Even More Awesome Mainframe Hacking


All credit to @samanL33T for starting the list here.

List of Mainframe Hacking/Pentesting Resources. This list is a collection of resources available online to learn Mainframe Penetration Testing & Security.

Special thanks to @samanL33T, @hacksomeheavymetal, @mainframed767, @bigendiansmalls, @ayoul3__ and many other researchers for all their work in this field.

Contributions are welcome!

Table of Contents

IBM zSeries

Books

Tutorials

Acronyms and Concepts

The complete list of z/OS acronyms

  • Username limited to 7 char length
  • Legacy password policy but YMMV
    • 8 char length restrictions
    • No special chars
  • Master Console
  • Everything on a Mainframe is a JOB managed by JES2 (Job Entry Sub-system)
    • Jobs are submitted to JES
    • JES will queue the job and work on jobs in the order and priority they are assigned
    • JES then takes the output and places it where it belongs
  • Network JOB Entry (NJE) - Can be used to send a JOB or multiple JOBs to a remote Mainframe for processing
    • Runs over TCP/IP
    • "Speaks" NJE Protocol
    • Port 175/TCP or 2252/TCP (TLS)
    • NODE - Name of a remote Mainframe system running NJE
    • RHOST - Remote calling system name
    • OHOST - Current system name
  • External Security Managers (ESMs) - ACL, RBAC, etc
    • TOP-SECRET
    • ACF-2
    • RACF
      • The "racf.db" file stores all password hashes, provides access control and more
      • There are three main security attributes on RACF:
        • Special : can alter RACF rules and access any resource
        • Operations : access all files unless being forbidden from doing so
        • Auditor : access audit trails and manage logging classes
  • CLIST - The equivalent of a scripting language like Python
  • REXX files
    • The equivalent of a scripting language like Python/Ruby
    • REXX Sockets have ASCII translation built in
  • JCL files
    • The equivalent of shell scripts (sort of)
    • You can submit JOBs in JCL over FTP
    • Has a "JOB card" or header and a "PGM" or program to exec
  • TSO - z/OS cli (Linux bash equivalent)
    • Login has a user enumeration flaw via on-screen error messages
    • "Traditional" process accounting
    • CLIST/REXX/JCL scripting
    • OMVS / USS – Unix
    • ISPF - Menu Screens (GUI)
  • LPAR or Logical Partition - Allocation of CPU, disk and memory resources (the z/OS equivalent of VMs) - Each LPAR can run different things, e.g. IBM z/OS (mainframe) or, with z/VM, Linux (RedHat)
  • SYSPLEX - Multiple LPARS (across hardware too)
  • CICS / IMS
    • Transaction Managers
    • CICS is a middleware of sorts
    • If we manage to "exit" the application running on CICS, we can instruct CICS to execute default admin programs (CECI, CEMT, etc.) => rarely secured
  • Applications - Run COBOL, Fortran or Java
  • TN3270/E - 3270 terminal emulation over Telnet
    • Telnet-like protocol introduced in 1971
    • Allowed "green screen" terminals to go over network TCP/IP rather than hardwire
    • Transmits "screens" made up of fields
    • Response submits modified screen & fields
    • Synchronous & Stateful
    • All apps presented in same way – i.e. TSO, CICS, IMS, REXX etc. all use it
    • Emulator client can be modified to reveal HIDDEN/non-display fields and edit PROTECTED fields
  • SNA - Systems Network Architecture
  • VTAM
    • Virtual Telecommunications Access Method Subsystem that implements SNA
    • Multiplexer of sorts
    • Often the first thing you connect to on a mainframe
    • Lets you connect to different applications – Can connect you to other LPARs & sysplexes
    • Uses APPLIDs or "macros"
  • LU / PU - Logical/Physical Unit – Connections to VTAM (wired vs multiplexed) – TN3270 to mainframe usually gives you a LU
  • DATASETS - The "file" z/OS concept
  • PDS or PARTITIONED DATASETS - The "folder" z/OS concept
  • OMVS
    • TSO command that gives you a /bin/sh shell
    • It's a Unix subsystem for network, FTP and web services support
    • You can "su" to root (and run other Unix commands) without a password, if the account is in 'BPX.SUPERUSER'
  • ISPF - Interactive System Productivity Facility
    • TSO command that gives you the Menu screens (GUI)
    • What everyone uses to interact with TSO
    • Includes file browser & editor
  • APF - Programs that are setuid 0
  • TPX - Similar to GNU screen
  • App Creds
    • User enumeration flaws are common
    • Sometimes weaker password policies
  • Other stuff
    • Databases: DB2 & IMS
    • Unix: FTP, HTTP, WebSphere
    • MQ
    • Etc
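The TN3270 item above notes that HIDDEN (non-display) and PROTECTED fields are attributes the emulator is trusted to honour. As an added example, not code from the original list, this Python parser decodes a constructed 3270 Write data stream and recovers each field's attribute byte, showing that "hidden" and "protected" travel in the clear and are enforced only client-side; the helper names (decode_addr, parse_fields, client_enforced_only) and the sample logon screen are assumptions.

```python
import codecs

SBA, SF = 0x11, 0x1D            # Set Buffer Address and Start Field orders
CMD_ERASE_WRITE = 0xF5          # command byte; the WCC byte follows it
COLS = 80                       # model-2 screen geometry (24 x 80)

def decode_addr(b1, b2):
    """Buffer address: 14-bit form if b1's top two bits are 00, else 12-bit."""
    if b1 & 0xC0 == 0:
        return ((b1 & 0x3F) << 8) | b2
    return ((b1 & 0x3F) << 6) | (b2 & 0x3F)

def parse_fields(stream):
    """Return (row, col, protected, hidden, text) for every field on the screen."""
    fields, addr, cur, i = [], 0, None, 2       # skip command byte and WCC
    while i < len(stream):
        b = stream[i]
        if b == SBA:                            # move the buffer address
            addr = decode_addr(stream[i + 1], stream[i + 2]); i += 3
        elif b == SF:                           # attribute byte starts a field
            attr = stream[i + 1]
            cur = {"addr": addr, "prot": bool(attr & 0x20),
                   "hidden": (attr & 0x0C) == 0x0C, "data": bytearray()}
            fields.append(cur); addr += 1; i += 2
        else:                                   # EBCDIC text of the current field
            if cur is not None:
                cur["data"].append(b)
            addr += 1; i += 1
    return [(f["addr"] // COLS, f["addr"] % COLS, f["prot"], f["hidden"],
             codecs.decode(bytes(f["data"]), "cp037").rstrip()) for f in fields]

def client_enforced_only(stream):
    """Fields whose secrecy or integrity rests on the emulator honouring the
    attribute byte: non-display input and protected fields that carry data.
    Server-side logic must re-validate these rather than trust the screen."""
    return [(r, c, "hidden" if h else "protected-with-data")
            for r, c, p, h, t in parse_fields(stream) if h or (p and t)]

# Constructed sample logon screen (hypothetical, not captured from a real system).
def enc(addr):   # 12-bit address; the decoder only needs the low six bits of each byte
    return (0x40 | (addr >> 6) & 0x3F, 0x40 | addr & 0x3F)
def ebc(s):      # EBCDIC (code page 037) text as sent on the wire
    return s.encode("cp037")

SCREEN = bytes([CMD_ERASE_WRITE, 0xC3,
    SBA, *enc(0),   SF, 0x60, *ebc("USERID  ==> "), SF, 0x40, *ebc("IBMUSER "),
    SBA, *enc(80),  SF, 0x60, *ebc("PASSWORD==> "), SF, 0x4C, *ebc("        "),
    SBA, *enc(160), SF, 0x60, *ebc("ACCOUNT ==> "), SF, 0x60, *ebc("ACCT#01")])
```

Calling parse_fields(SCREEN) lists the six fields with their row/column and attributes; client_enforced_only(SCREEN) flags the non-display password field and every protected field that already carries text.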

Reference 1

Reference 2

Typical TCP Ports

  • TN3270
    • 23 - default, often VTAM
    • 992 - default, SSL enabled
    • 1023-x0xx - application environments (direct to CICS/IMS regions)
    • 2323, x023, x992 - other ports to check
  • FTP
    • Provides access to both worlds (TSO & OMVS)
    • Respects wildcards (.RACF.*)
    • Awesome brute forcing point
  • Other
    • DB2 (5023) & MQ (1415)
    • HP/BMC/Tivoli monitoring
    • WebSphere
  • Note: One host can have lots of IPs (Order of 10-20)

Reference (slide 12)

Web-based Thin Client Terminal Emulators

Emulate zOS

zOS booting, logging and working environments

Logging in:

  • On the login screen enter credentials, e.g.:

    login: ibmuser

    pass: sys1 or <empty>

    proc: ISPFPROC|OMVSPROC|IKJACCNT

  • On the welcome screen enter userid and see 2.1., e.g.:

    logon ibmuser

  • In some cases you may need to confirm that you are in VTAM or CICS - run this:

    ibmtest

  • VTAM returns the following alphanumeric sequence:

    IBMECHO ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

Working environments: Depending on the chosen procedure you will end up in one of the following working environments.

  • ISPF: curses-like environment with various panels. Lets you perform various tasks on its own, execute commands in TSO, run utilities installed in z/OS, etc.
  • OMVS: Also known as Unix System Services, a POSIX-compliant Unix that runs within z/OS itself. Similar to other unices. Execute "omvs" in TSO (this may not work if you don't have a pseudo terminal allocated, e.g. when connected via SSH; in that case remove and recreate the symlink in / pointing to dev).
  • TSO: Time Sharing Option is like a login session on Linux. Very basic. You can run various commands and applications, including "omvs" and "ispf". By typing "ishell" you can run the ISPF shell, which allows you to run commands in OMVS.

Basic navigation: In the ISPF-like programs:

  • PF10/PF11 shifts the screen view right/left to see all displayed info
  • PF7/PF8 scrolls the screen view up/down to see all displayed info
  • PA1 - attention key on the virtual keyboard that terminates the execution of the current command in TSO (e.g. when in the '***' prompt).
  • Use "File -> Save screen contents" in x3270 (or similar) to save output from the terminal to a local file
  • You can abbreviate some of the commands, e.g. setropts -> setr, listcat -> listc, etc.

Reference

Top Ten Security Vulnerabilities in zOS Security

  • Excessive Number of User IDs w/No Password Interval
  • Inappropriate Usage of z/OS UNIX Superuser Privilege, UID = 0
  • Data Set Profiles with UACC Greater than READ
  • RACF Database is not Adequately Protected
  • Excessive Access to APF Libraries
  • General Resource Profiles in WARN Mode
  • Production Batch Jobs have Excessive Resource Access
  • Data Set Profiles with UACC of READ
  • Improper Use or Lack of UNIXPRIV Profiles
  • Started Task IDs are not Defined as PROTECTED IDs

Reference

Scripts and Tools

Default Accounts and Transactions

Pentesting

This is a small pentest guide based on my limited experience testing Mainframes and also on several Talks and Presentations available on the Internet, namely the tasks and tools to run for each of the steps listed below, plus some advice.

Mainframes are just computers... costing ungodly prices, with equally ungodly high specs and availability capacity. That said, unless there's something very wrong, it will hold high loads.

As with every typical security assessment, there are always lots of reservations from the teams or person managing the systems. This is especially true with these systems, since they are very expensive and probably handle the most mission-critical operations in the company. Remember to tell them that you are there to help them secure their systems, not to make their lives harder. Respect them and win them over, because they are probably the same age as your father or mother (or even older) ;)

Before starting, ask the Team or Person that manages the Mainframe if there is a TEST or QA LPAR(s) or Sysplex(s) that mirror PROD. It's preferable to test those.

Initial Recon and Gaining Access

First off... without valid credentials not much can be done, so finding valid creds is important, and enumeration is key to obtaining them.

Start with a full TCP port scan with service discovery enabled, e.g.:

nmap -sTV --allports --version-all --version-intensity 9 -p- -v --open -Pn -n mainframe.com -oA mainframe.com

The mainframe can be running web servers (e.g. web-based 3270 clients), so try all the usual web attacks and reverse-engineering (Java applet) shenanigans.

Next take a screenshot of all TN3270-enabled ports. That way you can get an idea of what the Mainframe is exposing without having to manually use a TN3270-enabled terminal like x3270. You can, for example, rapidly spot where TSO is running.

nmap -sV --version-all --version-intensity 9 -v --open -Pn -n -p- --script tn3270-screen mainframe.com

Now try to enumerate VTAM to check if TSO is enabled. Again this is a completely unauthenticated scan. Do a scan per port and use different output folders, so you don't overwrite the output files. Also notice the Nmap script arguments vtam-enum.command and vtam-enum.macros. Sometimes you won't be dropped right into a TSO login screen after connecting to a TN3270 port; you will need to issue a command first to access VTAM. In the examples below I've included some typical commands, but YMMV depending on what you are testing (you might not even be in VTAM, or they may be running CICS). If you can't figure out the command, you can try to ask someone from the mainframe team (I warned you to win them over ;) ).

You can run this with or without an idlist=yourlist.txt

nmap -sV --version-all --version-intensity 9 -v --open -Pn -n -p 23 --script vtam-enum --script-args brute.threads=5,idlist=yourlist.txt,vtam-enum.path="\VTAM-OUT-23\" mainframe.com

nmap -sV --version-all --version-intensity 9 -v --open -Pn -n -p 23 --script vtam-enum --script-args brute.threads=5,idlist=yourlist.txt,vtam-enum.command="tso",vtam-enum.macros=true,vtam-enum.path="\VTAM-OUT-23\" mainframe.com

nmap -sV --version-all --version-intensity 9 -v --open -Pn -n -p 23 --script vtam-enum --script-args brute.threads=5,idlist=yourlist.txt,vtam-enum.command="logon tso",vtam-enum.macros=true,vtam-enum.path="\VTAM-OUT-23\" mainframe.com

nmap -sV --version-all --version-intensity 9 -v --open -Pn -n -p 23 --script vtam-enum --script-args brute.threads=5,idlist=yourlist.txt,vtam-enum.command="exit;logon applid(cicsfake)",vtam-enum.macros=true,vtam-enum.path="\VTAM-OUT-23\" mainframe.com

nmap -sV --version-all --version-intensity 9 -v --open -Pn -n -p 23 --script vtam-enum --script-args brute.threads=5,idlist=yourlist.txt,vtam-enum.command="ibmtest;logon applid(cicsfake)",vtam-enum.macros=true,vtam-enum.path="\VTAM-OUT-23\" mainframe.com

When you finish, check the output files.

Reference

Next step: let's enumerate some TSO Users.

This is a very common issue in TSO because it explicitly indicates in its error messages whether the user exists or not. IBM has issued a fix for this (turn PASSWORDPREPROMPT ON).

nmap -sV --version-all --version-intensity 9 -v --open -Pn -n -p- --script tso-enum --script-args brute.threads=5,userdb=default_tso_accounts.txt,tso-enum.commands="logon applid(tso)" mainframe.com

nmap -sV --version-all --version-intensity 9 -v --open -Pn -n -p 23,992,1023,7023 --script tso-enum --script-args brute.threads=5,userdb=default_tso_accounts.txt mainframe.com

Remember that TN3270 web clients can also be used for this, especially if they mimic the same default behavior of TSO. In that case you can use Burp Suite to perform this as well.

If you can see the error messages being shown and/or found a valid user, well then you probably have your first reportable finding, "Username Enumeration" :)

Reference

CICS Transaction Enumeration

Use the Default CICS Transactions for the Nmap script argument idlist scan parameter.

Brute Force TSO Users Creds

Use the Default Accounts for the Nmap script argument userdb and passdb scan parameter.

Reference

Get creds:

  • Test Default accounts
  • Reuse - If you have creds from, for example, Windows, try them - they could be synced with Active Directory
  • Steal - Phishing, Social Engineering, Check Config Files, Keepass, Confluence, Sharepoint, SMB Shares, Wikis, etc - search for terms associated with Mainframes (TSO, LPAR, CICS, etc)
  • Sniff - MITM TN3270 on port TCP/23 is plain text... yes in 2021.
  • Brute-Force - Be careful doing this because you can lock accounts, depending on the implemented password policy.

So you got some valid creds, but remember when trying to log in that some users might only have access to TSO or Unix, but not both.

Local Recon

[todo]

Privilege Escalation

[todo]

Presentations and Talks

2011

2012

2013

2014

2015

2016

2017

2018

2019

2020

2021

2022

ACF2 Specific references

STIGs

Miscellaneous

AS400 / IBM i Series server / IBM System i

iSeries Books

Tutorials and Checklists

Tools

iSeries Presentations and Talks

Miscellaneous
