Alrighty, well, first I want to say thanks for staying to the last talk of the conference. I know it's the most exciting topic, so that's why everyone's here. It's very exciting to talk about mainframes for me. Before I get started, there's a standard disclaimer. I'm not here in the name of, or on behalf of, my employer. Any views are just mine, not my employer's, just getting that out there. So a little bit about me, I'm not hiring. Just so you know, I'm the only one. This is all a passion project, as badly as I want to be, this isn't me, nor this, nor this. I want to be this so bad. Actually, the last guy was doing this, this is how I feel. Watching the last guy. But basically I'm just a regular old dude who got into security years and years ago, pretending to be this guy. And then I got interested in computers like mainframes, pretending to be this guy. So I'm sort of, you know, just a one-trick pony. Don't really do much else, I just do mainframe security research. That's about it, that's all I do. I work for a large finance institution, specifically doing mainframe security research. I got into mainframe security research because, at my previous employer, we were doing a lot of work on penetration testing and security on the mainframe. We had a consultant come in from, maybe one of the sponsors here, and they didn't know anything about mainframe security and they were hired as a mainframe security expert. And I asked them questions like, hey, how do I find out what IP addresses, like what IP addresses and what ports are open on this mainframe? Oh, you can't do that, that's impossible. You have to open up a binary file and read it. Like that doesn't make sense. Things like that, or how do I find out where the password hashes are stored? Oh, they're stored in a database. Yeah, okay, which one? Well, this database, okay, how do I find it? You can't find it. I'll show you how easy it is to find it later.
So that sort of kicked off a passion for me of like, well, wait a minute, if this expert from a certain organization that I'm not gonna name came and doesn't know anything about security, he's billed as a security guy, and I know a little bit more than he does, maybe I should start talking about this to other people and start telling other people about it. So I started talking. The first talk I gave was at BSides Las Vegas, it's online, it's terrible, don't watch it. Then I gave a talk at ShmooCon, a little bit better. This was my favorite talk, just because of the title, because that's how most people feel when I talk about mainframes, like what the F is that about? Then I, luckily enough, gave a talk at Black Hat, which was a really good experience. And then this past year gave a talk at DEF CON about how you go about taking over a mainframe. And then SHARE, does anybody know what SHARE is? Anybody, yeah, one person, two people? So SHARE is like sort of the equivalent of DEF CON but for mainframe people, okay? Not security though, it's like their big conference, right? And they invited me to give a keynote. And people from two- and three-letter companies that deal in mainframes were not excited about me even talking at the conference, let alone giving a keynote. So that was a wonderful experience. And then just this month, I'm not gonna name where I was. But earlier this month, I was invited out to give another, a similar talk on sort of how I feel the current state of security is. And so I've given all these talks and on top of that, I've also started a project called the Internet Mainframes Project, which goes online and finds mainframes that are connected to the internet. Funny story, I was doing it from my house at first, colossally stupid, but I was doing it from my house and I needed to scan the whole internet. So nmap /0 and away we go. And then like three weeks later, I'm still in like the 12s, like /24, whatever.
And I'm like, why is it taking forever? So then I started doing some research and I find masscan, I'm like masscan, that's what I'm gonna use, that's great. So I run masscan and Comcast cuts off my internet and sends me an email saying I have a virus and so on and so forth. So then I reached out to the people who actually invented the tools, like the guy who runs Shodan and the guy who runs masscan, and they actually did scans from their clusters for me and I found a whole bunch of mainframes on the internet. This is one example, I have a whole website on Tumblr called mainframesproject.tumblr.com full of mainframes but this is one of my favorites. Impossible to read with all the light in here but can you guys read that word up there? Can you guys see that that says EgyptAir? And so on Twitter someone called out EgyptAir and they're like, hey, do you know this guy has your mainframe on his website? And they're like what, what the hell? It's offline now but it was online for months and this is one of my favorites mostly because it tells you, hey our migration completed, congrats guys, but also all of the systems that were migrated including things like let's see the cargo system, ooh the accounting system, let's see is the boarding system on here, I know it is, oh the fuel system, all the fun things that an airline probably needs and not only that but it also tells you all the apps so if you have to type something to go to an application on the screen you just have to type one of these apps up in the top here and it'll take you to one of those applications. Now you may or may not have to log in, I don't know, I'm not going past this screen, but that's the kind of cool stuff I've been finding online. So what's this talk about? This talk is about, let's see, this talk is about a product made by this company, over here, can you guys see that? Used by companies like this company here and this company here, okay?
I've done the research, I was doing it right there, furiously trying to figure out, yes I know 100% that those two companies are using z/OS, they're using Top Secret, I think Desjardins is using Top Secret. It's mostly a talk about, it's almost entirely a talk about z/OS. z/OS is the main platform, I'll get into it a little bit. I'm gonna talk about RACF only, there's multiple security products that you can put on here. I'm just gonna talk about RACF, I don't have access to other tools. Someone from Computer Associates, which makes the other security tools for the platform, thanked me for not doing research on them and I told them it's not that I don't want to, I want to, you just haven't given me the products and they're like, oh, well thanks anyways. So yeah, up until recently, one of the products let you decrypt passwords. Like in a system of memory you could just type decrypt the password and it would decrypt it for them in case someone forgot their password, yeah. Yeah, I think where all your money is, it's all in systems like this. Oh and there's gonna be some ASCII art as well because why not? Now, these systems are generally protected by sort of like the old guard, right? It's all these old mainframers and they're protecting the system as best they can and it's scary because you see things like this. There's a lot of absolutes in the community. I mean all the mailing lists, I'm on a lot of forums and you see a lot of absolutes, things like this. Now you guys can't read that in the back, so I'll just cut it out. So this is a question about like, mainframes that are on the internet, not knowing that I run this project, and he says also all the DoD mainframes are behind firewalls and VPNs and that's why they're safe, right? All of the DoD mainframes are behind a firewall and a VPN, ergo they are safe, who cares what their settings are. So then I sent him this screenshot.
Impossible to read, I realized, because it's green text on a black background, but what's interesting is I didn't even know what it was, I just get an IP address when I do my scans. I don't, because I don't bother, it's too slow to bother with the domain name until later. And then I did a lookup on the domain name and sure enough, now ha ha, I was doing this over Tor, thank God, so, although I am talking about this on camera, so, but these are the kind of systems, so I sent this to this person. That's one example of, so this is another one. IBM recently changed the way they do the password hashing algorithm and I'll talk about that later. They changed it, they released it this year and we just saw, you've seen a lot of talks, crypto is kind of easy to do when you understand it but really easy to screw up if you don't do everything correctly. That's why you publish whatever you're doing in crypto, whatever you're doing in hashing, you publish it to have all the experts look at it so they can find all the problems and fix it. Well, IBM doesn't do that, of course, so they released a new algorithm. Now it sounds pretty good, what they've told me sounds really good, like they SHA-256 it like 10,000 times or something. But questions on the mailing list for security about it were like, hey, can we see the algorithm? And people were like, why would you wanna see the algorithm? And the person said, as long as IBM is not going to open up the exact spec of this secure algorithm, we are not going to trust that, are we? And the answer he got back on the mailing list, and this is not just one, he got multiple of these, yes we are, yes we are going to just trust it. Who here trusts Microsoft to write an algorithm without any review and just take it? How about Oracle? Would you guys trust Oracle if Oracle just came up and was like, hey, we wrote this awesome ass algorithm. Trust us, it's really good.
Do you think people who do DB work would say, no, but just trust them guys, it's really good? I don't even think they would do that, but for some reason, in the mainframe community, they're just like, no, it's good guys, don't worry about it. Software vendors know what they're doing. This is another post, so the other problem you deal with in this community is absolute misunderstandings of security products. So this person, don't read the whole thing, it's not really worth it, this is at the very bottom. They're talking about offline password cracking. Okay? And he says, it doesn't matter if you can do offline password cracking because you can't compile the tool on the mainframe. Like yeah, but that's not where you would do it, that's the opposite of offline. So the worst is, this is just the community. This is IBM. IBM has a policy to not release any security details for any security patches. Okay, I know, I realize, everyone can see that in the back, right? Yeah, so basically there's an important passage here that reads, let's see if I can even read it. There are pros and cons to each approach. They're talking about releasing CVSS scores and CVEs and actual details about a patch that's a security related patch. We believe that public release of this data was not in the best interest of the System z community. Right, yeah, what's funny is, I actually confronted IBM about this because I was there and I was talking to them about it and I told them, I was just thinking, why doesn't it say the enterprise community? Why does it say System z community? Because that to me means they went to talk to a bunch of mainframe experts and mainframe users, the people who work in operations, and asked them and said, hey, would you be okay with us releasing patch details and stuff? And they said, well, that's gonna make my job harder, so no, I don't want you to do that. So, this is how I feel that this is sort of going. Right?
Now, for the people at these two companies, if you work for one of them, or you're here offering jobs, if you work for one of those companies, IBM does publish a little bit of detail about patches that are security related. You have to sign up for the IBM security portal and I implore you to do so until they start releasing public releases, which they never will. I had a three hour discussion. If you want to have information about the patches, you have to sign up for the security portal. The security portal takes at least executive management sign off. You may have to go through your mainframe department. If you work for a pen testing team and don't have a mainframe, you're not getting access to the portal. The only way to get access to the portal is if you're a licensed z/OS user, and they only give you the name of the patch, not even the name, a number of the patch, and then a CVSS score. That's all they give you. If you see a score higher than 7.2, you run to your system programmers or your administrators on the mainframe and you install that patch. You do it, no question. That's the only way you can score these things. They don't give you enough details to be able to actually risk score the issues. So that's a nice little brief overview of the current state and how it works and how magical it is. So now I'm gonna talk a little bit about the actual platform, how it works, what it looks like. How many people here have actually been exposed to and worked on a mainframe? Nice, okay. So this will be, you guys won't see anything new. So z/OS, like I mentioned, is IBM's flagship operating system. It's actually, I think, the only one they still sort of make and create for. They have other products, but it's the only operating system they still own. It's not legacy. If someone at your company, an engineer, perhaps, has told you, oh, we don't need to worry about good password settings on this because it's a legacy system, that's bullshit, pardon my French.
It is completely state-of-the-art. A new version is released almost every other year now. The most recent release came out this year. It's modern, it's new, it is not legacy, it's using agile development to release new sources, new code, it's a modern operating system. Just because you guys don't know about it doesn't make it legacy. Just because it's been around for a long time, does it, I mean, Windows NT, that's legacy, right? This is not. So this is what it looks like. You guys can see that, right? Red text on a black screen, that's fantastic. Let me see if I'll show you a demo here. So here I'm gonna launch a TN3270 emulator and connect to the mainframe. Let's see. So here it's doing the handshake, where it's just using Telnet, right? And now I'm trying to connect to the system. I'm gonna log in as IBMUSER, which is the default user account. This is a test system that we have. And I'm gonna log in as IBMUSER to the system. This is the TSO logon panel and we'll talk about what's awesome about this panel later. Here I'm logging in just as the default user and now it's gonna launch me into TSO. TSO is sort of the standard way people interact with the operating system. It's gonna drop me straight into a program called ISPF. ISPF is what everyone uses to do actual work. It has a file browser, which I'm taking you to now. You can see I'm gonna search for files that start with SYS1. I'm gonna look for all the files on the file system that start with SYS1. Specifically I'm looking for a file called SYS1.IPLPARM. So I'm gonna see if I can find that file. So I type find IPL, okay that didn't really work too well, so let me exit out of this. I'm gonna type, I'm gonna put IPL* instead now. And now I'm searching for the file there. I found it. Now this is not technically a file, it's actually a folder. Because when I go into it, it's all full of files. So that's what file browsing is and that's sort of what it looks like.
This is how hundreds of system programmers, thousands of them, interact with the mainframe daily. You can turn syntax highlighting on, it's got a really nice editor. It's no more difficult to learn than Vim or Emacs or whatever, right? I mean it's just command line based. You can also issue things like ping. I'm gonna go to the red screen that you guys can barely see and show you what ping looks like, let's see. So I'm gonna exit out of this. It's all through commands, you have to touch the keyboard every time you're doing this. And then I'm gonna ping Google from here and then I'm going to show the IP address. NETSTAT HOME is the equivalent of ipconfig. So I type NETSTAT HOME and it shows me the IP address configuration and then I'm gonna list the catalog. Listing the catalog is sort of like saying, oh, what directories can I see and that kind of thing. And then I'm gonna list the data set. Listing a data set just shows me some information about a data set. Well, let me also show that later. So you saw it, it's just a regular computer, right? It has files and folders, just like every other computer that exists today. Except, not really, because that would be way too easy. Keep in mind they invented these things when the terms file and folder weren't concepts that existed. So of course they didn't have the word files, they came up with the term data sets. And if you go to a mainframer and you say, show me the configuration files, they will say configuration files don't exist on this platform. And you'll say, okay, done and done. And then you go read a bit and you come back and say, give me the PARMLIB data sets. Well, why didn't you say that the first time? Speaking from personal experience. So files are made up of a high level qualifier, so that was the SYS1 you saw earlier. This is an example of a data set. So you have a high level qualifier here and then the other qualifiers, they have names but it doesn't really matter. That's what a file looks like.
You also have what's known as a partitioned data set, AKA a folder. And a partitioned data set is made up of the high level qualifier again. The other qualifiers, it doesn't matter what they are. And then a member of a partitioned data set. Now what's interesting, when it comes to security on the platform, for a partitioned data set, you can only secure up to this point. You cannot secure the members individually. So when you're doing mainframe security, if someone has access to, like, configuration files that are in one partitioned data set, they have access to all the files in that partitioned data set. There's just no way for some reason to actually further lock down files within a folder. Now you guys saw the interface, it's TN3270. TN3270 was an extension on top of Telnet, so they took Telnet. So basically what they had is they had hard terminals, like hard-coded terminals with a line running through a building over SNA. And then they were like, well everyone's using TCP/IP. Maybe if we made an emulator, what are we gonna put it on? So of course they put it on Telnet. What else? It's clear text. It's a clear text protocol. Technically, it's EBCDIC, but that doesn't matter because EBCDIC's really easy to translate. SSL has been around for the platform since the 90s and of all the internet mainframes I have found, less than 50% are using SSL today. The EgyptAir one, not using SSL. I'll show you guys another one with a tool I made. They're also not using SSL. So, super easy. This is what it looks like in Wireshark. There's a little button you click, EBCDIC, and it just shows you all the clear text. This is my username, and that's my password. Super easy. I mean there's a lot of data there and it looks like it's challenging, but once you know how to look at it, it's really easy to tell what's going on. So you saw TSO. TSO's a time, it's called time sharing option.
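As an added example, not code from the talk, here is a small decoder for the kind of inbound TN3270 record the speaker shows in Wireshark: it strips the Telnet framing and reads the AID key, cursor address and EBCDIC field contents, which is all a passive observer on an un-TLS'd port 23 session needs. The 24x80 screen geometry, the field positions and the password value are assumptions, and the record is constructed here rather than captured.

```python
"""3270 inbound data stream decoder (added example; constructed sample, not a capture)."""
import codecs

IAC, EOR, SBA = 0xFF, 0xEF, 0x11
SCREEN_COLS = 80                      # assumes a 3278 model 2 (24x80) screen
AID_NAMES = {0x7D: "ENTER", 0x6D: "CLEAR", 0xF1: "PF1", 0xF3: "PF3"}

# 3270 12-bit buffer-address encoding: the value lives in the low 6 bits of each
# byte; the high bits only keep the byte a printable graphic.
ADDR_TABLE = bytes([0x40, *range(0xC1, 0xCA), *range(0x4A, 0x50), 0x50,
                    *range(0xD1, 0xDA), *range(0x5A, 0x60), 0x60, 0x61,
                    *range(0xE2, 0xEA), *range(0x6A, 0x70), *range(0xF0, 0xFA),
                    *range(0x7A, 0x80)])
assert len(ADDR_TABLE) == 64


def encode_address(row, col):
    """Row/column to the two-byte 12-bit buffer address used by SBA orders."""
    addr = row * SCREEN_COLS + col
    return bytes([ADDR_TABLE[(addr >> 6) & 0x3F], ADDR_TABLE[addr & 0x3F]])


def decode_address(b1, b2):
    """Two address bytes to (row, col); handles both the 12-bit and 14-bit forms."""
    if b1 & 0xC0 == 0:                # high two bits zero: 14-bit form
        addr = (b1 << 8) | b2
    else:                             # 12-bit form: low 6 bits of each byte
        addr = ((b1 & 0x3F) << 6) | (b2 & 0x3F)
    return divmod(addr, SCREEN_COLS)


def unframe(raw):
    """Strip TN3270 transport framing: IAC IAC is a literal 0xFF, IAC EOR ends the record."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] != IAC:
            out.append(raw[i])
            i += 1
            continue
        nxt = raw[i + 1] if i + 1 < len(raw) else None
        if nxt == IAC:
            out.append(IAC)
            i += 2
        elif nxt == EOR:
            return bytes(out)
        else:
            raise ValueError("unexpected Telnet command inside 3270 record")
    raise ValueError("record not terminated by IAC EOR")


def parse_inbound(raw):
    """Decode a terminal-to-host record: AID, cursor, and each SBA-addressed field as text."""
    data = unframe(raw)
    if len(data) < 3:
        raise ValueError("record too short for AID and cursor address")
    aid, cursor = data[0], decode_address(data[1], data[2])
    fields = []
    i = 3
    while i < len(data):
        if data[i] != SBA or i + 2 >= len(data):
            raise ValueError("expected SBA order at offset %d" % i)
        pos = decode_address(data[i + 1], data[i + 2])
        i += 3
        start = i
        while i < len(data) and data[i] != SBA:
            i += 1
        # Field contents are plain EBCDIC; cp037 is the US EBCDIC code page.
        fields.append((pos, codecs.decode(data[start:i], "cp037")))
    return {"aid": AID_NAMES.get(aid, "0x%02X" % aid), "cursor": cursor, "fields": fields}


def build_sample_logon():
    """Constructed record: ENTER pressed on a TSO logon panel with two modified fields.
    IBMUSER is the default account named in the talk; PLACEHLD is a placeholder password."""
    rec = bytes([0x7D]) + encode_address(11, 29)
    rec += bytes([SBA]) + encode_address(5, 21) + codecs.encode("IBMUSER", "cp037")
    rec += bytes([SBA]) + encode_address(11, 21) + codecs.encode("PLACEHLD", "cp037")
    return rec.replace(bytes([IAC]), bytes([IAC, IAC])) + bytes([IAC, EOR])


if __name__ == "__main__":
    for pos, text in parse_inbound(build_sample_logon())["fields"]:
        print("field at row %d col %d: %r" % (pos[0], pos[1], text))
```

The mitigation the talk names is server-side: serve TN3270 over TLS, so the record above is only readable by the two endpoints.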
It was sort of the first multi-user operating system that existed. It's used by everyone. If you have a mainframe, you're using it unless you're using z/VM or whatever, just z/OS. It looks like a Commodore 64, right? It just says READY, and then you type your commands. It allows for simple manipulation, but it's nowhere near as complex or as valuable as a shell prompt, unlike Unix. Mostly because the concept of piping and all that stuff didn't exist. So you can't really do much. There's an editor from the command line, and you can type edit whatever. It's a line editor, so you say show me line 21. Okay, this is line 21. And then you type change line 21. And then you type what you want to put in line 21 and it replaces line 21 with what you just typed. You can't show all the lines unless you type like show me line one, show me line two. That's why there's a good editor. So you can do commands like this, list catalog, show me the data sets. Here's me listing the members of a data set. You can also write scripts and execute them. You can ping, I mean it's just commands. Once you learn the nomenclature of the commands, you can figure out how to do it. It's just like the first time you learn Linux. But speaking of Unix, this is the part that usually blows people's minds, the system comes with Unix. Regular old Unix. This is what it looks like. I was stupid, I didn't have anything in my home folder when I did this, so that was a waste of a command. But it's just a regular old Unix prompt. Some of the commands don't work the same, but it's just regular, like ps, whatever, it's just regular Unix. All mainframes are running Unix. It's not a VM, it's part of the operating system. It takes a little bit of getting used to, but it's running in the operating system. So you just type a command and then all of a sudden you're interacting with the POSIX environment instead of the TSO environment. It powers TCP/IP.
Therefore, every mainframe has it, because every single mainframe is on TCP/IP. Guaranteed. Even like weird ass ones in weird countries, they like airgapped it, it still has this running for something. All the web servers, FTP servers, SSL, it's all coming from here. And what's interesting, there's a service, now we didn't talk about jobs yet and we'll talk about JCL in a bit, but everything sort of happens on the mainframe through jobs. Like you write a script and then you submit it and then the mainframe goes and it runs that script for you and it does timekeeping and all that stuff. And then it comes back with the results of the script. The idea was sometimes it would take forever to run a command, so you type multiple commands in a row in a script, you submit it and walk away and come back the next day. If you had, say, multiple mainframes spread across the country, right? Like say you had one in Toronto, one in Montreal, one in Halifax, and you need to get the fisheries report into the government mainframe in Toronto to then send that report to Ottawa, you use a function called network job entry. Network job entry is trusted nodes in a network. They are trusted because in each one you have a configuration file that declares this machine is a trusted node. If they connect, they are a trusted node, okay? All the settings have to be identical across the board and there are passwords and stuff you can put in so that if they connect they have to do like a challenge response, but those passwords are usually like eight characters long and it's very, very, very important to lock this down. This is what the NJE configuration file looks like. Here you can see I'm declaring nodes, so I'm New York and the other node is Washington DC and Washington DC has an IP address of 1010-02110. That's what, that's how you just, that's it, that's all you need. Now you can put in other stuff like passwords and whatnot, but that's the bare bones that you need.
That's network job entry. Then you have the concept, and I know I'm going through this real quick because there's so many things to go through and then we'll talk about breaking some of it down, of APF authorized libraries. So we talked about files and folders and that kind of thing. When you have APF authorized libraries, you have a concept very similar to setuid, except instead of permissions, APF authorized libraries allow you to edit and touch whatever ring you want in memory. So basically you can set yourself up to access ring zero, the equivalent of ring zero, it's called key state zero actually, but basically if you can access key state zero, you can change your personal, so when you log into the mainframe, you have like a little access token that declares your groups and your flags and all that stuff on your account. If you can access key state zero, you can just change those flags to whatever you want and then access whatever you want on the mainframe. In fact there's a setting, one of the flags is stop logging what I'm doing, and you can turn that on and then just do whatever you want on the mainframe. That's if you're able to get to key state zero. So that's why APF authorized libraries are so important to be secured. If you're an auditor and you're looking at these things, that's why they say to look at those things. No one really explains that very well, but that's why you're looking. Now, the way to secure it all down is through RACF. RACF, also known as Resource Access Control Facility, controls all the security. And I say almost here because there's certain things that you can bypass, like SSH keys don't rely on RACF. If you set up SSH and put in SSH keys, it's gonna bypass RACF, which is fun when you disable an account but you still have access because they didn't delete your SSH keys. It contains the password hashes in the same database as all the security settings and all the user IDs.
Every file, every folder, every access, even access to ports, everything is controlled through RACF, which is great because it's super easy to find. All you have to do is type one command. You type RVARY and it gives you the location of both the primary and backup RACF database. Sort of cut off here because I want to get it as big as possible but I know it's hard to read. But basically that's the name of the dataset there. It's just SYS1.RACF something. It's super easy to get and if you have access to it, you can just download it and then you can do all kinds of fun stuff with it like crack the hashes, and I'll show you how to do that. Now also we have JCL. Like I already talked about it, it's made up of a thing called a program and then the parameters to pass to the program. So here we have an example of JCL. You have a job card, right? This is sort of like the shebang at the beginning of a bash script. Much longer of course, but everything has to be almost pixel perfect. Like you can't have anything in column seven. If you're like this, this would be column eight here. If any of this text goes over here, your job fails. And then I'll tell you why. They just say your header's wrong. And you're like well what? Everything's right in here and then you're like oh shit it was this stupid fucker. So next you have what's called the program or PGM. And this program is BPXBATCH. BPXBATCH is a program that once you submit the job it'll execute whatever you put in the parameters inside Unix. So why is it called BPXBATCH? They name their things in same names. So this one for example is running, I'm sure you guys can read that. It's running Netcat which I've uploaded to my user folder. Opening up a listener and executing a shell through JCL. And this will come into play later. That's why I'm making sure you guys understand it. REXX, REXX is a scripting language that's built into the operating system. It runs on both the Unix and TSO side of the fence. It's phenomenal.
It's as good as Python or Ruby. Which means it's okay. But it's a good scripting language for the platform. It's serviceable. I wrote a Metasploit interpreter in REXX for fun. And then I lost it. Because I had a hard drive crash. And I said, well, I'm not doing that ever again because that was such a colossal pain. So that's sort of a good technical overview of the mainframe. Any questions? You guys got it, right? You guys, now you're all mainframe experts, you're gonna go back to Morgan Stanley and say, we're gonna do this today. I know what I'm doing, right? No? No? Okay. I know it's a lot. A lot of my talks are online. A lot of blog posts. It just takes time to learn it. That's all it is. Okay, so we're done. We've learned all there is to learn about the mainframe now. We're gonna go and hack this mother, okay? We're gonna go after this thing. So, first we're gonna start with the easiest thing. We're gonna steal some credentials. There's two really easy ways to do it now. Ettercap and John the Ripper. So, a couple, well, a year ago, I created a Python script to do this and Dhiru Kholia added it to Ettercap. You just do ARP poisoning and it'll steal credentials. So here you'll see it steal the FTP credentials for the mainframe, which is fine. It should do that. That just works out of the box. And then you can see me logging in to TSO with the username and password. So that ugly piece of garbage that you saw in Wireshark, you don't have to worry about it. You can just run this and it'll steal the credentials for you. In case you missed it, here it is in the nice little GUI that Ettercap has. John the Ripper, you guys remember hearing me mention it was DES? Did I mention that? Yeah, it's DES, single DES. It takes your user ID as the salt and encrypts it with DES using your password as the key. Okay, so far so good. So it's a hash, technically. Anybody know what the key limitation of using single DES for the password would be? It's 64 bits.
Technically, you're right, they drop one bit off of it for every, I can't remember, but basically you're limited to eight characters. You cannot have more than eight character passwords, period. Hard-coded into the operating system, cannot do it. Now, back when they invented this, that was fine, but that's why they came up with a new algorithm, but it didn't really fix the length issue. So, really easy to crack with John the Ripper. There's a program that, so Dhiru Kholia and Nigel Pentland and I worked together to get this going. There's a program in John the Ripper now called racf2john, and you run it and it dumps all the hashes, like I piped it to a file, but basically it dumps all the hashes to a simple file, and then you run John the Ripper on it and it gives you all the users and passwords. It's really easy. Of course these ones are stupid easy, right? But there was a breach in Sweden, which I'm gonna talk about a little bit later, where they had 100,000 plus accounts, and he had literally cracked almost all of them. He had one file that they found in the investigation that had 105,000 cracked accounts. One file, he had other files that were like 24,000. The investigators repeated what he did with John the Ripper, and in two days had cracked 35,000 accounts. Yeah, so it works, it works well, it's great. So you saw me log in to TSO earlier. Anybody wanna tell me what's wrong with this logon panel, other than it being zoomed in a little? Yeah, exactly. It tells me whether or not the username exists. So with a simple script, I told you there'd be ASCII art, with a simple script that I wrote, it's Python, you can find out if a username exists or not. Now what's really interesting, I didn't show it here, is if the user's logged in, the TSO panel will tell you, do you want to reconnect your account? Cause it assumes you lost your connection, you wanna reconnect and start off.
So this will actually tell you, not only will it tell you is the username valid, but it'll also tell you that user's currently logged in. So you can start to profile accounts. Now, mind you, when you run it, it doesn't look like this. You have to add the special flag to show ASCII art and stuff, because otherwise it looks ugly when you're just doing a pen test. But for the sake of slides, it's nice. I also wrote another tool that just, I was like, well, I'm already done a user enumerator, might as well just do a password brute-forcer. And this just goes through one user account and tries to brute-force the single account. Now mind you, you'll get kicked off if they have turned on account threshold lockouts, but some places don't. I'm not gonna name them, they're not one of the sponsors, but there was a company on the RACF mailing list that posted the entire security configuration, cause they were having problems with their security for a production mainframe. And in that configuration file, it contained things like no lockout threshold, so you could just keep trying accounts until you got the password, and it didn't have case sensitivity turned on. Case sensitivity is turned off by default. So if you don't turn it on, it just changes everything to uppercase when you log in. So, yeah. Got scared now? All your money's sitting on a mainframe somewhere, just know that. All your paychecks rely on a mainframe somewhere. Now, I talked about FTP briefly. FTP, it's an interesting vector. Mostly FTP is great because, and I say FTP, some places have implemented FTPS. A lot of places have, a lot of places haven't. I don't know, I do know why, because they have batch processes that they can't change or they lost the source code for. So FTP is great cause it allows you to do wildcard searches that you can't do through the regular panel. So if you wanna find, say, all social insurance numbers, you would just type like *SIN* and see if there's any datasets that have that in it.
Or if you wanted to search for RACF or taxes, or that kind of stuff, you can use FTP to do those searches where you couldn't, just can't do, without writing a very specific program in Rexx to kinda do that; FTP just does it for you. What's also interesting about FTP on the platform, it allows you to execute JCL through FTP. I see someone in the front hanging their head in shame. Yeah, when I found this I was like, I was in the shower actually. Don't picture it. And I was thinking, I was like, wait, you can submit JCL through, what? What the, and my wife came and she was like, what are you yelling about? I'm like, oh, I got this great idea. So, I wrote a script that takes the JCL that you saw earlier, right, with Netcat. And if all you have is access to the FTP server, which a lot of places have exposed their FTP server to the internet and to their clients because they're doing file transactions and stuff, you can upload a piece of JCL and it'll execute it and give you a shell prompt. So that's what this code does. You just type MainTP and it connects. You have to give it a username and password and then it connects to FTP, changes, there's a command called SITE FILETYPE=JES that switches into JCL mode, and then you upload your JCL and it executes it for you. It even tells you the job ID and stuff like that. And then, this will actually do reverse shell or bind shell, whichever one you want to do. You want it to phone home, you want to connect to it, either or. It's just a regular user shell, but it creates the JCL for you and you can read that; there's actually a mode where you can just dump the JCL if you want to see how it works.

I mentioned it briefly, but in 2011, 2012 there was a breach of a couple of mainframes in Sweden and Denmark. And part of the breach involved now the, do you guys know Pirate Bay? Yeah, you guys know Pirate Bay, come on. Do you guys know who Anakata is?
Yeah, have you guys seen Away From Keyboard? He's one of the three guys that sort of founded Pirate Bay. In Cambodia, he allegedly broke into Swedish government mainframes and stole, amongst other things, the source code for their tax processing software, like what processes your tax returns. He stole the source code for that. He stole the witness protection database. Yeah. Now mind you, I'm summarizing. He actually stole a whole bunch of different data sets that when you put them together would give you enough information to find out witness protection, because there were keys linking all these different data sets. And he also stole their equivalent of the SIN card database, going back to the 60s. So it's kind of a big deal. He put in a lot of back doors, but he also discovered a couple of zero-day attacks against the platform. Some super technical, one not technical at all, he just put a semicolon in a URL and that worked. So yeah, when I found this out, I was blown away.

What's interesting about the case though is I was actually under investigation for the breach for a bit, because when you're the only person who publicly talks about mainframe hacking, you're stupid enough to go break into a mainframe somewhere, right? So I actually met the guys who did the investigation and they bought me a couple of beers to apologize, but they were like, look, we didn't know who you were. You were anonymous. I hadn't done any talks at the time. And you were talking about things that this guy was doing. So of course it's you. And then, yeah. So, fun times. But anyways, so part of the breach, he also broke into a bank in Denmark called Nordea and using the exploits he learned on the Swedish government mainframe, he broke in, stole, was able to break into their banking application and transferred 5,000 euros to a bank account in Sweden, which then he transferred to Cambodia.
The next day, okay, allegedly, because I've gotten in trouble for not saying that, allegedly, he then transferred 800,000 euros and got stopped because the bank was like, what? Who's transferring that much money? And that's what caught them. It wasn't like some super secret awesome SIEM product that they were running, which they were. Of course it doesn't catch this. So the only two CVEs that came out of this, because it was such a big deal, the banks actually forced a certain three-named entity to actually publish the CVEs because they were that concerned about the security for the platform. So the first one is a local privilege escalation. Basically, if you have a Rexx script running in Unix that has setuid and you use the Rexx command spawn, it'll spawn whatever commands you put after that, the first spawn script, with the same permissions as the first one. So here's the script he wrote. It was called cuckoo.rx. Oh, also I'm proving I'm on z/OS because people have gotten upset with me for not doing that. They're like, oh, you're just showing a demo in Unix. So here there's a file I can't access called arf.txt. I'm gonna run his exploit, gonna get me root, and now I'm UID zero and I can access the file.

So how did he do that? He figured it out, he went through and he did it. Now how did I figure out how he did it? In the breach investigation paperwork, which they publicized and put out, and it's on WikiLeaks today, there's code snippets, and in one file that's in English is the first half of the program, but it's broken, it's really broken, and you have to know what you're doing in Rexx to figure it out. So the first half of the code is in one investigation file and then the Swedish file, the bottom half of the code is in the Swedish file. And so when I was talking to the investigator, he was like, how'd you figure that out? And I'm like, well, you put half of it in one place and then half in the other place. He's like, oh, damn. So, and all of that is actually on GitHub.
If you just look for mainframed on GitHub, one of the repositories is Logica, and all the code that was in the investigation paperwork is in GitHub. So I took that and sort of weaponized it and it works against, so his only worked against a very specific Rexx script, and I took it and made it work for any Rexx script. So if there's any Rexx script that's setuid 0 on the mainframe, you can run this. Now I also put the MainTP JCL wrapper around it and then made it execute a C program that creates a shell. So now you just get a root shell with MainTP. So all you need is FTP access. You still need to use your password, yes, but once you get those, and everyone saw the CTF talk yesterday and everyone has a password of password1, once you've figured that out, you're able to get a shell just from an exposed FTP port, okay?

Now, this one was amazing because it took me so long to figure out because they made it sound way more technical than it was in all the paperwork. Even in the CVE, they make it sound really technical. Basically, if you use a CGI-bin parser, you pass a semicolon to it, and if you pass a semicolon to it, it will execute whatever you put after the semicolon. So he wrote a script called UTCam, which, let's see if this is gonna play. Okay, again, I'm on z/OS. Oh wait, is this? Oh, okay, never mind. So basically, he wrote a script, it's actually not that great of a script, but basically what it does is you type a command, it runs that command and gives you the results back on the screen.

Now you saw me talk about NJE earlier, network job entry. This is not part of the breach, this is something that I've been doing in my spare time. You remember this setting, right? This node, node name New York, node name Washington DC, node two IP address is 1010, zero, two, 10. That doesn't mean that if Washington DC connects, it has to have that IP address.
That's just saying when I need to connect to you, trusted host, I'm going to use that IP address, but you can connect to me from any IP address you want. Yeah. So I wrote a Python script that sort of emulates the NJE environment because all this stuff is published online in all their docs. And so long as I know the node name, I can kick the other node off and reconnect with the Python script and there's things you can do as that node. Now I did it in Nmap and the challenge is you have to figure out the node name. So what I did was I wrote an Nmap script that also does node name brute forcing because if you send a connect, it doesn't actually tell you that the node name is bad but there's one byte on the end that changes from zero one to zero four when you have the right name. It still gives you an error because you're not sending anything else but it's just enough information for me to brute force it. So here you can see I also wrote a script to identify NJE ports because nothing on the mainframe exists in Nmap. There's nothing. So here you can see, okay, identified an NJE port. Now it runs NJE brute and figures out the node name here. So from that, I can actually issue a disconnect command from Python and say, hey, I'm node whatever, disconnect me. It'll disconnect and I can reconnect with this.

You guys saw TN3270 earlier. The interesting thing about TN3270 is you saw a lot of black area on those screens, right? Behind every single byte in that screen, it's a buffer of 1920 characters. Every single one of those bytes has a field attribute and those field attributes include a lot of things but most importantly are these three really: locked, invisible and input area. Locked means you can't change it. Invisible means you can't see it and input area means it's an area where you can input stuff. At DerbyCon last year, Dominic White gave a great talk and released a tool called Big Iron Recon and Pwnage.
Big Iron Recon and Pwnage allows you to ignore those flags and change whatever you want, and what he found was there was an IBM tool called NetView that had, it was using like a session ID in the top left that was hidden and locked, and once he turned off the hidden lock feature, he changed it from saying user one to admin one, refreshed, and now he was an admin. In the application, okay, but he was still technically his user account, like the guest user account, so it hid the fields, so like you can't run any commands because they're hidden, except he could see them, and so he just went to them and typed number three beside the number three and it would launch admin user, because it wasn't hidden to him, because they were relying on the client for security, which we know you don't rely on the client for security, right? But they do and they have for years.

So I've been working, I don't know if you saw me yesterday, I was working fiercely on getting this working, but I wrote for Nmap, in Lua of all things, I've written a TN3270 emulator, and the TN3270 emulator can be used to scan for mainframes now, identify TN3270 sessions and print out the login screen, and what I've circled here in yellow is what's hidden from the user, it's not supposed to be displayed to the user. This is an actual system that exists on the internet today. Now this is not a big deal, this kind of stuff, but this is just an example of what you can do once you understand and know the protocol, and I'm hopefully gonna be releasing this library soon when it's done; it works but I need to add more functionality to actually do stuff with it. So that's sort of an idea of the kind of stuff you can do. I also have a friend, he's doing exploit development on the platform, he's learning assembly and he's writing shellcode, he's actually gotten some working recently. So there's stuff going on. What's exciting to me about the platform is no one else is doing research in this space, so it's all virgin territory.
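The point of the last two passages, that the 3270 field attributes (protected, non-display, input) live in the data stream and are enforced only by the terminal, is easiest to see by decoding a screen yourself. The following is an added example written for this page in Python, not the speaker's Nmap/Lua library or BIRP: it parses the orders of an outbound 3270 write (SBA, SF, IC and EBCDIC text), decodes each field attribute byte from its documented bit layout, and reports fields that carry data while being marked non-display, which is exactly the screen-design mistake the NetView example illustrates. The sample screen bytes, the field positions and the `APPTOKEN=` value are constructed for the example; the attribute bit positions and the two buffer-address encodings are the standard ones.

```python
# Added example (not from the talk): decode 3270 field attributes from an
# outbound write data stream and flag fields whose only protection is the
# terminal's "non-display" flag. The screen bytes below are constructed.

SBA, SF, IC = 0x11, 0x1D, 0x13   # Set Buffer Address, Start Field, Insert Cursor
COLS = 80                        # 24x80 screen: the 1920-byte buffer from the talk


def decode_address(b0, b1):
    """Buffer address from a two-byte SBA operand (12-bit or 14-bit form)."""
    if b0 & 0xC0 == 0:                       # 14-bit form: top two bits 00
        return ((b0 & 0x3F) << 8) | b1
    return ((b0 & 0x3F) << 6) | (b1 & 0x3F)  # 12-bit form: six address bits per byte


def decode_attribute(attr):
    """Field attribute byte: 0x20 protected, 0x10 numeric, 0x0C display, 0x01 MDT."""
    display = (attr >> 2) & 0x03             # 0/1 normal, 2 intensified, 3 non-display
    return {
        "protected": bool(attr & 0x20),      # "locked" in the talk's terms
        "numeric": bool(attr & 0x10),
        "hidden": display == 3,              # "invisible"
        "intensified": display == 2,
        "mdt": bool(attr & 0x01),            # modified data tag
    }


def parse_fields(stream):
    """Walk a write stream (command, WCC, orders, EBCDIC text) and return its fields."""
    pos, cursor, fields, current = 2, 0, [], None   # skip the command byte and WCC
    while pos < len(stream):
        b = stream[pos]
        if b == SBA:
            cursor = decode_address(stream[pos + 1], stream[pos + 2])
            pos += 3
        elif b == SF:
            current = {"row": cursor // COLS, "col": cursor % COLS, "text": b""}
            current.update(decode_attribute(stream[pos + 1]))
            fields.append(current)
            cursor += 1          # the attribute byte itself occupies a screen position
            pos += 2
        elif b == IC:
            pos += 1
        else:                    # data byte: belongs to the field opened by the last SF
            if current is not None:
                current["text"] += bytes([b])
            cursor += 1
            pos += 1
    for f in fields:
        f["text"] = f["text"].decode("cp037")   # EBCDIC to str
    return fields


def audit_hidden_fields(fields):
    """Fields that carry data yet are non-display: hidden by the client, not the host."""
    return [f for f in fields if f["hidden"] and f["text"].strip()]


# --- constructed sample screen (14-bit addresses for readability) ----------
def sba(row, col):
    addr = row * COLS + col
    return bytes([SBA, (addr >> 8) & 0x3F, addr & 0xFF])


def sf(attr):
    return bytes([SF, attr])


def eb(text):
    return text.encode("cp037")


SAMPLE_SCREEN = (
    bytes([0xF5, 0xC3])                                   # Erase/Write + WCC (constructed)
    + sba(0, 0) + sf(0x6C) + eb("APPTOKEN=A1B2C3")        # protected + non-display state
    + sba(5, 10) + sf(0x60) + eb("USERID   ===>")         # protected label
    + sba(5, 25) + sf(0x40)                               # unprotected input field
    + sba(6, 10) + sf(0x60) + eb("PASSWORD ===>")
    + sba(6, 25) + sf(0x4C)                               # unprotected + non-display: fine for a password
    + sba(8, 10) + sf(0x60) + eb("ENTER USERID AND PASSWORD")
)

if __name__ == "__main__":
    fields = parse_fields(SAMPLE_SCREEN)
    for f in fields:
        flags = [k for k in ("protected", "hidden", "intensified") if f[k]]
        print(f"row {f['row']:2} col {f['col']:2} {','.join(flags) or 'input':<18} {f['text']!r}")
    for f in audit_hidden_fields(fields):
        print("data hidden only by the client:", f["text"])
```

Run against the constructed screen, the audit reports only the `APPTOKEN=` field: the password field is also non-display but carries no data, which is the legitimate use of the flag. The defensive reading is that anything the host writes into the buffer is in the client's hands, so application state and authorization decisions belong on the host side, never in a field the screen merely declines to paint.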
Nothing's been done, there's nothing for me to leverage. I'm just taking like, well, this worked in Windows, what if this works on the mainframe? Oh, it totally did, okay, cool. This worked, oh, that didn't work, why didn't it work, that kind of thing.

So what can you guys do to protect against these kinds of attacks? There's nothing you can do. If you work for one of these two companies, please start doing pentests. Chances are you're not allowed to do pentests; you're not allowed to do them because the system programmers are worried about their precious uptime. You guys know the CIA model, confidentiality, integrity and availability. On mainframes availability is a giant A and C and I are like a tiny microscopic piece. They're more concerned with availability than they are with any other facet of the platform because they get killed on availability. Oh, your checks didn't process today because someone did a pentest; it's not really acceptable, right? But you have to start doing it. If IBM claims it's super secure, it's the most secure platform in the world, if it's so secure, doing a simple pentest should not take it off the planet. It should stay online, it should stay up, and we've done testing and it does and it's fine. There's no reason you cannot be doing pentests in that environment. If you find something that gets taken down by a simple port scan, fix it, because what you don't want is a piece of malware taking your main banking or financial application offline, right? So you need to start doing pentests. I'm working on PTAZ for the platform, which I'm gonna release, which will walk through steps you need to take, tools you can use and all that kind of stuff. But the question is, why aren't you doing pentests? There's no good reason other than the political force of the mainframe people. If you're doing compliance, you need to get a copy of the DISA STIG from the Department of Defense in the US. It outlines all the best security practices for the platform.
It's a pain, it's really an audit guide, but if you're doing compliance, you need to go through and you need to use that. There's products, it's a lot, it's like 178 controls. If you have it and you have a product called zSecure or Vanguard, they have the DISA STIG built in so you can just run the report and it will tell you everything that you're missing and failing as a control. It's really easy to do, but there's no reason to not do it other than, again, the political will behind the mainframe operators.

The other important thing for you, for this audience specifically, is getting access to the platform. This is the legal way. If you work for a company that has a mainframe, or you happen to have $45,000 just laying around, better to work for a company that has a mainframe, you can get what's called Rational Developer and Test for System z. It has changed names every year. I don't know why, sometimes they change it twice a year. It changes its name all the time. I'm almost certain every time I talk about it, they change the name. Basically, you get 12 DVDs with the full z/OS operating system on it. You get a USB stick, which is a crypto key, and you get one CD that has software that you install in Linux and it will emulate a mainframe environment that you then install z/OS on top of. It runs on commodity hardware. We're running it in a data center. It works, it's great, and it acts and performs just like a real mainframe. And it's great because if you bring it down, nobody cares. It's your mainframe. Even on, like, people say, oh, just test the dev mainframe. You can't test the dev mainframe because what happens when your developers can't work for 24 hours, right? That's costing the company money. There's no system you can just take offline for a bit during a test. This system you can, this system you can go, what do you think all my tools are developed on? They're not developed on production systems.
Now, some of you don't work in a mainframe environment, so I'm gonna tell you the not-so-legal way. You can use a product called Hercules. I say product, but it's an open source tool. This piece of software emulates the z architecture really well and is used by people all over the world to emulate a mainframe environment for test purposes or for whatever. There's a freeware operating system out there called, well, it's called MVS, Turnkey MVS. There's a whole bunch of different names. Basically, this operating system is so old there are versions of it that are public domain, right? So there's a version out there, if you're just interested and you don't wanna go deal with quasi-legal things, which people have pointed me at where to find them, and you don't have 17-ish gigs on your computer, you can go download this 500 meg image just to play around and get familiar with, like, well, how do I launch, how do I boot this thing, how do I do this, how do I use that? It's all free, it's available, it's easy to download, it's really good, and it's a great learning tool. If you're actually just interested in the platform, it's a great learning tool to get started without really having to invest a lot of time, because getting z/OS working on this environment, I've been told, is really challenging. And if you don't know how the emulator works and you don't know how to run things, it's a huge, it's like a massive step, right?

So I hope I've put the fear of God in some of you. And I hope some of you are now thinking like, man, I would really like to do some research in this space. There are some people I need to thank, like Nicholas, he helped translate, well, he didn't help. He translated some of the documents from the breach from Swedish to English, which helped me out immensely when I was reading up about it, the case, and what was going on.
Dhiru Kholia, I mentioned them earlier, they were immensely helpful when I started out, because they were the only people that would talk to me, even. Nigel Pentland is a mainframe guy going back decades, and he was sort of the only person to really talk to me. Oliver, who I misspelled there, he really helped to get that Rexx script working because it was all, even though it was two halves put together, it was still obfuscated, they still broke it. And he was instrumental in pointing out, like, well, what if we tried this and that, so he helped me work that out. And then Dominic White developed Big Iron Recon and Pwnage, the tool to do application pen testing, essentially, on the mainframe. And that's about it.

If you have any questions, I'm sure you won't. You can send me questions on Twitter, email, on blogs, all kinds of ways to reach me. I always answer emails from people. It's always amazing when I get an email from someone, like, hey, I was doing a pen test on an application that I found. And it turns out that all I need to do is give it a user ID and it lets me execute commands as a user ID. And then I'm like, here's my PGP key. What application is it? Right, because I want to know. But every once in a while, I get an email like that. So if you're encountering things, one of the good things is I started doing this early. So I know a lot of people. So if you have challenges with ACF2, if you have challenges with Top Secret, I can put you in contact with other people who are doing the same kind of work, within reason. Like, if you're coming from Tor, with like a Tormail email address, I don't know if I'm gonna be like, yeah, sure, here, go talk to this guy at RBC. But I'm definitely open to discussion if you have challenges. Some guy sent me some picture. I think he legitimately broke into, in the United Arab Emirates, a mainframe over there. And he was sending me screenshots over email. And I was like, I don't want these.
He's like, give it, give it, you showed me how to do some of it. And I was like, I don't want to hear that. But so other than that, feel free to reach out to me for questions, comments, follow me on Twitter. That's where I post a lot of my stuff. Twitter and Tumblr are basically where I post all my research and screenshots and stuff like that. Any questions?