And we are live. All right, we are here in another Q&A session with Jake LaBelle, talking about z/OS and surrogate chains. Jake, would you like to tell us a little bit about yourself and how you got into mainframe hacking?

Hi, I'm Jake. So I guess how I got into it: my company does some jobs in it. I was looking at some of the reports they wrote and I went, like, pretty cool. Looked at some pictures of mainframes and was like, yeah, that looks like my type of thing. And yeah, just jumped right into it. It's, yeah, I don't know, I think it looks cool. And so I just went for it.

That's awesome. And I believe this is your first time presenting at DEF CON, correct?

Yeah, first time, yeah.

First time. So we have a tradition here at DEF CON. Whenever you do your first talk, we welcome you onto the big stage with a drink. This is for contributing content back to the community and taking the time to answer questions. So cheers to you, Jake. Welcome to DEF CON.

Cheers. I'm going to tell us we're filling up my drink though, so.

All right. Cheers. Yeah. So we've already got a few questions that have been going through the chat. You kind of already mentioned what got you into hacking mainframes, so I'm going to go on to the next one. Most high-security systems' security plans will have periodic audits of rights to make sure that former superuser accounts cannot be taken advantage of. Your talk sort of goes into how these permissions get chained between users and how they're just sort of left alone. Do you encounter any of these issues in audits where you have to remove these accounts, or is it pretty much a no-go on touching things?

I guess in an audit you'll have, for example, okay, well, we don't want to let some users access this SPECIAL user, which is basically root, but what about that user which accesses that user? What about that user which has access to that user?
That's not really possible to audit. You don't really have the ability to, when you're, well, you probably could, and they probably should, but they don't.

And can you use this technique that you had? At one point you show this massive graph of nodes. It looks like you were able to fully enumerate all of those chains. Could you extend that into some kind of security auditing?

Yeah, 100%. So someone else who worked at the company made a tool. This one is more of a, not an expert exploitation tool, but one that you would use if you didn't have full access. But if you had full access, what you could do is, you're allowed to do what's called unloading the RACF database, which is all the security. So you can just take that and then, offline, you can use that to create all the tools. But this one's more for, if you didn't have access, so from your user, what can you access? But from offline, there's someone else at the company who was making a tool which takes the RACF database, puts it into any SQL database, and then you can query it however you like.

That sounds handy. Someone else is asking: z/OS is tied to IBM. Do you think this could be applied to IBM i?

I've never been on an IBM i. I need to be on an IBM i system, just to see what it's like, but I've never actually been on it. So I have no clue what the security is on there.

So I've got to say that my knowledge of mainframes is fairly weak. At the beginning of your talk, you mentioned partitioned data sets versus normal ones, as if they were significantly different. Could you explain what the differences are in those?

Yeah, so there's no such thing as folders in z/OS. I don't know why, but they like to have a flat file system.
So instead of having that, you have data sets, and then data sets can have multiple members in them. So it kind of acts like a folder, but they're all part of one single file. So it's, I don't know, it's how they do it.

So we think of the partitioned data set as kind of like a file inside of a folder, and the data set's the folder.

Yeah. Yeah, close enough.

Close enough, okay, fair enough. When I was going through it, the first thing was like, okay, how do these correlate to Unix things? And then it was like, wait a minute, nothing correlates, what am I doing? That's kind of where I was going to go with this. But you did mention the OMVS subsystem, I believe it was. That is a Unix-like environment. How comfortable would someone that is Linux-centric feel inside this OMVS environment?

It's basically exactly the same. The only thing is that once you're in that system, you can run anything on the mainframe as well. So you can just run TSO, which is the normal mainframe part, just go TSO, whatever script you were gonna run in the mainframe thing. So it's exactly the same as any sort of Linux system, like all the privileges are the same. Just, if you have it, you also have access to all this mainframe stuff.

Okay, got it, I think. So, Jake, do you think your tool could work on ACF2 or TSS?

Again, never been on that. I've only been on a couple of mainframe jobs, so. Okay, I don't know. But if it allows surrogate submission, then yeah, there are words, yeah.

So from my understanding of what surrogates are, they are delegating, it's like a tree of delegated permissions, right? So you get the surrogate permission for another user and then you are effectively gaining all the rights of them, right?
So depending on what type of surrogate you give. The main one is you'll have user.* in class SURROGAT, and that means that you can submit a job as user.*, but there are other types you can have. A lot of times, if you have surrogate on one person, you can do all the stuff from that. For example, there's one that I had where you can say surrogate, which allows you to, right, do su, but if you can do su, you can run any TSO command. So it basically means you have full privileges on there.

Got it. Got it. So is it something that you have to specifically invoke to get the other user's permissions, or do they all just get wrapped up into it?

So that's one of the things, that's why it required the tool: if user one had submit on user two, you couldn't just run user two's stuff. You have to run a job as user two, and that will get returned sometime later. So that's why the tool was required: you don't have the privileges, you can submit a job as that user, but yeah.

Okay. I actually think that I literally have that in my head now. That's awesome. That was really well described. What are your thoughts on JCL?

It's a great language. It's, what am I, yeah, it takes a while getting used to it because reading the IBM docs is a skill in itself. I don't know if it's something I should be worried about, but I've actually started to be able to understand IBM documentation. And that's worrying me.

That does sound a little concerning. I'm like, wait, wait.

I get it now, but yeah. So JCL is just a way to submit batch jobs. And yeah.

Is there any kind of tooling that makes interacting with that kind of language easier? Or, I know that one of the current hot things is building languages on top of languages.
So yeah, whenever I wrote my programs or any type of thing that I use, 'cause it's just easier. The JCL, I don't really understand how you pass parameters to it. So I just put it all in one little REXX script and then it will just run itself. And REXX is just a scripting language. It's just easy to use. So I just, yeah, that's, there was an example. Yeah, JCL. Yeah, that's right. Yeah. It's just, what is it? JCL, there's lots of programs that it can run that I have no clue what they do. But it feels like I now know what the most important ones do. So that's fine.

I mean, it's probably enough. If you know 75% of most systems, you are very comfortable in that system.

Oh.

So Jake, have you made any other tools that help to assist with mainframe hacking?

Yeah, so I've got a couple which vary in their usefulness. So I've got one which is, so the database where all the security is held is just a database. So if you have write access to that, you have access to anything. So I created a quick tool which, if you do have write access to it, will just look for your user, find the SPECIAL flag and just turn it to one. So that's a tool, but it's very unlikely that you'll have access to that. That is something that is audited. So it's like, make sure that no one has access to this file, because if they do, they have complete access to everything.

What are the other tools?

Oh, I made another, a SOCKS proxy in REXX. So that allows you to, if there's any internal ports you wanna hit, because everyone trusts the mainframe. So why wouldn't you accept all the firewall stuff from that?
So, if there's anything you wanna hit from the mainframe, then there's a SOCKS proxy, which you can just run in REXX and then just pass on to any port that you can see from there.

So REXX is not just a scripting language like bash, which just consumes a bunch of tools. It is a language, fully capable of hosting network sockets and stuff like that?

Yeah, it can do. So REXX, you can do anything you wanna do. And there's also a, I don't really understand what the functionality is, but I know how to use it. So if you write something called ADDRESS, so for example, if you wanna write a TSO command, you write ADDRESS TSO. And that means that any command you run in quotes runs as TSO. So the way I describe it is that you can run a program as another program, but I don't even know if that's actually what's happening. I just know that you can be like ADDRESS DB2, which is an SQL database in IBM, and that will then run a command as DB2. So it's a fairly useful language. You can just be like, this program, I wanna run this command. Yeah, it will do it.

Cool. Mainframe is asking, could you talk a little bit more about TK4 and the difference between it and z/OS?

So, TK4 is a beautiful thing. It's an open source mainframe, well, public domain, I don't know what the specific term is, but in 1980 they made a mainframe operating system, which is now in the public domain. And from there, they've created TK4. And TK4 just allows you to muck around with, I think I put a link in my presentation, but if you want, just download TK4, you can run it off anything. I've run it off a Raspberry Pi. So it's kind of fun. Yeah, if you want to run JCL, you can install REXX on there.
You can install KICKS, but also, not actually, this was actually one of the things in my presentation that I didn't know how to say: there's something called CICS with a C, and then something called KICKS with a K. And I was trying to say the difference between them. And I was just like, so yeah, my program, this has CICS, but this has KICKS on here. And I was like, wait a minute, I've just said this twice. But yeah, so KICKS is open source. If you want to muck around with CICS on there, which is one of the most used things on a mainframe. It's kind of like a web server-ish type of thing. There's no equivalent to it, kind of, but yeah, TK4 is really good if you want to just muck around with mainframe bits. And it's completely open source. So muck around with that.

And do you know of any good resources for learning how to use and operate a mainframe? Coming into it cold, which is like booting up a Raspberry Pi image, seems like.

So, yeah. The best place, well, this is a 1980s mainframe. So even the IBM docs don't tell you how to do things on this. So the two places where it's the most, so there's a Mattermost community called mainframe.community. Super helpful. If you have any stuff, asking questions on there, you'll get questions answered instead of just being told, ask your SME how to do this. So mainframe.community, very good place for people to ask stuff. But yeah, some other places you might find that your questions don't get answered, but that's good. What other place? On YouTube, there's this person called moshix. Very helpful, like TK4, how to install these things, how to do a lot of stuff on TK4.

Excellent.
Now, was there anything for your research, or even in your presentation, that you didn't get to, or that you wanted to look further into, that you maybe will look more into in the future, or that you think it might be good if other people were to try to build upon what you've done?

So on the surrogate chain, I basically just did the *.SUBMIT privileges and the BPX.SRV.* privileges, but there are other surrogate classes. I don't really know how they work, but if those other surrogate classes can get you access to everything, then those should also be added to the program. If there's another surrogate that I've missed, then yeah, that definitely should be something that should be added.

Have you open sourced the tool? Is that publicly available at this point?

Yeah, on GitHub, I think I've put my tool up.

Have you actually made it public?

Oh well, I'll fling it into the track chat. Oh, there's lots of chats. I'm very confused about where it is. Yeah. I'm not much of a Discord user.

Good luck finding it. It is in the DefCon Talk Tracks group; you can either put it in track one...

I found it.

There you go. That's one of the things that, when you're on a client call and you can't work out how the tech works, it's like, sorry, I'm trying to work out how to get Skype working with my audio. Please give me 10 minutes to work this out, please.

I am running out of questions. Is there anything in particular that you want to talk about or advocate for, or anything else? Any other areas of interest in the InfoSec world, anything you want to share?

I guess there's the thing where I think a lot of people are like, mainframes, why mainframes? What's the point of them? Yeah, so, why mainframes? Incredibly, incredibly efficient.
People are like, oh yeah, just go cloud. It's like, when you're trying to deal with millions of credit card transactions, it may not be the most cost effective to do it on an AWS instance. That might be pretty expensive. And you also have the other thing where all the code's already on a mainframe. So it's going to be pretty difficult to convert your COBOL code to, I don't know, whatever you're trying to convert it to. Yeah. So.

The popular language is, Hawkeye is asking you about bricking the mainframe. I guess, with any of the things that you ever play around with or do, is that a concern? Is that something that you have to keep in your mind?

There's the thing where, on the client side, so with a web app, when you're in a testing environment, you're like, I'll just keep throwing stuff at it. Let's see what happens. Let's just keep throwing random scripts at it. On a mainframe, you're like, hello, person I'm testing this on, can I throw this at this before I, like, I don't want to break your massively expensive system. Let's just make sure this is okay first.

Like a major backbone in your organization. Can I just potentially screw it up right now?

Yeah. So there's also the fun thing where, on a mainframe, the testing environment may be completely different to the actual production environment, which is great fun where you're like, oh look, I found something. Is this a thing in your actual... no. Okay, cool. That was a good six hours looking at that. Great. Thanks.

Cool. So it seems as though what you're doing is coming probably even more into demand. I'm seeing where people are looking for people that can program in COBOL and maintain mainframes.
Is this something that you think might be an area that would be good for people to get into? And if so, if somebody with experience wanted to make the jump over, what sorts of things could they look into? So how could they even get started in being able to support or test or work with mainframes?

So, I guess if you're in a company, you could just shadow a job. That's probably, like, there's also, there is a z/OS 1.10 on Pirate Bay, which of course I would not be supporting, you know, that's very illegal, never do that. But if you do have that, that might be useful. But yeah.

So who still uses mainframes today? What industries or major companies, if you can say any, still make use of mainframes?

So basically every bank that's big still uses mainframes. Again, they're doing massive batch jobs and they already have all the infrastructure. So when they're like, okay, do we want to move everything to cloud or do we want to continue on a mainframe? The answer to that question is, they're not going to change their entire system to try and maybe, I don't even know if it would save money, but maybe, I don't know. And then, I guess a lot of governments still use mainframes. For example, I think there was a freedom of information request to the UK government about what mainframes are still in use. And one of the things that really got me was, so this was to the people who do the treasury, I think. And so they were like, okay, here are the four mainframes that are out of date that we use and they're like 10 years old. And they also say, here are three other mainframes that are managed by Fujitsu that we use. So through some research, I'm pretty certain that these are like 20 year old mainframes that have probably never ever been looked at.
They're just running, and I looked at them and I was like, okay, what are the ones that are running? It's like, oh, these do all the customs in the UK. Huh, I bet they never want to ever change that shit ever. They're literally just like, we're never changing this 20 year old mainframe that we have. No one's ever looked at it. It's not even an IBM mainframe. It's a special UK mainframe that got bought out by Fujitsu that is now running the customs in the UK. And I'm like, this has never been looked at. I've even looked at it. Even if a mainframe specialist looked at it, they wouldn't be able to know anything. It's written in this weird language that I've never heard of. Maybe other people have heard of SCL. I don't know. Have you guys heard of that?

I think that I've come across that in another DEF CON talk. Maybe. I get exposed to a lot of things. We did have another question related to past talks. K-Hol says, I've enjoyed various z/OS talks at DEF CON over the last few years, but I never hear about mainframe security otherwise. Are they a common attack target, or do they tend to go overlooked because of the foreignness of the platform? What does the defense side look like outside of the kind of audits you mentioned?

I don't actually know the access that, so it feels like the only people who would actually be able to access this are people who are fairly sophisticated. You wouldn't have just a random attacker going after a mainframe because it's normally hidden in their internal network. So it'd probably be a nation state attacker or that type of level. So I feel like if it's an attack, they wouldn't be going after financial stuff. So you wouldn't really ever see that it was happening, maybe? I don't know.

Oh, sorry, yeah.

Oh, sorry, sorry.
I mean, this might have been in us chatting before the actual stream started, but you did mention that you found some mainframes that were just exposed online just by dropping something into Shodan. So maybe not just a deep internal threat.

Yeah, the majority of the ones I saw on Shodan were like, there's actually a fun site of that mainframe sent me about all the internet. It's just a bot that people have sent mainframe IPs to and it just goes straight to the picture of the initial screen of it. I think it's a fairly fun site, but yeah. There's a couple of government ones, but a lot of them are just emulated ones. But yeah, I think the thing I was gonna say was that if a nation state ever got hold of something, it's unlikely they would ever reveal themselves in that way, that they had got access to that. It's not like a criminal organization where they'd be trying to go after those types of things. So that's also the other thing where, I don't know if there was, in the news recently, the owner of Pirate Bay hacked a mainframe. It was a while ago, but there's the-

I must have missed that one.

Yeah, it was-

But how secure are they from the inside? Would it be as simple as just being able to access somebody's workstation from inside to be able to get to the mainframe? Mainframe is saying it's the Logica breach.

Yeah, the Logica breach. And the fun thing about that one as well is that they released, well, I don't know if they released it on purpose, but all of the court documents were released. It's on GitHub, by the way. So you can see what fun tools they used to do all the stuff.

Yeah, mainframe says it's on WikiLeaks. So anyone out there that's looking for more information, apparently there's a lot more data out there. That sounds pretty fascinating.

Yeah, actually, writing a tool, I looked at Logica and I was like, wait a minute, they did this already. Oh, I got beat out by the hackers.

By a bunch of random hacker activity.
I love it. So you just had to one-up them by presenting at DEF CON.

Yeah.

So we are approaching the end of the time of our Q&A session. Is there anything else you want to talk about while you still have the camera?

Uh, no, I think I'm all tapped out.

Fair enough. Well, thank you very much for doing this Q&A session. Thank you for presenting at DEF CON, once again, for your first time. Really hope you come back. This was great content.

I need to get back, to at least go to Vegas at least once.

Yeah, you've got to experience in-person DEF CON as well. All right, well, thank you very much and we'll talk to you later.