All right. Hello everyone. This is Phil. He is new to San Diego and this is his first ToorCon. I'll let him take it away.

All right. Thank you. Good morning. Oh, nice. All right. So before I get started, I always have to cover this: I'm not here representing my employer. The other disclaimer that I don't put up is that I'm going to start shoveling information about mainframes at your brain. It's going to feel rough. Just come talk to me after the talk if you have questions. All right. Okay, I only got 25 minutes. Here we go.

So my name, so he introduced me as Phil. My name is Soldier of FORTRAN on Twitter. Thank you. One fan, nice. So I'm a mainframe hacker, a mainframe security researcher for a large bank. I contribute to a lot of open source projects. I've contributed to KDE and Metasploit and many more; all my code is open source, stuff like that. I've briefly been investigated by the Swedish secret police. Cool, not terrifying, not scary at all. And I'm a serial speaker. So I spoke at ShmooCon earlier this year about a buffer overflow, written in C, that runs in Unix on a mainframe, written by a Swedish hacker, hence why I was under investigation, because it wasn't me. That's all available online; feel free to watch it. I also gave a talk about, so mainframers like to post stuff on mailing lists, and so we took all the things they talked about since, like, 1983 and we threw it all into a database, and I made a web interface so I can search for, like, I wonder what the TCP/IP config for a bank looks like. So, fun stuff. Oh, no one can see that. I want to kind of zoom in. Oh boy, this is going to be hard to do. Oh, here we go. Oh, there we go. Okay, cool. All right. Oh, that California bank. Oh, dang. All right. I also spoke at ShellCon. Who here saw my ShellCon talk? Like one, nice, one person. Good. I'm not talking about any of that crap in this talk.
I also teach a class called Evil Mainframe, where we teach all the mainframe pentesty type stuff. It's a little intense. It's the only mainframe CTF in the world that we're aware of. So we actually found a person that teaches a class in Spain, but we're not sure what's going on there. Anyways, I also run a program called the Imp which finds mainframes on the internet. Sticker to the first person who can yell out the TLD for this mainframe. It's early, but come on. Dot mil. Who said dot mil? Someone over here said dot mil first. Definitely dot mil. Alrighty. And it's more scary to be up here talking than it is to do this, anyways.

So a little bit about mainframes. So who here has, like, touched a mainframe? Like physically gone up and touched the fridge-sized giant? Because it's the size of, like, a giant commercial fridge. Who here, so who here knows how many mainframe vulnerabilities there are publicly listed on MITRE? Yeah, I do know how many. Wrong, it's two. The answer he tried was zero. So there's two exploits, and it was because the Swedish government forced IBM to release them publicly. And the way they did it was stupid. They said it's not the mainframe OS, it's actually this other application, though we're pushing a kernel update. Right, so don't worry about it. Don't worry.

Anyways, I'm not going to cover TSO. I've talked about TSO at length so many times it's not even funny. You can watch any of those talks; they're all on YouTube. I'm not going to talk about RACF. There's better talks I've given about RACF. Just know that RACF is the security database, right? So sort of like how a database or Oracle product might have a database, RACF is your security database, and it says you have access to this, you don't have access to that. And memory, I'm not going to talk about memory in this talk. I am going to cover these things: datasets, CICS, JCL, and Unix. Let's get started. So CICS. So datasets. These are what files are on the mainframe.
You have 44 characters max, eight characters between the dots. That's it, the dots. It's not a hierarchical file system. It is a flat file system. So when you see, like, something dot something dot something, if I delete this file, the rest remain. They don't go away; they just stick around. It's flat. The same thing happens for rules. If I have a specific rule that says do not allow anyone access to TOORCON.COOL but I don't have explicit rules, you have generic rules; but if I have a specific rule and I don't have any rules that cover the other two, I can access those files. All right, that's datasets. So here we go. We delete the file. They stick around, because that's how the file system is.

Now jobs, JCL. The mainframe is a batch-driven operating system. So that means everything is done via batch. So JCL. You have to learn JCL to use a mainframe, and it looks like this. So it looks like garbage. The person who invented it says it's garbage. There's a whole talk at the Computer History Museum where he goes "it sucks." He doesn't even like it. But it's basically, these are just like when you're writing a bash script, that's all they are, right? You have standard in, standard out, all kinds of things. Every program you call has, like, flags, and you just declare them in your JCL. It's not that much more. It's just different, right? It's not bad. It's just different.

Okay, CICS. Who here's used CICS? One person, two, three. Wrong, you've all used CICS. You just don't know. Who here has flown in a plane ever? Right, that is mostly driven by CICS-based interfaces, though you wouldn't know it. It has JSON, it has web-based interfaces, it has all kinds of cool modern things, though you wouldn't know, because everyone thinks it's all COBOL and old and, like, cobwebs and unusable. The reality is, things like the Delta outage were caused because something couldn't talk to the Delta mainframe, not that the mainframe was down. Okay. So it's made up.
So when I talk about CICS, I usually, and mainframers say this, I call it, it's like the first web app. It's like the first web app server. So basically you have this thing called a region, because this is before servers existed as a concept. So you have a region, a CICS region, and each region will have multiple transactions, which are like URLs. That's it. That's all. And it looks like this. It's not, it's CICS. All right, languages. It's got so many languages. It's got all of them, all the cool ones. Like, unlike Linux with Go and other garbage, it's got all the good ones, and way more than that. Like, I'm not talking like RPG, PL/I, there's all kinds of stuff. All right.

Now Unix. This is usually a part of this whole, the rest of the talk's going to be about Unix stuff and doing Unixy things, because I find that that's the gateway drug to mainframe hacking. So it's Unix. It's literally just Unix. The problem is it's just POSIX Unix. It doesn't come with bash, doesn't come with any modern conveniences, and it comes with a vi, but, like, the operating system just came out with an update this year and vi is still not interactive. Like, I'll delete a line and then I got, like, I gotta hit escape, hit a semicolon, then it will update the screen. Okay, it's super old, but it works. And you can actually install bash, but the version of bash is still vulnerable to Shellshock, so we don't do that. But Unix powers the TCP/IP stack for the entire mainframe. That's what you need to know. As well, it's like literally just Unix. It's just Unix.

So here's what's really cool. So the file system itself is actually just datasets that exist on the mainframe. But the mount command, where you'd normally do, like, mount and you show all the mount points, doesn't work. But you can use df to show the mount points. So when you run df it looks like this. So you get, like, a dataset. This is important later. I'm talking about cool tools that we've both, that we've released, and new research already.
So real quick, /hackers is mounted to USER.UNIX.H. That's the file that contains the file system that Unix uses. Everyone following along? All right.

Okay, so first. One of the challenges is that there's no enumeration tools available for the mainframe, and I'm slowly working my way in eliminating that gap. One of them I just released literally last week is on vs enum.sh. It's based heavily on LinEnum and, like, Linux privilege suggester, exploit suggester, sort of merged together. It works. I was just testing on a system recently; it ran for six hours and it gave me a ton of information. It is loud. It will generate errors. It'll generate access errors, but nobody's watching, especially because no one's forwarding their Unix. So Unix has its own syslog and no one forwards it to Splunk. If you look up the Logica breach case, they are actually forwarding their syslog to /tmp, and then they had, "oh, we got a hacker," and then they rebooted, and then they lost their logs. So it's, but it's literally, it's meant to be familiar. It's supposed to look like LinEnum so you can go through the data and you can look at files, and then you can be like, what the heck is a +a on a file, and you can dig up what that means.

Net EBCDIC Cat I rewrote in Python 3 so that it supports code pages. EBCDIC sucks, and it has multiple international code pages, and if you get a reverse shell that's EBCDIC you need a way to talk to it. So I wrote Net EBCDIC Cat. And then catmap 3, so this is a really cool tool. It goes through and tells you every single dataset on the system and your access to that dataset. And I wrote it, and sometimes you get, like, a 400 meg file of just datasets and access rights, so I wrote it so it pipes it out to a shell. So here we go. So I'm going to have a netcat listener running, just a normal netcat, not EBCDIC netcat, just a regular netcat, because that's not a thing. I'm going to run.
I'm going to call this program, I'm going to compile it. There's instructions how to do that. I'm going to run the program. It's going to run, and I'm going to get to see the entire, it's basically like a find / -exec ls -l on every single file. That's it. That's how long it took. That's the entire file system and all my access rights to it. Okay.

Now remember, Unix is based on datasets, right? It's based on, so by default, when you run the mount command, there's certain permissions that have to be set, and sometimes they're, normally they're set improperly, because everyone ignores Unix in the mainframe space. So if you can mount, if you type mount space a dataset and it just mounts, then that means you can have setuid binaries in that dataset ready for you to use to give you, like, a root ID or an APF-authorized program. So if you can just mount a dataset, you're good. You've owned the mainframe. If you can't mount the dataset but you can edit the mounted datasets, it's just a VSAM file and you can just go in and flip the permission bit at the actual file specifically and then wait for the system reboot, and now you have a root shell. All right, that's bigendiansmalls figured all this out. So kudos to him.

Okay, let's talk about Java. Java, super cool, right? Come on, it's early, I know. But all right, it's cool in the mainframe though. So check this out. All right, so come z/OS, come to the JVM. It runs in the Unix space. Everything that runs in the JVM runs in the Unix space. Tomcat runs. In fact, in the class that we teach we have a vulnerable Apache Tomcat server and you literally just type metasploit and upload the WAR file and it just works, right, because it's easy. So the thing with Java that's important to know is it's free to run on the mainframe. So come talk to me afterwards if you want to learn more about MIPS versus zIIPs, but just know it doesn't cost anything.
So it's a good area for us to play and we won't get caught for using resources. All right, so who thinks we can get a reverse shell using Java? You know, everyone, everyone, come on. All right, who thinks we can use an Android reverse shell on our mainframe? Anybody? Anybody want that? One, two, three? Okay, so we're going to upload it. I'm going to literally just change the IP and port. I'm going to upload it and compile it and, like, who thinks, okay, so do you think it's going to work? It's going to work. I wouldn't be up here talking about it if it didn't work, right? Of course it works. Except the only problem is it speaks EBCDIC, right, but that's fine. That's why I rewrote Net EBCDIC Cat. So here's the shell. Here's my shell prompt, right. So now that we know that, don't applaud it, don't, I literally took some person's code and ran it. Like, applaud this person. All right, because it gets better.

So okay, so what else can we do with Java? So this is actually IBM's Java and they add some extra stuff. They add these things called JZOS and ZUtil, and there's some cool things we can use with that. So here, for example, this is all the code I need to flood your master console. I don't have time to talk about what the master console is. Just trust me, this is bad. If I run this, if I compile it and then run it on my test box, I can flood the master console with ToorCon. The master console is essentially where you control programs that are running, where you need to stop them, all kinds of cool and important stuff.
It's also where all your security messages go. So if I'm doing nefarious things, I might just spam it with a whole bunch of stuff and then in the middle do what I'm trying to do. Funny story: bigendiansmalls was messing around and doing the same thing in assembler and then locked his machine, because he couldn't kill the process, because every time he looked up the process ID his flood would fill the screen again. So he couldn't, and then it just got so full it killed the machine. All right.

Now one of the problems that I have when I'm on a mainframe is trying to find, like, an egress, a way to get my stuff off the mainframe. Like, I'm stealing data, I'm stealing files, I need to find a way to get that stuff off the mainframe and onto my Linux box. Okay, so I need to find egress ports that I can use. It's not just like, oh, here's all the, look, it's just all forwarding. Sometimes they have no egress filtering, but hopefully you encounter a mainframe that does. So we use Java to find those ports. Now you might be thinking, why aren't we using any of the other languages that are available to us that would be (a) faster and (b) everyone else knows better, right? Well, the problem is you can't change the socket timeout on those connections. So I literally wrote a port scanner in REXX, and when you connect, some egress filtering just doesn't send a reset, doesn't send anything. It just doesn't reply, just sinkholes your SYN, and it just sits there for two and a half minutes waiting, right? And so over 65,000 ports, that's a long time. However, in Java, so kudos to SirCICSalot for figuring this out, there's, like, it's not in the documentation, I looked there, there's an old trick: if you use the socket.connect in Java, you can set a timeout in milliseconds. So what we do is we write a, this is available.
So we run EgressBuster from TrustedSec on a Linux box on the web, on the corporate network, whatever. Then we run this Java program. We compile it and then we run it, and we don't care if EgressBuster sends anything back, because what happens is, when you connect to EgressBuster, it just tells you "I have a connection from that port," right? So we run the Java program blind, and we want the smallest timeout that we can set so that we can go through all 65,000 ports in literally, like, two minutes to find all the ports that are available to us for egress. And we've done this. Like, so now that we can do this, we've successfully used this and been able to find, like, there's five ports open for us to use for egress, right? And then some of them can go somewhere.

Okay, now that we're able to find ports, we can do, the Java actually provides access to datasets. And remember, Unix is just used for, like, a lot of TCP/IP stuff, maybe some web servers. The actual data that you care about is going to be in datasets, in the mainframe space. But that's fine, because Java provides methods to say "open this dataset." You just provide a dataset name and it opens it up. You actually search for dataset names using the catalog interface. It's all available. And then you just take that and you just send it over the egress port, and if you know it's in EBCDIC, not binary, you can just translate it on the fly with Java.

Now, so now that we know CICS is an application server, if we have access to Unix and access to one CICS transaction, remember CICS transactions are four letters, if we have access to that and Unix, we can do privesc and become the CICS application server with Java. Okay, that's good. It's cool. Yeah, so we upload a JAR, actually it's an OSGi bundle, but for the sake of argument, we upload it to just some folder in Unix somewhere, and then we run literally these three commands in CICS.
I don't have much time. I don't have the time to go over all these commands in CICS, but basically you define the program, you define the transaction you're going to use, we're going to use JTM1, and then you define a bundle, and that's the JAR file that you just uploaded, right? So as long as CICS has access to that folder somewhere in Unix, you can now execute this code. So then what you do is, we're going to set up a netcat listener and then we're going to connect into CICS. So we're going to connect to CICS and we're going to access, now I wrote it to be kind of idiot-proof. So I wrote it with, like, if you call it without anything it shows you a usage and a cool ASCII logo, or I guess EBCDIC logo in this case. But so we're going to run the JTM1 transaction that we just installed. It gives you usage on the bottom on how to use this transaction. Now we're going to run it, and now I have a shell, and I have a shell running as the CICS user. Now notice it goes by pretty quick. So notice the user ID in Unix now, right. Thank you. There we go. Yes, thank you. Okay. Everyone's like, I don't, what the hell just happened? So, but this doesn't really mean anything.
Okay, one, this is because the started task that's running CICS is running with a UID of zero, right? Generally that won't happen in a real application space, but because of the way CICS interacts with databases and stuff, if you can run a shell as anything, like, I'm just using a shell as an example because it's nice stunt hacking, but typically, realistically, I would write a bunch of DB2 interfaces and then have it run and then use that to access DB2, because that would be running as the CICS user, and then I can access a whole bunch of database transactions. And guess what, there's a lot of stuff in CICS databases. Like, everything you care about is in a DB2 database or IMS driven by CICS. Everything you care about: student loans, your home mortgage, everything. All right. So, but just because I'm UID zero doesn't mean anything. I have to, like, do other things to do privesc in the Unix space to do stuff in the TSO world. But anyways, that'll get detected probably, so at this point you're better off just staying as the application ID and just doing normal application-y things.

But since I'm doing all this Java stuff, one of the things that perplexes me is there's actually no C2 client for the mainframe. So I wrote one in Java for a very popular and simple C2 infrastructure. I almost did this because (a) no one's using this, (b) it's easily detectable by any antivirus if you run the server, and also it was open source and easy for me to write for. So I wrote a TrevorC2 client in Java. So here you're going to see some, I'm running TrevorC2 and I'm going to interact a little. It's already ran, like, the Java ran already. So I'm going to interact with my client, and I have a valid shell prompt and everything in TrevorC2. And I did that because I'm hoping someone will take that and then implement it in any other of the actual C2s that people use. But this, I'm actually just waiting for them to accept my pull request. So I think with that, first.
I want to say thank you for having me out here. This is my first ToorCon. It's been awesome. Thank you. And with the two minutes that I have left, some time was up here, are there, there's one question already? Do you want me to run them? Like, oh, we got three minutes. Oh. Any questions? Yeah, you want to yell it out?

So the question was, so the permissions in Linux are actually at the file, in Unix are at the file system level, right? So it's not, it's literally just using Unix commands. So when you're accessing a file, even though the permissions are set outside in, like, ACF2 perhaps, it's still going to show up as your access rights within. I know what you mean, but it doesn't do that, because it's just a Unix tool, right? We could do some checking, but once you start doing, like, ESM commands you start getting really noisy, because you generally don't have, anyway, everyone else has no idea what we're talking about, but come talk to me afterwards because I want to pick your brain.

Another question: my preferred emulator? I would say probably Snes9x, but that's, thank you, thank you, thank you. Someone got my mainframe joke. It's x, I use x3270. In fact, I just wrote a Python script that'll take whatever awesome color scheme you have for bash or, like, your terminal emulator and it'll convert it to an awesome theme for x3270. But yeah, you have to use a 3270 emulator for everything you do in z/OS, like when you're connecting to TSO and stuff. Any other questions? Everyone's an expert on mainframes now. Cool. And no one has any questions about the mainframe, the most systemically important platform on the planet. No one cares. Good, good. All right. Well, thanks again everyone. I want to say thank you for having me. If anyone has any further questions, Phil will be outside.
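The bounded connect timeout the talk relies on for checking egress in minutes rather than hours, written out as an added example; this is not code from the talk, from the speaker's tools, or from EgressBuster. The class name EgressCheck is a hypothetical name chosen here, and a local ServerSocket stands in for the EgressBuster listener so the demo runs offline. The point it shows is the one the talk makes: Socket.connect(SocketAddress, int) returns or fails within the given milliseconds even when a firewall silently drops the SYN, where a plain connect would block for minutes. The same bounded probe is what a defender runs from a host to confirm that egress filtering really drops outbound connects instead of letting them through.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.util.ArrayList;
import java.util.List;

/*
 * Added example, not from the talk. EgressCheck is a hypothetical class name.
 * Demonstrates bounded-timeout TCP connects: a silently dropped SYN costs at
 * most timeoutMillis instead of the multi-minute default the talk describes.
 */
public class EgressCheck {

    /** What one connect attempt told us about the port. */
    public enum Outcome { OPEN, REFUSED, FILTERED }

    /** One TCP connect with a hard upper bound on how long we wait. */
    public static Outcome probe(String host, int port, int timeoutMillis) {
        try (Socket s = new Socket()) {
            // The int argument is the trick: connect gives up after timeoutMillis.
            s.connect(new InetSocketAddress(host, port), timeoutMillis);
            return Outcome.OPEN;        // three-way handshake completed
        } catch (SocketTimeoutException e) {
            return Outcome.FILTERED;    // no SYN/ACK and no RST before the deadline
        } catch (IOException e) {
            return Outcome.REFUSED;     // RST (or unreachable) came back promptly
        }
    }

    /** Probe an inclusive port range and return the ports that accepted a connection. */
    public static List<Integer> openPorts(String host, int from, int to, int timeoutMillis) {
        List<Integer> open = new ArrayList<>();
        for (int p = from; p <= to; p++) {
            if (probe(host, p, timeoutMillis) == Outcome.OPEN) {
                open.add(p);
            }
        }
        return open;
    }

    /**
     * Offline demo: bind one ephemeral loopback port as a constructed stand-in
     * for the EgressBuster listener, then scan a small window around it.
     * Optional first argument: timeout in milliseconds (default 200).
     */
    public static void main(String[] args) throws IOException {
        int timeout = args.length > 0 ? Integer.parseInt(args[0]) : 200;
        try (ServerSocket listener = new ServerSocket(0)) {
            int target = listener.getLocalPort();
            int from = Math.max(1, target - 5);
            int to = Math.min(65535, target + 5);
            long start = System.currentTimeMillis();
            List<Integer> found = openPorts("127.0.0.1", from, to, timeout);
            long elapsed = System.currentTimeMillis() - start;
            System.out.println("open ports in " + from + "-" + to + ": " + found
                    + " (expected [" + target + "]) in " + elapsed + " ms");
        }
    }
}
```

On loopback, closed ports answer with a RST immediately, so the demo finishes fast regardless of the timeout; the timeout only earns its keep against a host or firewall that drops packets, where each FILTERED result costs exactly the bound you set rather than the operating system's default connect wait. Run with javac EgressCheck.java && java EgressCheck 200 and try a larger range or a remote host whose filtering you are validating.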