Not So Mysterious
January 2012 - PitA RACF Consultant
Frustrated with lack of tools
Given talks at: Bsides LV/Austin, Shmoocon, local meetups
RIGHT!
IBM Security Admins' age: 75% are older than 50! The AVERAGE age is 55!
WRONG!
This can happen (in 2011):
- "Can someone tell me how to find the server name from the IP address."
- "I don't think it is possible"
- "You need to implement something to lookup domain names by IP"
- "I only know of FTP, NETSTAT, TELNET & TRACRTE do these not work?"
General TSO
Used to interact with the mainframe
Similar to a shell, like 'bash'
Standard networking commands: FTP, NETSTAT, REXEC
Username max: 7 chars
Password max: 8 chars
With limited characters: A-z, 0-9, #, @ and $
It's a command prompt!
UNIX? In my Mainframe?
But don't forget ISPF: IBM's answer to the GUI
What everyone uses to interact with TSO
Includes file browser & editor
ISPF
SSL: released mid 90s
About half actually use SSL
Default ports: 23 for cleartext, 992 for SSL (or telnets)
RACF'em
Everything security related is in the RACF database
It also stores the password hashes
Super User access is called "SPECIAL" - only a few people need this!
Default User/Pass: IBMUSER/SYS1
Account passwords are 'hashed' with DES: single round, not 3DES
The user ID is the 'salt' (i.e. the text which becomes the cryptogram); the password is the DES key
The password is obfuscated before use as the key by XORing each byte with x'55' and shifting left 1 bit
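Added example, not code from the talk or from John the Ripper: it assembles the two DES inputs the slide describes (padded EBCDIC user ID as the data block, password XORed with x'55' and shifted left as the key) so the scheme can be checked byte by byte. The DES step itself assumes pycryptodome is installed; the input preparation needs only the standard library.

```python
# Added example (not from the talk): builds the DES key and plaintext block
# of the RACF DES password hash. RACF uses the user ID as the data and the
# password as the key; both are folded to upper case and padded with EBCDIC
# spaces (x'40') to 8 bytes. Mixed-case passwords are a later RACF option.


def _ebcdic8(text):
    """Upper-case, pad with spaces to 8 chars, encode as EBCDIC (cp037)."""
    return text.upper().ljust(8)[:8].encode("cp037")


def racf_des_block(userid):
    """The padded EBCDIC user ID is the 'salt': the block that gets encrypted."""
    return _ebcdic8(userid)


def racf_des_key(password):
    """Obfuscate the padded EBCDIC password into the 8-byte DES key:
    each byte is XORed with x'55' and shifted left one bit (top bit drops).
    Note the low bit of every key byte ends up 0; DES ignores that parity
    bit anyway, so the obfuscation adds no strength, it only hides the
    plain EBCDIC password bytes from a casual look at the key."""
    return bytes(((b ^ 0x55) << 1) & 0xFF for b in _ebcdic8(password))


def racf_des_hash(userid, password):
    """8-byte stored hash = DES-ECB(key=obfuscated password, data=user ID).
    Uses pycryptodome (assumed installed) for the single DES round."""
    try:
        from Crypto.Cipher import DES
    except ImportError as exc:
        raise RuntimeError("pycryptodome is needed for the DES step") from exc
    cipher = DES.new(racf_des_key(password), DES.MODE_ECB)
    return cipher.encrypt(racf_des_block(userid))


if __name__ == "__main__":
    # Constructed demo values: the default credentials named on the slide.
    print("block:", racf_des_block("IBMUSER").hex())  # c9c2d4e4e2c5d940
    print("key:  ", racf_des_key("SYS1").hex())       # 6e7a6e482a2a2a2a
    try:
        print("hash: ", racf_des_hash("IBMUSER", "SYS1").hex())
    except RuntimeError as err:
        print(err)
```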
Very easy to find where the database is with the TSO command "RVARY":
Frustrating!
Most tools don't work nor exist
Internet information is out of date
Frameworks don't include z/OS
No Tools!
Turns out
Making tools was easy
Updating tools was easy
Easy things to take advantage of
Older attacks still work!
FTP Bounce by default? WTH?
NMAP Update
Patch to NMAP to Identify z/OS From:
To:
NMAP NSE
First 3270 NMAP script? Takes a screenshot of the mainframe
Ettercap
Ettercap now sniffs TSO logons
racf_fmt_plug.c
Convert with: racf2john
TSO Brute
Python Script using x3270/s3270
Exploits this friendliness: ignores invalid TSO User IDs
Oh my god it's slow
MFSniffer
Python Script using SCAPY
TSO uses same process for logon
Use Ettercap instead
On the Mainframe
z/OS has scripting languages
CLIST - like bash script
REXX - like perl or python
P-REXX
netcat
OMVS:
Linux:
DD Converts
netcat
NetEBCDICat.py
MainTP
FTP Only!
Uses FTP command "site file=JES"
Uploads and executes netcat /bin/sh listener on random port
Connects with NetEBCDICat.py
MainTP (demo)
SHODAN
SHODAN can be used to find IBM MFs
Using search terms like: IBM V5R, IKJ56700A or FTP CS V1R
Use the NSE screen grabber
Hercules emulator lets you create a virtual mainframe on your computer:
Supports z/OS architecture
Still updated/maintained
OpenSource
Special Thanks
Dhiru Kholia (@DhiruKholia) Nigel Pentland (@nigelpentland) PabloDraw Art from sixteencolors.net: 4D, iCe, ACiD, CIA, GRiP, EU, grymmjack, atb, krinkle, RaW, bugflu1d, MiST, Dept 38, LBo... probably more
mfbbs.us:1312
(t) File Transfer
http://mfbbs.us for instructions
BBS: mfbbs.us:1312 (http://mfbbs.us)
Email: mainframed767@gmail.com
Twitter: @mainframed767
Blog: http://mainframed767.tumblr.com
GitHub: https://github.com/mainframed/
IMGUR: http://mainframed767.imgur.com/