VANGUARD SECURITY & COMPLIANCE 2016
Philip Young, ZedSec 390
CST08
Advanced Mainframe Hacking
SECURITY & COMPLIANCE CONFERENCE 2016
Disclaimer
I’m not here in the name of or on behalf of my employer. All opinions expressed here are my own.
Purpose
This session will:
• Go over the tools introduced in Monday’s keynote
• Explain what’s going on behind the scenes
• Show you how to use the tools
Kali Linux
• A Linux distribution
• Comes pre-loaded with multiple tools:
  • BURP
  • Metasploit
  • BeeF
  • Many more
Nmap
• Created in 1997
• By: Fyodor
• Mostly ‘C’
• Includes Service Detection
• Added Scripting Engine in ‘07
Nmap
• Network MAP
• Uses various techniques to discover open ports
  • E.G. “SYN Scan”
Service Probes
• Identify what is running on a port
• Uses TCP/UDP probes
Nmap Probes
• Use the flag: ‘-sV’
• Null Probe: Matches data sent to Nmap
• Approx 4,000 ‘Null Probes’
Let’s look at TN3270*:
match tn3270 m|^\xff\xfd\x1d| p/IBM Telnet TN3270/ i/3270-REGIME/
* line 4606 in nmap-service-probes
TN3270 Null Probe
match -> ‘Match the following’
tn3270 -> ‘with tn3270’
m|^\xff\xfd\x1d| -> \xff\xfd\x1d = IAC DO TN3270E
p/IBM Telnet TN3270/ -> Set to ‘IBM Telnet…’
Other Probes
• TCP Probes
• Send Data, inspect reply
• For example Network Job Entry Probe:
NJE Probe
• Sends an invalid NJE ‘OPEN’ packet
• Waits for either ‘ACK’ or ‘NAK’ in EBCDIC
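As an added example (not from the slides and not Nmap's own code), the Python below applies the logic of the TN3270 Null Probe and NJE Probe slides to constructed replies: it parses the quoted match directive the way nmap-service-probes is laid out, decodes the leading telnet negotiation bytes, and checks an NJE answer for an EBCDIC ACK/NAK. The sample banner and NJE reply are constructed, not captured from a real system.

```python
import re
# Telnet command bytes and the option numbers seen in a TN3270 banner.
IAC, WILL, WONT, DO, DONT = 0xFF, 0xFB, 0xFC, 0xFD, 0xFE
TELNET_CMDS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
# 0x1d is option 29, 3270-REGIME (RFC 1041); 0x28 is option 40, TN3270E (RFC 2355).
TELNET_OPTS = {0x18: "TERMINAL-TYPE", 0x1D: "3270-REGIME", 0x28: "TN3270E"}

TN3270_MATCH_LINE = "match tn3270 m|^\\xff\\xfd\\x1d| p/IBM Telnet TN3270/ i/3270-REGIME/"  # quoted from the slide
MATCH_RE = re.compile(r"^match (\S+) m(.)(.*?)\2(.*)$")  # match <svc> m<d>regex<d> fields
FIELD_RE = re.compile(r"\b([pivhod])/([^/]*)/")          # p/product/ i/info/ ...

def parse_match_line(line):
    """Split a 'match' directive into service, compiled regex and version fields."""
    m = MATCH_RE.match(line)
    if not m:
        raise ValueError("not a match directive: %r" % line)
    service, _delim, pattern, fields = m.groups()
    # Compile as a bytes regex: re understands the \xNN escapes the probes file uses.
    return {"service": service,
            "regex": re.compile(pattern.encode("latin-1")),
            "fields": dict(FIELD_RE.findall(fields))}

def match_banner(banner, directive):
    """Return service/product/info for a banner that matches, else None."""
    if not directive["regex"].search(banner):
        return None
    return {"service": directive["service"],
            "product": directive["fields"].get("p", ""),
            "info": directive["fields"].get("i", "")}

def decode_telnet_negotiation(banner):
    """Render the leading IAC sequences as e.g. 'IAC DO 3270-REGIME'."""
    out, i = [], 0
    while i + 2 < len(banner) and banner[i] == IAC:
        cmd = TELNET_CMDS.get(banner[i + 1], "0x%02x" % banner[i + 1])
        opt = TELNET_OPTS.get(banner[i + 2], "option %d" % banner[i + 2])
        out.append("IAC %s %s" % (cmd, opt))
        i += 3
    return out

def classify_nje_reply(reply):
    """NJE answers in EBCDIC, so look for 'ACK'/'NAK' in code page 037, not ASCII."""
    for word in ("ACK", "NAK"):
        if word.encode("cp037") in reply:
            return word
    return None
# Constructed sample replies (not captured from a real system).
TN3270_BANNER = b"\xff\xfd\x1d\xff\xfd\x18"          # IAC DO 3270-REGIME, IAC DO TERMINAL-TYPE
NJE_NAK_REPLY = b"\x00\x01" + "NAK".encode("cp037")  # EBCDIC NAK after two filler bytes
```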
Nmap Scripting Engine (NSE)
• Composed of Libraries and scripts
• Over 530 scripts available
• 121 Libraries
• Uses Lua
NSE Categories
AUTH BROADCAST BRUTE DEFAULT DISCOVERY DOS EXPLOIT
EXTERNAL FUZZER INTRUSIVE MALWARE SAFE VERSION VULN
TN3270 NSE Library
• A ‘virtual’ TN3270 terminal written in Lua
• Available: https://github.com/zedsec390/NMAP
• Allows for the following:
Invoke
• To invoke scripts use the flag --script
(\ is line continuation in Linux)
nmap -sV \
  --script tn3270-screen
Additional TN3270 Scripts
• VTAM Applid Enumeration
• TSO:
  • User ID Enumeration
  • Password Brute Force
• CICS:
  • Transaction Enumeration
  • User ID Enumeration
  • User Password Brute Forcing
TSO User Enumeration
• Let’s walk through the arguments:
• Note the Libraries: brute & unpwdb
Argument                     Definition
brute.maxthreads=100         Max number of concurrent connections. Set to 100.
userdb=‘/tmp/users.txt’      File with usernames you want to test.
tso-enum.commands=‘TSOL5’    The command used to get to TSO.
CICS Transaction Enumeration
Argument                       Definition
brute.maxthreads=100           Max number of concurrent connections. Set to 100.
idlist=‘/tmp/users.txt’        File with CICS transactions you’re looking for.
cics-enum.commands=‘CICSTS29’  The command used to get to the CICS region.
cics-enum.path=‘/home/test’    Successfully identified transaction screenshots will be placed in this folder.
Metasploit Framework
• Developed by H.D. Moore in 2003
• Moved to Ruby in 2007
• Created an easy-to-use exploit platform
• Chad Rikansrud (@bigendiansmalls) added JCL and z/OS architecture support in 2016
Using MSF
• Run ‘msfconsole’
• To list all exploits: show exploits
• Run the ONLY z/OS ‘exploit’: use exploit/mainframe/ftp/ftp_jcl_creds
• Show the options with: show options
• Fill in the options you need
• Select which ‘payload’ you want to use
Set options
• Exploit options:
Option    Definition
FTPUSER   User ID to use.
FTPPASS   Password to use.
RHOST     FTP Hostname/IP address of target LPAR
RPORT     FTP port (use Nmap)
Metasploit Payload Options
Now select a payload:
set payload cmd/mainframe/reverse_shell_jcl
Change the payload options:
Option    Definition
LHOST     Our Hostname or IP address
LPORT     The port you want metasploit to open a listener on.
CICSpwn
• Released this year by Ayoul
• Relies on CEMT/CEDA transaction IDs (for now)
• Uses CEMT to upload and execute JCL/REXX
• Can be used to assess CICS and break in to environments
• Requires Python 2.7
Interesting Options
Invoke with: python cicspwn
Flag       Definition
-i         Gather information
-A         Test all options
-s         Upload JCL to be executed by CICS user (requires CEMT)
--bypass   Will bypass RACF if CEDA is available.
Escalation
• So far only network based
• What happens after access is granted?
Some Ideas
• Storage ‘scrapers’ to gather system information (think ‘IPLINFO’ but built in to metasploit)
• Automated APF tools to attempt privilege escalation through zapping APF authorized modules
• Data dumping tools to grab all datasets
• SMP/E corruption
Why Not?
• Make your own tools? I’d prefer the tools come with what the experts need, so they have it without knowing about it
Contact: [email protected] @mainframed767