So we're going to get started with the last talk of the day. So this talk is about mainframe hacking in 2019. And to answer any of these questions, we have Philip Young, sorry for that, who we probably know as Soldier of Fortran. He is a leading expert in all things mainframe hacking. So stay focused. There's some swag to be won during the talk. So, yep, keep those brains on. Yeah, go for it.

Ooh. No, it's... I haven't done anything yet. I just showed up. Easiest crowd. So let's try this. How you doing, NorthSec? Oh, awesome. Okay, good. Yeah, that side did great. That's so much. Okay, so before I get started, this is like the thing I have to say. Oh, my slides aren't up yet. Let me... I'll wait until they... There we go. Okay. So before I get started, this is sort of my standard required. My employer makes me do this. I'm not here representing my employer. I'm not here speaking in the name of or on behalf of my employer. I am just a concerned citizen who happens to care deeply about mainframe security.

If you fly, if you go to a bank, any bank, if you ride a train, if you pay your taxes or don't, a mainframe is involved in some way. If you use ADP as your payment processor, heavy mainframe shop, okay? The most important platform on the planet today is still the mainframe. I was at an OWASP event at Twitter, like in their building. And this guy comes up to me and he's like, hey, what do you do? I go, oh, I do mainframe security research. He's like, cool, I didn't know those still mattered anymore. And I was like, you know, if Twitter went offline like right now, it would be in the news for three days and then Facebook would have like whatever they built to replace Twitter and it would be up and running and everyone would be land grabbing for user IDs on that and Twitter would be gone and no one would care. If all the mainframes, this is legit, if all the mainframes went offline like right now, it would be global economic chaos, right?
Trades wouldn't happen. Checks wouldn't get paid. Bills would not get paid. Paychecks, like if a mainframe goes down Thursday afternoon, people are gonna be really upset come Monday morning. Then planes won't go, like global grounding of airlines. Let's see what else. Hospitals stop working. You don't have to pay university tuition, because that's a plus. The whole world just shuts down. In fact, some large retailers in the States, they will literally stop being able to fill their shelves because the trucks aren't showing up because all their logistics is run by mainframes. Okay, so it's a very important platform that I care a lot about.

So I started out, how did I get on this journey to mainframes, right? So I started out on BBSs and X.25 networks. Who here has used an X.25 network? One, two, three, four, wow, five? That's the most I've ever had. I actually started reading these kind of guides on BBSs. Mind you, I was 10, 12. I had no idea what I was doing. Also, when you are a Canadian who is like 12 and the internet's coming up and you read about Telnet, and then you read this guide written in the 80s about a thing called Telenet. And for like five years, you just think they're the same thing, not great. But anyways, it doesn't matter because in Canada we have Datapac. Did anybody use Datapac? A handful of people, okay. So Datapac was a Canadian X.25 network. It meant if you had a modem, you could dial into it and then connect to likely modems or like VAX/VMS machines and all kinds of fun stuff that I definitely didn't touch when I was a 14-year-old hacker wannabe. But I definitely did read this. Like this is one of the first really formative books of my life. I even printed it on a dot matrix printer. Yeah, whoa.

Alrighty, so fast forward, super fast. Eight, like college, get a degree in computer science, move on to audit, right? Because there were no cybersecurity jobs when I graduated college. I was working on this audit for a large payment processor in the States.
And we get this guy from a three-letter company. I'm not gonna name them. I have named them in other talks previously. And we bring this guy in and he's billed to us as like a PCI certified mainframe expert. He is the guy. He's the guy. And he comes over and I'm like, okay, cool. I'm gonna get your knowledge, you're gonna dump it into my brain and I'm gonna actually be able to really audit a mainframe instead of what I was doing before, which is quite literally a checklist, and going, do you have this? Good. I don't know what I'm looking at. I don't know why an APF authorized library matters, but I have to do it on a checklist. So this guy comes back and I'm like, okay, cool. You're PCI certified. How do I see what ports are open on a mainframe? Easy question. Oh, well, you have to pull the communication server memory region and read the bits by hand to figure that out. I'm like, that sounds stupid. I wonder if you can run the netstat command. And you could. You just type netstat. So I told one of the system programmers to run the netstat command and this guy, no lie, goes to me and goes like, hey, what's netstat? And that's when I was like, holy moly. The reason no one's talking about this platform at DEF CON or anywhere else is because no one cares to talk about it, right? There's no security expert in the space. Like literally, I would love it if someone else was up here talking about this because I've been doing it for like five years.

So I've spoken everywhere, too many places. DEF CON, RSA, Black Hat, ShmooCon, all kinds of places. I've actually spoken at NorthSec before. Typically, so this is not supposed to be like a super in-depth dive into like 0-day hacking on the mainframe. That's just for the mainframers who are watching this later online, because typically this is an email that will end up on a mainframe mailing list that I'm on. And you usually see stuff like this. It's very amateurish, which it definitely is. I am not a system programmer by trade.
I am literally doing this with just a bunch of free online books and like a gumption, okay? I also run what's called the Internet Mainframe Program, called the IMP. It's quite literally Masscan, Nmap, s3270, and a bunch of Python that sort of glues it all together. And it takes screenshots of mainframes that it finds online. I have a database of 600 screenshots, typically things that look like this. Who can tell me who owns this mainframe? That was not in my class. Come on, someone, I know, this is not the prize winning question. Like literally on the screen. Yeah, it's the, yeah. Do you know who the joint service provider is? What do you think that little shape is? It's a pentagon. Cool, huh?

Alrighty, so I teach a class on mainframe pentesting. It is an intense, who here was in the class? I know a couple of people up front. I see one in the back. Yeah, okay. No, you guys can't answer the quiz question. That's not fair. How many system programmers we have in the room? Okay, good, that's not, okay, fine. Because then the question, no one's gonna get it. Alrighty, cool. So I teach a two-day class on how to actually put your mainframe through its paces. But since only three people took the class, I'm gonna have to give you a 101 on mainframes.

Typically when I travel, I ask people, I ask the hotel, you know, in those little hotel things, you're gonna ask for special requests like, oh, it's our anniversary, let's get some flowers. And I put, draw me a picture of a mainframe without looking it up on the internet. And I see things like this, right? Like it's a mainframe for a car. Or this, this is a cool, this is a good one. This is the state of Maine. And then this last one is the closest one. It is a Sun Microsystems box, not a mainframe, but at least it's a computer, right? Like, they knew enough to do that. But what, okay, so, this is what an actual mainframe looks like, okay? This is no lie, this is what it looks like. It's about the size of an industrial fridge.
It comes with that person. That's, it's funny, it is a joke, but it's no joke. And it comes with people. They just live underneath the keyboard section there, they just stay in your data center. But that's a mainframe. It is a modern piece of architecture. It's super resilient, it's designed to handle earthquakes. You can quite literally rip out CPU cards and it just continues processing transactions on a different CPU, doesn't matter. It is really quite a modern piece of technology. The reason you don't hear about it at all, it's cause it's got like five, six, seven nines of uptime. Okay, that's why we don't hear about it going down all that often. Cause when it does go down, it's cause someone like me or someone like people in the room have screwed up.

But it's just a computer. It's just a computer that has, give me a second, this is gonna take a bit. It has Systems Network Architecture, Virtual Telecommunications Access Method, Resource Access Control Facility, Time Sharing Option, Restructured Extended Executor, Job Control Language, Customer Information Control System, Virtual Storage, Open Multiple Virtual Storage, High Level Assembler, Telnet 3270, Authorized Program Facility and Network Job Entry. Any questions? We'll get there, don't worry. We're good? I'm gonna move on to the cool hacking part now and you'll not, okay, so.

So Telnet 3270, that is really just the window into the mainframe, okay? It lets you connect to VTAM, we'll get to VTAM in a bit. Typically, when I'm doing anything on the mainframe, I use the client x3270. It is open source. It is freely available and it is awesome. It is probably the best 3270 client that there is. And I prefer it over the commercial enterprise options because it supports things like special characters and graphics. This is an honest to God TN3270 mainframe log-on screen that I built. You can do graphics, you can do colors.
The challenge with this kind of art is, I'm gonna get way in the weeds here, but basically with the TN3270 stream protocol, you can't just change the color. It takes up one character, so one character is changing the color, that's why now the colors change. There's always a space between them. That's just how it works. Anyways, so you can do stuff like that. For the demos today, I will probably be doing them like this because it's easier to see, right? It's black on white. It's easier for everyone in the room to see versus this kind of hard to read, especially red text, we found. Sorry, so that's it.

It's x3270, it's a Telnet-based protocol. That means it's in clear text. But it's encrypted with EBCDIC. So that's not encryption, that's literally, there's a switch in Wireshark to go decode EBCDIC, right? It's just ASCII, but in whatever ancient format IBM decided on. The predominant reason that I use it, especially for mainframe pentesting, is because I can record every single thing I do in a session, right? So I can go back and take screenshots, I can go and do whatever I need to do, and it takes it in nice HTML formatted things so I can do grep, I can look through it. That's why I use x3270. I prefer it over the other clients. It's also scriptable, so if you have a whole bunch of tasks that you need to do, like I had one program, I had one place that literally could not download a file off the mainframe. So I quite literally catted it and had x3270 just hit enter for like five hours, right? Instead of me doing it. But that's possible with this, okay? That's why I prefer it over the other ones.

Okay, Systems Network Architecture. Does anybody know anything about SNA? I'm like, no one. There's people who took my class and they didn't put their hands up. That's terrible. Okay, so SNA, basically you needed a way to identify things before TCP/IP existed. Okay, it was invented in like the 70s, 80s.
Essentially a terminal gets an ID and then you say I want to connect to this ID over here with this terminal and then it routes it where it needs to go. The important thing to know for like when we talk about SNA is that every time you connect with x3270, you get a logical unit. So if you go back a couple of slides here, you can see on the very bottom there there's like a thing called SMOG LU25, that's the identifier for that terminal connection. All right, and I say that because that's important for when you're looking at logs and you're trying to like blue team this, because the logs don't sort of match up. So it's important to know that, SNA logical units.

Okay, VTAM, no one calls it Virtual Telecommunications whatever, okay, just VTAM. When you connect, so that screen that you saw me show, that's VTAM, that Pentagon one, that's VTAM. When you connect on TN3270, you're connecting to VTAM. VTAM is like the router that controls where you're gonna go, where you want to go. It's your first like, there have been places where I've connected into a dev or sandbox environment and then known how to get to prod through VTAM. Okay, just do it over the SNA network. So that's VTAM, that's what VTAM does. What's cool is, one, it doesn't log anything, that's cool. Two, it has all these various commands, well, three commands that you can do stuff with. LOGOFF is quite literally just close the connection. LOGON is how you actually route your terminal to an application. So if I want to get to TSO, Time Sharing Option, that's where it's gonna take me. That's where that command's gonna take me. The other one is IBMTEST. So to tell if you're in VTAM or not, and nine times out of 10 you are, you can type IBMTEST and it'll reply IBMECHO, dot, dot, dot, dot, and the whole alphabet and all the numbers, right? It's a debug command that allows you to identify that you're in VTAM, but that's how I can tell.
So all my scripts and stuff that I've written, it checks for that first, for VTAM, so that it can move on.

Okay, you heard me here talk about TSO. TSO stands for Time Sharing Option. The reason it's called Time Sharing Option is because it used to be optional. You used to be able to buy a mainframe and it didn't come with this, but this is the shell. This is when you're on it, you're typing commands. TSO is the shell environment, for lack of a better term, that you're connecting to. That's Time Sharing Option. When you want to run programs, there's two ways: you can call compiled programs, they're called load modules, but you can call compiled programs, or you execute scripts. So that's the two main differences. Here's an example of me calling a compiled program that I've written in TSO. So I type CALL and then I type the file. It's called a data set. I call the file and it's gonna run, right? That's calling a binary compiled program. Next, same thing, but this is an execute. This is a script, it's a REXX script. I'll get there in a bit. So this is how I would run a REXX script. So I type EX, enter, boom. You get a totally different skull.

Now, if you're wondering what programs in the background ran these and drive these, the first one was assembler and that's what it looks like. It is a mess. The next one was written in REXX. Look how easy that is. And so you can imagine I prototype all my stuff in REXX. All my scripts that I start with are prototyped in REXX. They're easier to read, easier to wrap a prototype. REXX is like the Python. Well, it's more like, it's like if Perl, Bash and Python had a kid, an older kid. Because this was created in the 80s as a 10% project by someone at IBM, like long, long time ago. So this was like an optional thing that they built and now it's a super powerful scripting engine and it comes installed by default on every single mainframe. Period. You know it's gonna be there, it's installed by default.
JCL is typically what we use to submit jobs. So the operating system is actually batch driven. So if I need to do something that's, you heard me say I have to hit enter a billion times. Like that sucks. So if I'm gonna make a report or if I'm going to do things like run commands in Unix or run commands in TSO, like headless, I would use JCL, you submit the job and it goes in. It looks like garbage. And it takes you a while to figure it out. But like Lisp looks like crap too, so it's fine. This is JCL. This JCL does exactly what the previous TSO command does. It executes a REXX script. And instead of the output going to my screen, it goes to SDSF, which prints out and looks like this. So you can imagine this is pretty useful to do stuff where you can submit JCL but might not have an interactive terminal. Okay, so that's JCL. Some pro tips with JCL. You always need to put two slashes on every single line unless you're doing inline commands for the program you're running. There's also a program there. You can see it, program IKJEFT01. That's the program that we're running with this job step in JCL. Fantastic. Everyone here is like, this is the, why am I still here? This is too late to be, why are you doing this to us? I'll get, trust me, we'll get there.

So how do we secure the mainframe? We use RACF predominantly. There's also ACF2 and Top Secret. They only have together 25% of the market. RACF controls the other 75% of the market. If you're thinking, what are you talking about? How are there three security products for an operating system? And they're atomic, right? They're not like, you can't install one on top of the other. It's because the way the operating system works is every time you try to do something, it asks a thing called the SAF. And then the SAF will ask your security product if you can get access, right? So you can just swap in and out security products. And that's the reason some people have been using ACF2 for like 40 years and they're never gonna switch.
But RACF is predominantly what we see. Now, when you try to do something on the mainframe, it's gonna ask the RACF database. It's just a database. So it's not like built in the operating system. There's no bit set on files or anything. When you have access to the database, that means you can change your permission to any file. Because it's just a database. So if I have system SPECIAL, which is one of the attributes that exists on the mainframe, that doesn't mean I can do anything, but it just means I can give myself the ability to do anything, right? So sometimes you'll encounter an audit, like someone has system SPECIAL and you're like, oh, that's like root. It's not like root. It's more like someone has the ability to sudo to root if they know the right command to type. That's what system SPECIAL is. System OPERATIONS is the best. It literally lets you touch, read, edit, access any file. And the logic flow in RACF is quite literally, is it OPERATIONS? Okay, I'm not gonna check anything else, right? Cause why would I bother?

Okay, virtual storage, there's like 6,000 pages documenting everything that's in memory. Everything that's in memory is documented very clearly. I'm telling you all this stuff cause it's important later when we start breaking this apart, okay? So very important, virtual storage is amazing. But there's a lot of documentation and I have maybe read 12 pages of it, okay?

Alrighty, APF. You heard me say APF authorized. It's basically a folder and anything in that folder, and yes, mainframers, I know, it's a PDS, it's a folder. Anything in that folder is essentially ring zero. It's a program that runs with the capability of getting into ring zero without having to do anything special. It's not UID zero. It doesn't give you like setuid, but it gives you the ability to change any region in memory. We'll get to why that's important in a second, because we just talked about RACF.
And RACF, when you log in, takes your access rights from the database and puts it into a place in memory that's write protected. So you as a normal user cannot change it, and then when you go to access a file, it doesn't go to the database. It checks your memory to see if you're allowed access to the file, right? To save on CPU cycles and all that stuff. So if we can change our memory, then we can give ourselves access to whatever we want. In fact, SPECIAL and OPERATIONS is one bit each in memory. And if you can change those two bits, you can effectively own the entire mainframe. I'll show you how to do that when we get to the demo section.

Okay, CICS. The Customer Information Control System. I like to say it's websites before websites existed. They're transactions, they have four characters. This is what CICS looks like. It's like websites before websites existed. Okay, you give it a four character transaction.

Alrighty, now it's time for the prize. Little break here. Literally anyone yell it out. Just like even the dumbest guess. It is not memory. It's so obviously not memory. Why would you think it's memory? Who yelled out memory? I'll give you the prize anyways. Thank you. All right, so it's actually Unix. So OMVS refers to Unix. Just Unix. But Unix runs all networking on your mainframe. So there is a Unix part. So just like you log in to TSO, you can SSH into Unix. Unix runs Java, runs all web stuff, unless it's REXX. It allows you to do all kinds of cool stuff. But it's, look, it's quite literally just Unix. This is it. Nothing special. In fact, I call it, and people call it OMVS, not Open Multiple Virtual Storage, because that doesn't make any sense. So they call it OMVS or Unix System Services. It's just Unix. But you can also run REXX from Unix that's in TSO. So for example, here's the exact same REXX script we ran earlier in JCL.
We ran it in TSO, and now we're able to run it in Unix by just passing the /bin/tso command and then whatever TSO command we wanna run. So it's easy to get around the operating system from various locations. And TSO has the same thing. There's a whole bunch of commands in TSO that will run things in the Unix environment. It's like OSHELL, OMVS commands. Alrighty, so you can actually also run Unix stuff in JCL. So just like we could run TSO commands, you can also run Unix commands in JCL. This is very important to understand, that you can run commands through JCL, because for whatever reason, there is this really cool feature that IBM implemented on the FTP server that allows you to switch into what's called JES mode. Okay, so you can switch into JES mode, and anytime you upload a file now through FTP, instead of going to the file system, it's gonna go to the job execution system and run your job. So if you have a mainframe, I'm assuming some people do in their corporate environment, you probably wanna check who you're letting FTP from the outside into your mainframe, because even if you blocked off access for everything else, I can still submit jobs through FTP.

Network Job Entry, look, I swear, the next slide we're gonna get into fun stuff. Okay, so bear with me for like one more slide. Okay, everyone looks so dour, or everyone's just super hungover. So Network Job Entry, the only thing to know here is when two nodes, like you have two mainframes in your environment, you use Network Job Entry to submit jobs between the two. Why would you do that? Because switching mainframes is a pain in the butt and it's easier just to say, I have a job, I want it to run on four mainframes, so I'm gonna just change one line in that JCL and it's gonna run on a different mainframe every time. That's the only real key thing to know before we start breaking it apart. Okay, so that's Network Job Entry.
It allows mainframes to submit jobs on other mainframes. If you're letting your clients, like business to business, submit jobs through Network Job Entry, we definitely need to talk later, because that's not good.

Okay, now the fun begins, because now I'm gonna talk about stuff everyone in the room understands, right? So we're gonna talk about using Nmap to map out a system, to understand and use all these scripts that I wrote to map it out. And we're gonna talk about like Hydra, like just use Hydra to do brute forcing, nothing fancy. I'm gonna talk about CICSpwn, which is a super cool tool. Who here knew that Metasploit had some mainframe exploits in it? There's three people who took the class, come on. What? Thank you, God. And then we're gonna talk about injecting jobs using the Network Job Entry subsystem. So that's what we're gonna talk about for the next like half an hour.

Alrighty, so Nmap. In like 2015, I created a Lua library that is a TN3270 emulator, because Nmap only talks Lua and I had a lot of free time, I guess. So I did this and it was finally accepted into the, so this is in your Nmap, if you have Kali on your laptop right now, this is all there, this is not like super new. But let's just do cool stuff like TSO user enumeration, CICS transaction ID brute forcing. So remember I said CICS, four characters, four characters. I've actually done this, I've enumerated the entire character space on an enterprise mainframe, it took three days. But then I knew exactly every single transaction ID that was on that system because I was using CICS enumeration. VTAM application ID enumeration. So remember I told you, VTAM has a command, the LOGON APPLID whatever, you don't know what the application IDs are. They don't tell you. So I wrote a script that tries to enumerate them all. Or you can just go read their logon documentation and it'll tell you. And then gathering CICS information.
So that script goes and uses one of the transactions, instead of trying to brute force the names, you can use it and it'll just dump all the names to the screen for you. So how do we do VTAM enumeration? So typically if you wanna find CICS, TSO, DB2, IMS, they're gonna use a common name. TSO1, TSODEV, let's go start with TSO. CICS, they always start with CICS. Or maybe CIC. They can only be eight characters long so they get kinda creative, but they try to keep it simple. So the best place to find that information, to be honest, is to just go look on SharePoint for user guides. And then you can see like, there'll be one that's like, okay, to log into our HR system type LOGON APPLID CICSHR1. You're like, oh cool, so then I'm gonna try CICSHR1 through 99. CICSHRD for dev, like I'm just gonna try to enumerate the entire space. This is it, I mean that's literally all it takes.

CICS has a whole bunch of scripts that exist. So you can do CICS enumeration, CICS brute forcing, and CICS info. IBM pushed out a fix quietly that prevents me from doing user enumeration. So that was good. Found that out like two weeks ago. TSO, so what's cool about TSO is you can actually do user enumeration in TSO. Because, I'll show you, I'm actually gonna do some live demos, in the logon process, it tells you if you fat-fingered your user ID. So I just use that to enumerate the entire user space. And it takes like 10 minutes. I've done it before, I've done it multiple places now. You just get the whole user ID list in 10 minutes. FTP, so typically what we'll do is once I've identified accounts in TSO, I'll use Hydra to brute force the passwords in FTP because it's much faster than Nmap. And then I'll use that and Metasploit together to get a reverse shell. Because remember, if I can submit jobs through FTP, because I can issue the SITE FILETYPE=JES command, now when I upload that JCL, it'll execute as the user I'm logged into FTP with. Now, we didn't talk about CICS.
So we sort of said CICS is like an application server, like a web app maybe. In CICS, if you have access to the CECI transaction, you can actually upload code like JCL into the internal reader. And when you do that, it'll execute the code, the JCL, and it runs it as the application ID of the CICS region that's running. So very similar to how if you could do a local file include or some kind of vulnerability on a web server, that is the exact same thing we're doing here. I'm gonna show you exactly what it looks like. So Ayoub built this tool. It's super, just look how impressive that is. Look how many options there are to pass. Any questions about the options? No, great. So basically what you do is like, you don't have to pass all these, it's really, really good. So, but this is me using CICSpwn to just gather system information. So you can see we have access to CEMT, CEDA, CECI, CECS, CBR. These are all the built in transactions from IBM. You can see it tells us the version of the operating system. It tells us all kinds of information. Also tells us the user ID, that is the default CICS user.

Now, what gets really cool is I wanna show you the next demo here. When we're logged in, we are not on the system as the CICS user. We're on the system as the started task that's running CICS. So here we go. So CICSpwn has the ability, I'm gonna let this loop a couple of times. So CICSpwn has an option that you can pass it that takes a job, and Ayoub has created a bunch of jobs. And one is called direct TSO. So you launch CICSpwn, it connects, uploads the JCL. The JCL has a REXX script inside it that allows you to get a bind or a reverse shell in CICS. So here I'm doing a bind shell. So I run it. It's gonna upload. It's a bind TSO shell. He actually has bind Unix shells as well, reverse Unix shells. And I'm gonna use ncat to connect to that port. So port four for five. Now I'm in TSO. So I'm in the system as TSO. And if you look, I listed the user here.
Probably can't see it because of all this garbage, but my user ID is START1 here. And if you notice, you might see an attribute. There's two attributes on that account. One was PROTECTED and one was OPERATIONS. So OPERATIONS means I can read any file now. I can literally access any file I want. PROTECTED is funny, because PROTECTED means you can't actually log in and use the account interactively. But if I can trick the operating system into running a job as that user, I can execute whatever I want as that user. So effectively, just with CICSpwn, I've owned the mainframe already.

Metasploit. So this is the only exploit right now. And I call it an exploit, but you're just using the credentials and you're using what you want, like, you're just following the application process flow. We're using it in a way that I don't think people expected us to use it. And when I say we, I did not write that, it was all Chad. So Chad Rikansrud, or @bigendiansmalls, definitely follow him on Twitter, the world's greatest mainframe hacker. He'll get a kick out of me saying that. But he wrote all this. He actually had to add a z/OS architecture to Metasploit to get it to work. And again, if you're on Kali or you installed Metasploit today, it's included with Metasploit. So you can just, this is just part of your toolset now. There's like a handful of payloads. There's like a bind shell, reverse shell. And this is a full on Unix shell. And then there's generic JCL if you just want to upload whatever JCL. It's just Metasploit. See, Metasploit. But now I'm in Unix. So instead of being in TSO, like we were for CICSpwn, this gives me a shell in Unix. You can see I can run all kinds of stuff. I can run netstat, I can search for data sets in WARNING mode. I can do all kinds of stuff.

Okay, so remember I talked about Network Job Entry and how Network Job Entry is used to send jobs from one mainframe to another mainframe.
And you might think like, well, how do they authenticate and do all that stuff? They quite literally, if you know the name of the two nodes, then you can impersonate both nodes. Because the authentication is quite literally, you go up to a mainframe with Python, and you say, hey, I know that your name is SMOG and my name is WATER. And then the mainframe SMOG goes, cool, come on in. You know the secret word. That's part of Network Job Entry. And this only works for trusted nodes. So if you've got a, but no one has really super complicated node security. Basically if I can connect as a node in your mainframe node network, I can send jobs to any node in that network using a Python script. But what's cool is I control the header for the jobs, like before the job part, and I can control which user is submitting the job. So when I connect and the job goes in, it goes in as a user that I control. So I just say the most privileged user on the planet and run commands and do whatever I want. So here's an example of me running, like using the Python library. It's gonna have debug on, so it's gonna look like a ton of information. But I'm gonna connect with Network Job Entry, and let's see here. And it's gonna submit, it's gonna actually run a JES2 command, a simple one, because I'm just demonstrating that it works. But you can do crazy complicated things with this. It actually comes with a Python script that will submit JCL as any user you want into whatever node. So this is just running a JES2 command, although I didn't authenticate at all. I didn't need to know a password or anything. Now, you can set a password on your nodes in the JES2 configuration file called the PARMLIB. People predominantly don't do that. And if they do, the password is actually in the configuration file. So if you can read the configuration file, you can read the password.

Okay, so cool, we got a shell. Cool, now what? It's time for enumeration and privilege escalation. Yeah, come on guys, come on.
I know it's the last talk. Yay! There, thank you. Trying to get some blood flow. Everyone looks so dour. They're like, oh my God, are you telling me this is what controls our whole infrastructure? Oh no.

So, first of all, I try to live off the land. IPLINFO, SHOWzOS, these are the commands I typically run. It dumps a crap ton of information on my screen. IPLINFO, you just type IPLINFO and it dumps literally everything you wanted to know about the operating system to your screen. Right, just tons and tons and tons of information. Same thing with SHOWzOS. So these are actually open source programs that people have written, and most shops have installed them. I don't know why, I don't know why I, as a pretend developer user, need to know all the details about the operating system that I couldn't just ask someone for, but whatever. There's other commands that we run, typically. List user, so LU. So you know when you connect and you type, you're like, I don't know what my user ID is, and you type id to see who you are, like what your UID is. Same thing, type LU in RACF. That shows you all this detail about the user ID, like what attributes you have, all kinds of stuff. Then I'm gonna look for, like, I can use ISRDDN or DDLIST to look at the path variable. This is an actual usable attack on the mainframe. Sometimes, you know, like in the PATH variable, if I can control that variable, like if I can edit a user's .bashrc, I can put a folder that I own as the first folder to search for. The same thing can happen on the mainframe. It's not called PATH, it's called data set concatenation, but you can definitely do that. The thing is, that list is usually quite large, and if I can edit a data set that's higher up, like a file that's higher up on the list, and I know people are using programs that are further down on the list, I just drop a malicious program in the upper area and now I can wait for users to log on, and now I have, like, a bunch of reverse shells.
And the next set, like, it's this next set. You can use the tool that I wrote. So I wrote this tool last year to help me enumerate things on the mainframe. So things that I care about. So it's just called ENUM. I'm not very creative, and you only get eight characters. So you run it and it has all this information. You can display all the APF authorized libraries, you can display information about the security system. So for example, here I am displaying information about the setup of the security. Because all this information, remember I was harping on you, there's 6,000 pages for storage information. All this information is in memory. So my script is not touching files, it's touching memory. And I'm allowed to read all that memory. This does not generate any alerts, this does not generate any warnings, it's silent. And I can profile the system and get the information that I want.

And I have a whole bunch of other tools that I've created. ACCESS, so ACCESS will check your access to a file, but it does it quietly. Instead of trying to run a command to check your access, it's actually a similar, you'll see in a second. APFCHECK, same thing, but it just gets all the APF authorized libraries and tries to figure out, do you have access to one of them? Quietly. CATMAP maps out all the files on the entire file system and tells you what they are. Takes a while. I did it once on a production mainframe and I got a 350 meg file back. Just file names, huge. And then SYSONE, so remember I said you use DDLIST to map out your path variable. I wrote a tool called SYSONE that puts it in a nice little visible table, and you can see exactly which ones you have ALTER access to. So here I am using ACCESS. Now I have to call a compiled program. So I'm calling ACCESS and I enter, don't worry about the specifics for volume, I really don't have time to get into it, but you have to enter the file name and the volume, and you can see I have ALTER access to that file.
USER.CLIST happens to be the first program that people run when they log in. Now I can control people's login process. ACCESS, oh, APFCHECK is gonna check my access to all the APF authorized libraries. If I have read or better, or if I have update or better on any of these, I can totally take control of your mainframe. Now, when I said these run quietly, it's because they're using a RACROUTE request, and it may or may not, depending on how you set it up, may or may not leave a record of you checking your access. It just depends on how, most people haven't set up the granularity in the RACF database to check. So whereas if you're running the commands, for sure that's gonna generate an alert. So this tries to quietly check access.

Ayoub again created this script, ELV.APF. If you have write access to an APF authorized library, this program gives you SYSTEM SPECIAL and SYSTEM OPERATIONS. Literally run it, give it a data set, hit enter, you've owned the mainframe. That's how easy it is. There's all the options you pass it, there's a whole bunch of flags, but here I am, it can check to see what you have access rights to. Now, typically I don't use it, because it's relying on you having RACF to do that check. I use APFCHECK to check my access first and then I will use ELV.APF to escalate my privileges. What does it do? It creates JCL that is a bunch of assembler programming that escalates your privileges, submits the job, the job runs, comes back, you've got supervisor access.

Okay, let's see, how are we on time? We got, like, what, 15 minutes? Should we do it live? Should we try? Should we try? Let's see. Here we go. Okay, so I am in just a normal, like, normal Unix box, nothing special. So the first thing I'm gonna do, see, I actually did all of this before, because I'm super smart. See here. Okay, so the first thing I'm gonna do, remember I told you that you can enumerate users in TSO? So I'm gonna connect into TSO, I'm gonna type TSO here. Logon, APPLID TSO.
I'm saying type in a username. Someone yell out a username to try. Opera, done, opera. Phil would work, that's not fair. Opera. "User ID OPERA is not authorized to use TSO." This is what I'm checking for in Nmap when I'm doing my TSO logon enumeration. That's, it's okay.

So first thing I'm gonna do, I need to find where TSO is, right? Sometimes it's not TSO. So I'm gonna use my VTAM enumeration script in Nmap to quickly enumerate all the transaction IDs. That's super fast. So you can see here now we found three valid application IDs. So we found TSO, A06TSO and CICSTS52. First thing I'm gonna do is try to see if CICS is locked down. If CICS isn't locked down, then it's game over. So we'll do, let's see, cat demo*. So we'll run the CICS info script. And what this script is gonna do, it's gonna connect into the mainframe. And you can see here I'm using the, that runs. I'm using CICSTS52 to run it, right? So remember we found that. We just found it in the VTAM step. And now I have a list of every single transaction that's on this and enabled on this environment. Plus a whole bunch of information. Now I know, because I set the system up, that it's vulnerable to CICSpwn just by virtue of me being able to access various data sets, right? I would typically run CICSpwn at this point, see what I have access to.

Okay, now we know we have access to TSO. Let's see, what was demo two. Let's enumerate all the users in TSO. So now we're trying, and now I have a, now mind you, my system has 20 users. A real enterprise environment could have anywhere from thousands to hundreds of thousands of users, okay? So it won't be that fast, it'll take maybe 20 minutes instead of half a minute. But here we go, so now I have a list of all the user IDs on the system. By the way, this doesn't leave a record, this doesn't say invalid access attempt. So when I do this, now I have a list of all the valid users, so when I do brute forcing, I'm not creating extra noise.
I'm gonna create a shit ton of noise, but I'm not creating more noise. Maybe everyone fat-fingered their password Monday morning, it happens, right? So I have a list of all the valid users. We're gonna use, let's see here. I'm gonna use, oh, I already did CICS info. Okay, we're gonna use tso-brute now to see if we can guess a password. Super complicated password. By the way, we're limited to eight characters in our password. That's the maximum password length we can have. So I'm gonna run this brute force script, and it's first gonna try the user ID. Typically I don't do that. There's a flag you can pass it to turn that off. Now we're gonna try the password NorthSec, and it's gonna hopefully work, or I've killed it. This is why you record your demos. We'll see here, it's my connection, guys. Let's see, can I still connect with, I really don't want to have to log back in. Let's see. Okay, so the good thing is, in case of failure, when this blows up in my face, I recorded all of this. So joke's on you, whoever's messing with my internet.

Alrighty, so I'm gonna do brute force. I'm gonna brute force the user IDs. This one works, not like, I must have lost internet. So here you're seeing me try the password NorthSec across the entire user space, and boom, I have a valid password on one user. So all I need is just one user. So here you can see valid user ID INFOS10, NorthSec. Next I'm gonna use Hydra. This is, you could have used Hydra instead of, I don't have the other one, so I'm gonna use Hydra. Hydra's much faster than doing TSO. Typically, they might limit how many TN3270 connections you can have, but not FTP, or who knows, right? So same thing, using a password, INFOS10, the password is NorthSec. And then we already kicked in. So now I'm gonna log in with that account. So I'm gonna connect, I'm gonna connect to it. Now, for the sake of time, I've already uploaded all the scripts I'm gonna use. So let's just keep that in mind.
So I'm gonna log in, I'm gonna pass it the user ID that I've already cracked, and I'm gonna log in with that user ID into the mainframe. So now I'm in TSO. First, I'm gonna execute, assuming I already know it has no access to anything, for the sake of time, I'm gonna execute the SEC flag and get the location of the RACF databases. Because the RACF database holds all the hashes. So if I have read access to the RACF database, I can crack all the password hashes. So we're gonna run this, so I need the volume name, right, for ACCESS. So I'll run the LISTDS command to list that data set. And now I'm gonna use, I'm gonna call my ACCESS script to tell me, do I have read access to that data set, or that file. We're gonna run this command, put in the right volume, and I have read access to that data set. So I would typically, at this point, connect with FTP, download the database, throw it on a password cracking rig, and use John the Ripper or Hashcat to crack the passwords. Because it supports RACF DES and KDFAES password hashes. So yeah, it's pretty cool.

All right, so assuming that's running in the background, let's see what else we can do with this account. Let's go see if we can access some of the administrator's files. Maybe I can screw around with him. So we're gonna go into ISPF, we're gonna go to the file browser, and we're gonna go to PHIL.NORTHSEC, we're looking for NorthSec files, say, right? So I'm gonna go to PHIL.N, I'm gonna go to, oh, there's a NorthSec file. Let's see, I can't read the file. I do not have sufficient authority. I'm not allowed to read that file. Well, dang. All right, so let's exit ISPF, and now we're going to list, see if I have APF authorized access, if I have access to any APF authorized libraries or folders, and I do, turns out there's one that I have update access to. Why? Maybe it's an old data set, maybe it's on a dev system, who knows.
Now I'm gonna run Ayoub's script, ELV.APF, and I'm gonna pass it that data set name, and that's it. Now if you look at my user access, you can see I am SPECIAL and OPERATIONS. Okay, now, hurry up, Phil, let's go. Let's go look at the file, and we'll go edit that, we'll go view the file. I still can't access the file. That's because of the way APF authorized runs, it doesn't actually change my access in my current session. It just changes my access in the RACF database. I need to log out and log back in for the changes to take effect. Once I log back in, I'll be able to access that file. Let's see here. So we'll go in, we'll view the file, and we'll see what's in it. There's a file called SECRET, so now's my chance to see what's in the secret file, and now I can read this file, okay? And I'm gonna put a comment in it, and then we'll just log off the mainframe. So now I have full control of the entire environment. At this point, I could turn it off, download any data set I want, just full, full control. Okay, no, thank you, thank you. It feels so weird. The live demo totally worked, right? We'll just pretend it worked, awesome.

Okay, so I have, like, literally six minutes left, seven minutes left. There's not enough time on the planet to cover everything. Listen, I teach a two-day class, and even in the two-day class, we're like, I wish we had more time. There's just so much content to cover here. It is a largely unexplored system. I know all the mainframe hackers on the planet, because there are seven of us, okay? So the reason I give talks like this is because I'm trying to get other people interested in the platform, get other people interested in giving talks, because I can't, I just can't keep traveling and giving talks on this thing. Now, I wonder if I can show something really cool. Let me see, I've got the time. Give me a minute, all right. Yeah, thank you. Okay, so I know this was rough. I know the beginning of the talk was super rough.
Like sitting up here and watching everyone go from this, like, oh, this could be a cool talk, and then being like, APF, what is, 6,000 pages, what is he, why did I have a beer after lunch? I feel awful, right? So I'm gonna show the cool, so this is, so with Zbit31 and Jira, please stand up so I can say, so these are the other, these are the two others, you can thank them for helping out. These are two of the seven mainframe hackers. They just happen to be here, but here's sort of the list of all the people you should typically follow on Twitter. If you're on Twitter, yes, there is a mainframe Twitter. No, there was no mainframe Twitter in 2013, so I'm super proud of the mainframe community for getting on Twitter in, like, the last six years. But if you have, if you follow people, follow these people on Twitter, they're posting all kinds of cool shit. Now, any questions while I try to do this other dumb demo?
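The NJE node impersonation the speaker describes, as an added example that is not the speaker's Python library and is not code from the talk: it builds and parses the first message of an NJE-over-TCP session, the 33-byte OPEN control record, and models a node that accepts the connection purely on the two node names. The layout (TYPE, RHOST, RIP, OHOST, OIP, R; names in EBCDIC padded with blanks) is taken from IBM's "Network Job Entry Formats and Protocols" manual as I recall it and should be checked against the manual; the node names SMOG and WATER come from the talk, the IP addresses, the trusted-node list and the NAK reason code are constructed assumptions, and the signon record and the job header in which the submitting user ID is set, which follow this exchange, are not modelled.

```python
"""NJE-over-TCP OPEN / ACK / NAK control record (added example).

Record layout, 33 bytes, as I recall it from the NJE formats manual:
  TYPE  8 bytes  EBCDIC "OPEN", "ACK" or "NAK", blank padded
  RHOST 8 bytes  EBCDIC name of the node receiving the OPEN (the target)
  RIP   4 bytes  IPv4 address of that node
  OHOST 8 bytes  EBCDIC name of the node originating the OPEN (what we claim)
  OIP   4 bytes  IPv4 address we claim to originate from
  R     1 byte   reason code (meaningful on NAK)
Verify the layout against the manual before using it against a real node.
"""
import ipaddress
import struct
from dataclasses import dataclass

EBCDIC = "cp037"          # standard-library EBCDIC codec
EBCDIC_BLANK = b"\x40"    # EBCDIC space used for padding
RECORD_LEN = 33
NAK_REASON_UNKNOWN_NODE = 0x01   # assumption: real reason codes are in the manual


@dataclass
class ControlRecord:
    rtype: str    # "OPEN", "ACK" or "NAK"
    rhost: str    # receiving node name
    rip: str      # receiving node IPv4, dotted
    ohost: str    # originating node name
    oip: str      # originating node IPv4, dotted
    reason: int   # reason code


def _ebcdic_field(text: str, width: int) -> bytes:
    """Encode an upper-cased name in EBCDIC and pad with EBCDIC blanks."""
    raw = text.upper().encode(EBCDIC)
    if len(raw) > width:
        raise ValueError(f"{text!r} longer than {width} bytes")
    return raw.ljust(width, EBCDIC_BLANK)


def build_control_record(rec: ControlRecord) -> bytes:
    return (
        _ebcdic_field(rec.rtype, 8)
        + _ebcdic_field(rec.rhost, 8)
        + ipaddress.IPv4Address(rec.rip).packed
        + _ebcdic_field(rec.ohost, 8)
        + ipaddress.IPv4Address(rec.oip).packed
        + struct.pack("B", rec.reason)
    )


def parse_control_record(data: bytes) -> ControlRecord:
    if len(data) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(data)}")
    rtype, rhost, rip, ohost, oip, reason = struct.unpack("8s8s4s8s4sB", data)
    name = lambda b: b.decode(EBCDIC).rstrip()
    return ControlRecord(name(rtype), name(rhost), str(ipaddress.IPv4Address(rip)),
                         name(ohost), str(ipaddress.IPv4Address(oip)), reason)


def spoofed_open(target_node: str, target_ip: str,
                 claimed_node: str, claimed_ip: str) -> bytes:
    """'Your name is SMOG and my name is WATER': the OPEN an impersonator sends."""
    return build_control_record(
        ControlRecord("OPEN", target_node, target_ip, claimed_node, claimed_ip, 0))


def toy_node_reply(own_name: str, trusted_nodes: set, open_bytes: bytes) -> bytes:
    """Model of the check the talk describes: the receiving node only asks
    'is RHOST me, and is OHOST a node I trust?'. No secret is involved, so
    anyone who knows both names is let in. (Assumption: a real JES2 node
    may also have a node password configured in PARMLIB.)"""
    req = parse_control_record(open_bytes)
    accepted = req.rtype == "OPEN" and req.rhost == own_name.upper() \
        and req.ohost in {n.upper() for n in trusted_nodes}
    reply = ControlRecord("ACK" if accepted else "NAK", req.rhost, req.rip,
                          req.ohost, req.oip, 0 if accepted else NAK_REASON_UNKNOWN_NODE)
    return build_control_record(reply)


def handshake_accepted(reply_bytes: bytes) -> bool:
    return parse_control_record(reply_bytes).rtype == "ACK"


if __name__ == "__main__":
    # Constructed session: WATER is trusted by SMOG, MORDOR is not.
    opener = spoofed_open("SMOG", "10.0.0.2", "WATER", "10.0.0.1")
    print(handshake_accepted(toy_node_reply("SMOG", {"WATER"}, opener)))     # True
    bad = spoofed_open("SMOG", "10.0.0.2", "MORDOR", "10.0.0.1")
    print(handshake_accepted(toy_node_reply("SMOG", {"WATER"}, bad)))        # False
```

The point of the toy node is the absence of any secret in the check: the only thing the impersonator needs is the pair of node names, which is exactly what the talk says. After the ACK a real session continues with the signon record and then the job stream, whose job header carries the submitting user ID that the speaker sets to a privileged user; that part is deliberately not reproduced here.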