Uploaded byPriyanka Aash
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
This document discusses hacking mainframe systems like IBM z/OS. It describes how the speaker was able to gain access to mainframes through methods like credential theft, exploiting vulnerabilities in programs like Tivoli NetView, and escalating privileges using tools to ultimately achieve root access. The speaker demonstrates hacking tools they have created like BIRP, TShocker, and Maintp that can be used to conduct reconnaissance of mainframes and execute code through techniques like FTP.
More Related Content
![[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...](https://cdn.slidesharecdn.com/ss_thumbnails/cb16bohannonen-161109042710-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
![Vibe Coding vs. Spec-Driven Development [Free Meetup]](https://cdn.slidesharecdn.com/ss_thumbnails/vibecodingvsspecdrivendevelopment-251209105622-43f455e7-thumbnail.jpg?width=640&height=640&fit=bounds)
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
- 1. From ROOT to SPECIAL HackingIBM Mainframes Soldier of Fortran @mainframed767
- 2. DISCLAIMER! All research wasdone under personal time. I am not here in the name of, or on behalf of, my employer. Therefore, any views expressed in this talk are my own and not those of my employer. This talk discusses work performed in my spare time generally screwing around with mainframes and thinking 'what if this still works...' @mainframed767
- 3.
- 4.
- 5. Who are you? • Security Guy • Tired of 90’s thinking • Eye opening experience @mainframed767
- 6. PCI Security Expert Mainframe Security Guru ISO 27002 & PCI Certifier “What’s NETSTAT?” -Our Horrible Consultant
- 7.
- 8. z/OS? WTF • Mostpopular “mainframe” OS • Version 2.1 out now! Legacy my ass! @mainframed767
- 9. z/OS Demo • Let’stake a look at this thing • It’ll all make sense @mainframed767
- 10. zOS or PoS? • Hard to tell, identifying sucks • Scanner have “challenges” nmap -sV -p 992 167.xxx.4.2 -Pn @mainframed767
- 11. Nmap 6.40 PORT: 992/tcp STATE:open SERVICE: ssl VERSION: IBM OS/390 @mainframed767
- 12. Nmap 6.46 PORT: 992/tcp STATE:open SERVICE: ssl VERSION: Microsoft IIS SSL @mainframed767
- 14.
- 15. Other Methods • WebServers: IBM HTTP Server V5R3M0
- 16.
- 17. Lets Break in • Steal Credentials • Web Server • 3270 Panels – Usin’ BIRP @mainframed767
- 18.
- 19.
- 20. CGI-Bin in tyool 2014 • REXX / SH still used • Injection simple, if you know TSO commands @mainframed767
- 21.
- 24.
- 25. B.I.R.P. • Big IronRecon & Pwnage – By @singe – HITB 2014 • 3270 is awesome @mainframed767
- 26.
- 27.
- 28. Only FTP? • NoProblem! • FTP lets you run JCL (JCL = Script) • Command: SITE FILE=JES
- 29. Access Granted • Now wehave access • FTP Account • Asking someone Now what? @mainframed767
- 31. Escalate! • Let’s escalate ourprivilege • Connect with telnet/ssh/3270 @mainframed767
- 32. Getroot.rx • rexx script • Leverages CVE-2012-5951: Unspecified vulnerability in IBM Tivoli NetView 1.4, 5.1 through 5.4, and 6.1 on z/OS allows local users to gain privileges by leveraging access to the normal Unix System Services (USS) security level.
- 33. Tsk tsk • IBMnot really being honest here • Works on any setuid REXX script! @mainframed767
- 34.
- 35.
- 36.
- 37. THANKS • Swedish Black Hatcommunity • Oliver Lavery – GDS Security • Logica Breach Investigation Files
- 39. Keep ACCESS • Geta copy of the RACF database • John the Ripper racf2john racf.db john racf_hashes @mainframed767
- 40. Steal • Use IRRDBU00to convert RACF to flat file • Search for SPECIAL accounts • Login with a SPECIAL account @mainframed767
- 41.
- 42. Welcome to OWN zone • SPECIAL gives access to make any change to users • Add Users • Make others SPECIAL, OPERATIONS @mainframed767
- 43. Give r UID0 @mainframed767
- 44.
- 45.
- 46. INETD • Works justlike Linux Kill inetd: - ps –ef|grep inetd - Kill <id> @mainframed767
- 47. Connect with NETEBCDICAT • EBCDIC! @mainframed767 • Use NetEBCDICat
- 48. BPX. Wha? • BPX.SUPERUSER – Allowspeople to su to root without password
- 49. BPX.SUPERUSER • As SPECIALuser type (change userid): PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(USERID) ACCESS(READ) And SETROPTS GENERIC(FACILITY) REFRESH
- 50. Tools • CATSO – TSOBind/Reverse shell • TSHOCKER – Python/JCL/FTP wrapper for CATSO • MainTP – Python/JCL/FTP getroot.rx wrapper @mainframed767
- 52.
- 53. Maintp • Uses GETROOT.rx +JCL and FTP and NetEBCDICat to get a remote root shell @mainframed767
- 55. Thanks • Logica Breach Investigation Team • Dominic White (@singe) • The community
- 56.