VANGUARD SECURITY & COMPLIANCE 2016

Philip Young Zed Sec 390

Session #1

The Current State of Mainframe Hacking

SECURITY & COMPLIANCE CONFERENCE 2016

VANGUARD SECURITY & COMPLIANCE 2016

DISCLAIMER

I’m not here in the name of or on behalf of my employer. All opinions expressed here are my own.

VANGUARD SECURITY & COMPLIANCE 2016

VANGUARD SECURITY & COMPLIANCE 2016

VANGUARD SECURITY & COMPLIANCE 2016

VANGUARD SECURITY & COMPLIANCE 2016

Question

Who here has seen my previous talks?

VANGUARD SECURITY & COMPLIANCE 2016

The Un-hackable?

VANGUARD SECURITY & COMPLIANCE 2016

Word on the Street

• I’ve heard all kinds of reasons why mainframes are “Un-hackable”

• Let’s walk through some of them now

“It’s not on the internet”

VANGUARD SECURITY & COMPLIANCE 2016

“It’s not on the internet”

• 2013 Started “finding” mainframes on the internet

• Using tools called masscan, nmap and x3270

• Various techniques found: 458

Welp

“Well, the ESM is impenetrable”

VANGUARD SECURITY & COMPLIANCE 2016

the ESM is impenetrable!

• This is true! • Lot’sof(memoneyandtes(nginvestedin‘hackproofing’ACF2,RACF,TopSecret

• Other impenetrable Security Products • MicrosoBAc(veDirectory• SELinux

VANGUARD SECURITY & COMPLIANCE 2016

the ESM is impenetrable!

• Misses the point

• Organic growth over decades

• I only need 1 malformed entitlement out of 600,000+

“You can’t just download a mainframe file and read it!”

VANGUARD SECURITY & COMPLIANCE 2016

Reading EBCDIC

• EBCDIC is easy to read with python!

print ’"%s"' % d.decode('EBCDIC-CP-BE').encode('ascii')

• Multiple tools exist to read XMI files, find strings in large files and decode EBCDIC.

• Fixed length makes this even easier

“IBM doesn’t publish vulnerabilities”

http://seclists.org/fulldisclosure/2016/Oct/43

VANGUARD SECURITY & COMPLIANCE 2016

Vulnerabilities

• This doesn’t make it safer.

• Please sign up for the IBM Security Portal

• I can understand IBMs position

“There’s never been a successful hack”

VANGUARD SECURITY & COMPLIANCE 2016

Stole

• $6,000 • Entire ‘social security’ database • Witness protection DB • Federal Tax source code

http://bit.ly/zbreach

Current State

VANGUARD SECURITY & COMPLIANCE 2016

New Tools!

• Network Job Entry Testing • Nmap (VTAM, TSO, CICS) • Metasploit • CICSpwn

VANGUARD SECURITY & COMPLIANCE 2016

Network Job Entry

• Used all over the world

• Facilitates management of different LPARs

• Allows transferring files, JCL

VANGUARD SECURITY & COMPLIANCE 2016

Configuration

• Declare ‘nodes’ in SYS1.PARMLIB(JES2PARM)

• Start NJE • Connect two systems together • Default port 175 • More Info: POC||GTFO #12

VANGUARD SECURITY & COMPLIANCE 2016

Attacking

• Identify port

• Identify OHOST/RHOST

• Emulate

VANGUARD SECURITY & COMPLIANCE 2016

Nmap Additions

• Service Identification • TN3270 Library:

• VTAMApplica(onEnumera(on• CICSTransac(onIDEnumera(on• TSOUserEnumera(on/Bruteforce• CICSUserEnumera(on(ACF2/TSS/RACF!)

VANGUARD SECURITY & COMPLIANCE 2016

Nmap TN3270 Library

• Nmap has a very powerful scripting engine • Uses LUA and custom libraries • Created a TN3270 emulator in LUA • Created it in to a library for Nmap • Opens up multiple possibilities!!

VANGUARD SECURITY & COMPLIANCE 2016

VTAM Enumeration

• VTAM allows a few commands: IBMTEST LOGON LOGOFF

VANGUARD SECURITY & COMPLIANCE 2016

CICS Transaction ID

• Using the same technique:

VANGUARD SECURITY & COMPLIANCE 2016

TSO User Enumeration

• TSO logon process allows for user enumeration

• Very slow by hand • Automate with Nmap!

VANGUARD SECURITY & COMPLIANCE 2016

TSO User Enumeration

• IBM has issued a fix!

• Turn PASSWORDPREPROMPT ON

• I’ve heard ACF2 and TopSecret have also resolved this!

VANGUARD SECURITY & COMPLIANCE 2016

CICS User Enumeration

• CICS logon process has same issue

• All three SAFs affected: • RACF• ACF2• TopSecret

VANGUARD SECURITY & COMPLIANCE 2016

Metasploit

• Used for penetration testing • Helps with centralized exploit management

• JCL libraries and first ‘exploit’ added to metasploit this year!

Source: http://securityweekly.com/2015/08/26/episode-431-interview-with-phil-young-and-chad-rikansrud/

Source:h*ps://github.com/rapid7/metasploit-framework/pull/6834

VANGUARD SECURITY & COMPLIANCE 2016

Chad Rikansrud

• Added support for FTP + JCL execution to Metasploit

• Added JCL library to Metasploit • Currently working on TN3270 library

VANGUARD SECURITY & COMPLIANCE 2016

CICSpwn

• New Tool!

• Python tool for attacking CICS

What Can I Do?

VANGUARD SECURITY & COMPLIANCE 2016

Hardest Challenges

• Compliance

• Secure Coding Guidelines

• Attack correlation

VANGUARD SECURITY & COMPLIANCE 2016

Compliance

• No clear industry best practice

• What does exist may be old and not inclusive

• Security Requirements written by non experts

VANGUARD SECURITY & COMPLIANCE 2016

Compliance

• Base yours on best practice •  Redbooks–all11kpages•  DoDDISASTIG

• Continuous Assessments •  Ensureaccidents/maliciousac(vi(esaredetected•  Appeasesauditors/audits

• Use available tools

VANGUARD SECURITY & COMPLIANCE 2016

Secure Coding

• Rare for widely used languages • PL/I• REXX• COBOL• HLASM

• Despite vulnerabilities existing!

VANGUARD SECURITY & COMPLIANCE 2016

Logging / Monitoring

• Export the logs • Real time monitoring a MUST! • Current monitoring process vs. Open Systems

• Use available tools!

VANGUARD SECURITY & COMPLIANCE 2016

Develop with me!

• New Tools and Techniques • New Best Practice • Better Audit Guides • Better Tutorials

VANGUARD SECURITY & COMPLIANCE 2016

Contact

• Twitter: @mainframed767 • Email: mainframed767@gmail.com • More Talks:

• VanguardSessionCST08• SHARESanJose

VANGUARD SECURITY & COMPLIANCE 2016

Thank you!

SECURITY & COMPLIANCE CONFERENCE 2016