Philip Young - The Current State of Mainframe Hacking - Vanguard - 101016
VANGUARD SECURITY & COMPLIANCE 2016
Philip Young Zed Sec 390
Session #1
The Current State of Mainframe Hacking
SECURITY & COMPLIANCE CONFERENCE 2016
DISCLAIMER
I’m not here in the name of or on behalf of my employer. All opinions expressed here are my own.
Question
Who here has seen my previous talks?
The Un-hackable?
Word on the Street
• I’ve heard all kinds of reasons why mainframes are “Un-hackable”
• Let’s walk through some of them now
“It’s not on the internet”
“It’s not on the internet”
• 2013: started "finding" mainframes on the internet
• Using tools called masscan, nmap and x3270
• Found 458 using various techniques
Welp
“Well, the ESM is impenetrable”
the ESM is impenetrable!
• This is true!
• Lots of time, money and testing invested in "hack-proofing" ACF2, RACF and Top Secret
• Other impenetrable security products: Microsoft Active Directory, SELinux
the ESM is impenetrable!
• Misses the point
• Organic growth over decades
• I only need 1 malformed entitlement out of 600,000+
“You can’t just download a mainframe file and read it!”
Reading EBCDIC
• EBCDIC is easy to read with Python:
    print('"%s"' % d.decode('EBCDIC-CP-BE'))  # d is the raw bytes; EBCDIC-CP-BE is Python's alias for cp500, US systems mostly use cp037
• Multiple tools exist to read XMI files, find strings in large files and decode EBCDIC.
• Fixed record lengths make this even easier
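The one-liner above, carried through to something you can point at a downloaded dataset: a fixed-length record reader and an EBCDIC "strings" pass for files where the record length is unknown. This is an added example, not code from the talk. The sample dataset is constructed inline (three JCL-style card images padded to LRECL=80) and the code page is an assumption; cp037 is the usual US page, the slide's EBCDIC-CP-BE is cp500, and you should use whatever the source system actually runs.

```python
import re

# Assumptions for this added example: RECFM=F records of LRECL=80 (card images) in
# the US code page cp037. The slide's 'EBCDIC-CP-BE' is Python's alias for cp500;
# pass the code page your site actually uses.
LRECL = 80
CODEPAGE = "cp037"

# Constructed sample records (not taken from any real system).
SAMPLE_LINES = (
    "//PHILJOB  JOB (ACCT),'PHIL',CLASS=A,MSGCLASS=X",
    "//STEP1    EXEC PGM=IEFBR14",
    "//*  constructed sample dataset for the EBCDIC reader",
)


def build_sample_dataset(lines=SAMPLE_LINES, lrecl=LRECL, codepage=CODEPAGE) -> bytes:
    """Pad each line to the record length with spaces (EBCDIC 0x40) and concatenate,
    which is what a downloaded RECFM=F dataset looks like on disk."""
    for line in lines:
        if len(line) > lrecl:
            raise ValueError("line longer than LRECL: %r" % line)
    return b"".join(line.ljust(lrecl).encode(codepage) for line in lines)


def ebcdic_records(data: bytes, lrecl=LRECL, codepage=CODEPAGE) -> list:
    """Slice a fixed-length dataset image into records and decode each one.
    Trailing pad spaces are stripped. A short final record is kept rather than
    dropped, so a truncated download is visible instead of silently lost."""
    return [data[off:off + lrecl].decode(codepage).rstrip()
            for off in range(0, len(data), lrecl)]


def ebcdic_strings(data: bytes, min_len=4, codepage=CODEPAGE) -> list:
    """strings(1) for EBCDIC: decode the whole blob (every byte maps to some code
    point in a single-byte EBCDIC page, so nothing is lost) and return runs of
    printable ASCII at least min_len long. This is the tool for VB datasets, load
    modules and XMI files, where fixed-length slicing does not apply."""
    text = data.decode(codepage, errors="replace")
    return re.findall(r"[ -~]{%d,}" % min_len, text)


if __name__ == "__main__":
    image = build_sample_dataset()
    for rec in ebcdic_records(image):
        print('"%s"' % rec)
    # The same data wrapped in binary junk, as a strings pass would see it.
    print(ebcdic_strings(b"\x00\x01\x02" + image + b"\xff\xfe"))
```

Decoding with the wrong code page mostly garbles punctuation (brackets, the not-sign, the cent sign) rather than letters and digits, so if a decoded JCL deck looks right except for odd symbols, try cp037, cp500 and cp1047 before assuming the file is damaged.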
“IBM doesn’t publish vulnerabilities”
http://seclists.org/fulldisclosure/2016/Oct/43
Vulnerabilities
• This doesn’t make it safer.
• Please sign up for the IBM Security Portal
• I can understand IBM's position
“There’s never been a successful hack”
Stole
• $6,000
• Entire 'social security' database
• Witness protection DB
• Federal Tax source code
http://bit.ly/zbreach
Current State
New Tools!
• Network Job Entry testing
• Nmap (VTAM, TSO, CICS)
• Metasploit
• CICSpwn
Network Job Entry
• Used all over the world
• Facilitates management of different LPARs
• Allows transferring files, JCL
Configuration
• Declare 'nodes' in SYS1.PARMLIB(JES2PARM)
• Start NJE
• Connect two systems together
• Default port 175
• More info: POC||GTFO #12
Attacking
• Identify port
• Identify OHOST/RHOST
• Emulate
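The three steps above in code: once the port is known, the opening exchange over TCP/IP NJE is a 33-byte control record in which OHOST is the node name the sender claims for itself and RHOST is the node it is talking to; the listener answers ACK or NAK, and that difference is what lets you confirm the target's node name and find which OHOST names it trusts. This is an added example, not the talk's code or the nmap library. The record layout follows IBM's "Network Job Entry Formats and Protocols" manual (TYPE, RHOST, RIP, OHOST, OIP, reason) and should be checked against your release; the code page, the node names, the simulated listener and its reason code are constructed for the example so it runs offline.

```python
import ipaddress
import struct

# Added example, not the talk's code. The EBCDIC code page for node names is an
# assumption (cp037; check the target). The 33-byte TCP/IP control record layout
# follows IBM's "Network Job Entry Formats and Protocols" manual, verify against
# your release:  TYPE(8) 'OPEN'/'ACK'/'NAK'  RHOST(8) RIP(4)  OHOST(8) OIP(4)  R(1)
CODEPAGE = "cp037"
RECORD_FMT = ">8s8s4s8s4sB"
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 33


def _node(name: str) -> bytes:
    """NJE node names are 1-8 upper-case characters, space padded, in EBCDIC."""
    if not 1 <= len(name) <= 8 or name != name.upper():
        raise ValueError("bad NJE node name: %r" % name)
    return name.ljust(8).encode(CODEPAGE)


def build_control(rtype: str, rhost: str, rip: str, ohost: str, oip: str,
                  reason: int = 0) -> bytes:
    """Build an OPEN/ACK/NAK record. OHOST/OIP describe the sender, RHOST/RIP the peer."""
    if rtype not in ("OPEN", "ACK", "NAK"):
        raise ValueError("bad control record type: %r" % rtype)
    return struct.pack(RECORD_FMT,
                       rtype.ljust(8).encode(CODEPAGE),
                       _node(rhost), ipaddress.IPv4Address(rip).packed,
                       _node(ohost), ipaddress.IPv4Address(oip).packed,
                       reason)


def parse_control(raw: bytes) -> dict:
    """Decode a control record back into its fields; the length is checked first."""
    if len(raw) != RECORD_LEN:
        raise ValueError("control record must be %d bytes, got %d" % (RECORD_LEN, len(raw)))
    rtype, rhost, rip, ohost, oip, reason = struct.unpack(RECORD_FMT, raw)
    return {
        "type": rtype.decode(CODEPAGE).rstrip(),
        "rhost": rhost.decode(CODEPAGE).rstrip(),
        "rip": str(ipaddress.IPv4Address(rip)),
        "ohost": ohost.decode(CODEPAGE).rstrip(),
        "oip": str(ipaddress.IPv4Address(oip)),
        "reason": reason,
    }


# Constructed stand-in for the target's NJE listener so the exchange runs offline.
# The node names and reason code 1 are made up; a real JES2 answers from its
# JES2PARM NODE/LINE definitions and uses its own reason codes.
DEFINED_NODES = {"PROD", "DEV1"}


def simulated_listener(raw: bytes, my_node: str = "PROD") -> bytes:
    req = parse_control(raw)
    ok = (req["type"] == "OPEN" and req["rhost"] == my_node
          and req["ohost"] in DEFINED_NODES)
    # The reply swaps roles: the listener is now the originator, the caller the remote.
    return build_control("ACK" if ok else "NAK",
                         req["ohost"], req["oip"], my_node, req["rip"],
                         reason=0 if ok else 1)


def enumerate_nodes(candidates, target_node, target_ip, my_ip, send=simulated_listener):
    """Offer each candidate as our OHOST and keep the names the target ACKs.
    Replace `send` with a socket round-trip to port 175 to run it against a lab LPAR."""
    found = []
    for name in candidates:
        reply = parse_control(send(build_control("OPEN", target_node, target_ip, name, my_ip)))
        if reply["type"] == "ACK":
            found.append(name)
    return found


if __name__ == "__main__":
    print(enumerate_nodes(["TEST", "DEV1", "NJE1", "PROD"], "PROD", "10.0.0.1", "10.0.0.2"))
```

The defensive reading of the same code: the node-name check is the only thing standing between an anonymous TCP client and the signon stage, so JES2PARM node definitions with no password, or with the default password, turn OHOST guessing into a full NJE connection.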
Nmap Additions
• Service identification
• TN3270 library
• VTAM application enumeration
• CICS transaction ID enumeration
• TSO user enumeration / brute force
• CICS user enumeration (ACF2 / TSS / RACF!)
Nmap TN3270 Library
• Nmap has a very powerful scripting engine
• Uses Lua and custom libraries
• Created a TN3270 emulator in Lua
• Turned it into a library for Nmap
• Opens up multiple possibilities!!
VTAM Enumeration
• VTAM allows a few commands: IBMTEST, LOGON, LOGOFF
CICS Transaction ID
• Using the same technique:
TSO User Enumeration
• TSO logon process allows for user enumeration
• Very slow by hand
• Automate with Nmap!
TSO User Enumeration
• IBM has issued a fix!
• Set PASSWORDPREPROMPT(ON) on the LOGON statement in SYS1.PARMLIB(IKJTSOxx), then activate it with the TSO PARMLIB UPDATE(xx) command; the logon panel then asks for the password before it reveals whether the user ID exists
• I've heard ACF2 and Top Secret have also resolved this!
CICS User Enumeration
• CICS logon process has same issue
• All three ESMs (SAF products) affected: RACF, ACF2, Top Secret
Metasploit
• Used for penetration testing
• Helps with centralized exploit management
• JCL libraries and first 'exploit' added to Metasploit this year!
Source: http://securityweekly.com/2015/08/26/episode-431-interview-with-phil-young-and-chad-rikansrud/
Source: https://github.com/rapid7/metasploit-framework/pull/6834
Chad Rikansrud
• Added support for FTP + JCL execution to Metasploit
• Added JCL library to Metasploit
• Currently working on TN3270 library
CICSpwn
• New Tool!
• Python tool for attacking CICS
What Can I Do?
Hardest Challenges
• Compliance
• Secure Coding Guidelines
• Attack correlation
Compliance
• No clear industry best practice
• What does exist may be old and not inclusive
• Security requirements written by non-experts
Compliance
• Base yours on best practice: the Redbooks (all 11k pages), the DoD DISA STIG
• Continuous assessments: ensure accidents and malicious activities are detected; appeases auditors/audits
• Use available tools
Secure Coding
• Rare for widely used mainframe languages: PL/I, REXX, COBOL, HLASM
• Despite vulnerabilities existing!
Logging / Monitoring
• Export the logs
• Real-time monitoring is a MUST!
• Current monitoring process vs. open systems
• Use available tools!
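What real-time monitoring of the exported logs has to catch, given the TSO and CICS enumeration described earlier: one source probing many user IDs that come back undefined, and one source hammering a single ID with bad passwords. This is an added example, not from the talk. The input is a constructed, already-normalised logon-failure feed (timestamp, source, user ID, result per line) of the kind a SIEM holds after ingesting the TSO/RACF failure messages; the field names and the thresholds are assumptions to tune per site.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not the talk's code. The log format is constructed: a normalised
# logon-failure feed (one event per line) as you would have after exporting the
# system's logon messages to a SIEM. Thresholds are assumptions to tune per site.
WINDOW = timedelta(minutes=5)
ENUM_DISTINCT_USERS = 5     # distinct undefined IDs from one source inside WINDOW
BRUTE_FAILURES = 5          # bad passwords for one ID from one source inside WINDOW

# Constructed sample feed, not from any real system.
SAMPLE_LOG = """\
2016-10-10T09:00:01 src=10.1.2.3 user=AAAAAAA result=NOT_DEFINED
2016-10-10T09:00:02 src=10.1.2.3 user=ADMIN01 result=NOT_DEFINED
2016-10-10T09:00:03 src=10.1.2.3 user=IBMUSER result=INVALID_PASSWORD
2016-10-10T09:00:04 src=10.1.2.3 user=OPER1 result=NOT_DEFINED
2016-10-10T09:00:05 src=10.1.2.3 user=SYSPROG result=NOT_DEFINED
2016-10-10T09:00:06 src=10.1.2.3 user=PHIL result=NOT_DEFINED
2016-10-10T09:00:07 src=10.1.2.3 user=CHAD result=NOT_DEFINED
2016-10-10T09:01:00 src=10.9.9.9 user=IBMUSER result=INVALID_PASSWORD
2016-10-10T09:01:10 src=10.9.9.9 user=IBMUSER result=INVALID_PASSWORD
2016-10-10T09:01:20 src=10.9.9.9 user=IBMUSER result=INVALID_PASSWORD
2016-10-10T09:01:30 src=10.9.9.9 user=IBMUSER result=INVALID_PASSWORD
2016-10-10T09:01:40 src=10.9.9.9 user=IBMUSER result=INVALID_PASSWORD
2016-10-10T09:20:00 src=10.5.5.5 user=OPER1 result=INVALID_PASSWORD
2016-10-10T09:20:30 src=10.5.5.5 user=OPER1 result=SUCCESS
"""


def parse_event(line: str) -> dict:
    """One 'ts key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *kv = line.split()
    ev = dict(part.split("=", 1) for part in kv)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def detect(lines, window=WINDOW, enum_n=ENUM_DISTINCT_USERS, brute_n=BRUTE_FAILURES) -> list:
    """Sliding-window correlation over an ordered feed. Alerts once per source when it
    probes enum_n distinct undefined IDs (user enumeration) and once per (source, ID)
    when brute_n bad passwords land inside the window (brute force)."""
    unknown = defaultdict(deque)   # src -> deque of (ts, user) for NOT_DEFINED
    badpw = defaultdict(deque)     # (src, user) -> deque of ts for INVALID_PASSWORD
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        ts, src, user = ev["ts"], ev["src"], ev["user"]
        if ev["result"] == "NOT_DEFINED":
            q = unknown[src]
            q.append((ts, user))
            while q and ts - q[0][0] > window:     # expire events older than the window
                q.popleft()
            distinct = {u for _, u in q}
            if len(distinct) >= enum_n and ("enum", src) not in alerted:
                alerted.add(("enum", src))
                alerts.append(("USER_ENUMERATION", src, sorted(distinct)))
        elif ev["result"] == "INVALID_PASSWORD":
            q = badpw[(src, user)]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= brute_n and ("brute", src, user) not in alerted:
                alerted.add(("brute", src, user))
                alerts.append(("PASSWORD_BRUTE_FORCE", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The enumeration rule keys on distinct user IDs rather than raw failure counts, because the scan on the earlier slides tries each ID exactly once; a plain failure-count threshold would miss it until the list is long and would fire on a single user mistyping a password.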
Develop with me!
• New tools and techniques
• New best practice
• Better audit guides
• Better tutorials
Contact
• Twitter: @mainframed767
• Email: [email protected]
• More talks: Vanguard Session CST08, SHARE San Jose
Thank you!