefer the tools come with what
the experts need, so they have it
without knowing about it

Contact:
mainframed767@
gmail.com

@mainframed767

Thank you!
SECURITY & COMPLIANCE
CONFERENCE 2016

Advanced mainframe hacking

More Related Content

What's hot

Similar to Advanced mainframe hacking

Recently uploaded

Advanced mainframe hacking