
"What the F$#K is That About?"

Not So Mysterious

Who are you again?

About me: Phil aka "Soldier of Fortran"
Always been into mainframes
Since my datapac days (dot dot enter)

January 2012 - PitA RACF Consultant
Frustrated with lack of tools
Given talks at: BSides LV/Austin, Shmoocon, local meetups

But Seriously, WTF

Runs an OS called: z/OS
Current version: z/OS V1R13 (or 1.13) - Released in late 2011!

70% of Fortune 500s run an IBM z/OS mainframe for critical business functions

So what, who cares?

*thanks DICE, SHODAN and Google

But Why should I Care?

Other than the fact that it's the company's key systems
Other than the fact that it's never been under scrutiny
Besides the fact that it manages my pay, flights, debt & Arby's

IBM security admins' age: 75% are older than 50! The average age is 55!

RSH Consulting Survey #014

This can happen (in 2011):
"Can someone tell me how to find the server name from the IP address."
- I don't think it is possible
- You need to implement something to lookup domain names by IP
- I only know of FTP, NETSTAT, TELNET & TRACRTE do these not work?

General TSO
It's a command prompt!
Used to interact with the mainframe
Similar to a shell, like 'bash'
Standard networking commands: FTP, NETSTAT, REXEC
Username max: 7 chars
Password max: 8 chars
With limited characters: A-z, 0-9, #, @ and $

UNIX? In my Mainframe?
It's a UNIX system! I know this!

z/OS comes with UNIX (aka OMVS)
You can su (to root) without a password! If the account is in 'BPX.SUPERUSER'
You can run TSO commands from UNIX / OMVS using /bin/tso

General TSO
But don't forget ISPF: IBM's answer to the GUI
What everyone uses to interact with TSO
Includes file browser & editor


General TSO

TN3270 is the main way to interact with mainframes

Cleartext: In 2013. Yep.

SSL released mid 90s
About half actually use SSL
Default ports: 23 for cleartext, 992 for SSL (or telnets)

'One more Thing'

JOBS: JCL is the equivalent of scripting (sorta)
Programs (or PGM) are called and executed
Best of all: You can submit jobs over FTP!

Everything security related is in the RACF database. It also stores the password hashes
Super User access is called "SPECIAL" - Only a few people need this!
Default User/Pass: IBMUSER/SYS1

Account passwords are 'hashed' with DES, single round, not 3DES
Username is the 'salt' (i.e. the text which becomes a cryptogram)
Obfuscated by XORing with x'55' and shifting left 1 bit
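As an added example (not code from the talk) of the scheme just described: this Python follows the interpretation of it found in John the Ripper's public 'racf' format, assumed here, with the code page name, function names and the SYS1 sample value being my own choices. It shows why the "obfuscation" adds nothing and how small the password space is.

```python
# Added example: how a classic RACF DES password hash is formed, and why it is weak.
# Assumption (not from the talk): layout as in John the Ripper's 'racf' format:
# password -> EBCDIC, space-padded to 8 bytes, each byte XOR 0x55 then shifted
# left one bit = DES key; the user ID (EBCDIC, space-padded) is the plaintext.
import math

try:
    from Crypto.Cipher import DES          # pycryptodome, only needed for racf_hash()
except ImportError:                        # key preparation below needs no crypto lib
    DES = None

EBCDIC = "cp037"                           # IBM EBCDIC code page (US English), assumed


def ebcdic8(text: str) -> bytes:
    """Fold to upper case, encode to EBCDIC and pad with EBCDIC spaces (0x40) to 8 bytes."""
    if len(text) > 8:
        raise ValueError("RACF user IDs and classic passwords are at most 8 bytes")
    return text.upper().encode(EBCDIC).ljust(8, b"\x40")


def racf_des_key(password: str) -> bytes:
    """Turn a password into the 8-byte DES key RACF uses.

    XOR with 0x55 is a fixed, reversible mask: it adds no entropy.  The left shift
    parks each character in the 7 key bits DES actually uses and leaves a zero in
    the ignored parity bit, so the key space is exactly the password space.
    """
    return bytes(((b ^ 0x55) << 1) & 0xFF for b in ebcdic8(password))


def racf_hash(user: str, password: str) -> bytes:
    """Single DES-ECB encryption of the padded user ID under the password key."""
    if DES is None:
        raise RuntimeError("install pycryptodome to compute the DES step")
    return DES.new(racf_des_key(password), DES.MODE_ECB).encrypt(ebcdic8(user))


def effective_keyspace(max_len: int = 8) -> int:
    """Distinct passwords of 1..max_len chars over the TSO charset A-Z, 0-9, #, @, $ (39 symbols)."""
    return sum(39 ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    key = racf_des_key("SYS1")             # constructed sample: the default from the slide
    print("DES key:", key.hex())           # 6e7a6e482a2a2a2a
    print("password space: 2^%.1f" % math.log2(effective_keyspace()))   # about 2^42.3
```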

Very easy to find where the database is with the TSO command "RVARY":

Permission to even read these datasets needs to be limited!

No Tools!
Most tools don't work nor exist
Internet information is out of date
Frameworks don't include z/OS

Turns out
Making tools was easy
Updating tools was easy
Easy things to take advantage of
Older attacks still work!
FTP Bounce by default? WTH?

NMAP Kinda Works

Identifies Mainframes, but...

OS/390 was decommissioned in 2004

NMAP Update
Patch to NMAP to Identify z/OS From:


First 3270 NMAP script? Takes a screenshot of the mainframe


Ettercap now sniffs TSO logons

Thanks to Dhiru Kholia @DhiruKholia

John the Ripper

The tool that started it all!
Thanks to Dhiru Kholia and Nigel Pentland, john supports RACF databases

Convert with: racf2john

The TSO panel is too friendly!
Allowing us to enumerate users
Hardcoded/unconfigurable since the 90s
And yet no support in THC-Hydra or Medusa

TSO Brute
Python script using x3270/s3270
Exploits this friendliness
Oh my god it's slow
Ignores invalid TSO user IDs

TSO Brute
Python script using SCAPY
TSO uses the same process for logon
Use Ettercap instead


On the Mainframe
z/OS has scripting languages
CLIST - like bash script
REXX - like perl or python

P-REXX: A PoC REXX script
Pings a /24 for hosts


Netcat for OMVS
OMVS comes with a C compiler
Compiles with 'make omvs'
Includes the -e flag
One problem: You need OMVS

*sigh* EBCDIC
DD converts

FTP only!
Uses FTP command "site file=JES"
Uploads and executes netcat
/bin/sh listener on random port
Connects with

MainTP (demo)

MainTP (demo)

SHODAN can be used to find IBM MFs
Using search terms like: IBM V5R, IKJ56700A or FTP CS V1R
Use the NSE screen grabber

Hercules emulator lets you create a virtual mainframe on your computer:
Supports z/OS architecture
Still updated/maintained
Open source

Special Thanks
Dhiru Kholia (@DhiruKholia) Nigel Pentland (@nigelpentland) PabloDraw Art from 4D, iCe, ACiD, CIA, GRiP, EU, grymmjack, atb, krinkle, RaW, bugflu1d, MiST, Dept 38, LBo... probably more

All Files available on my BBS:
(t) File Transfer for instructions

BBS: ( Email: Twitter: @mainframed767 Blog: GitHub: IMGUR: