
Evil Mainframe: Mainframe Hacking for Penetration Testers


Course Schedule

IN-PERSON or ONLINE attendance is available.

Dates:

  • May 16 - 17 (Monday, Tuesday)

2-day course at 8 hours per day.


Brief Course Abstract

Mainframes make up the lion's share of back-end systems at Fortune 500s. Come learn the techniques and exploits you can use to successfully test your mainframe's security. This course will expose attendees to a live mainframe environment with hands-on lab experience. The areas explored in this course include VTAM, CICS, TSO, and Unix. Students will be given access to this mainframe environment for the duration of the course, where they will learn to navigate the operating system and learn misconfiguration targets and privilege escalation techniques. They will be introduced to the open-source tools and libraries available for all the steps of a penetration test, including Nmap, Python, and Metasploit, as well as writing their own tools using REXX, JCL, and C. While this class is outlined as a beginner class in mainframe hacking, the attendee should have knowledge of IT security, penetration testing, and very basic Python.


Full Course Abstract

Have you ever been mid-pentest with mainframe credentials and thought 'now what?' Or were you ever asked to do a mainframe pentest and didn't even know where to start? Maybe you're a sysprog and think your systems are impenetrable. Are you hoping to someday include your org's mainframe in a red team op? Well, no matter your background, this course is for you!

This course provides training on mainframe penetration testing using the most recent and up-to-date attack vectors. It walks through techniques for gaining system access, performing end-to-end penetration tests, and 'owning' the mainframe.

After a quick overview of how z/OS works and how to translate from Windows/Linux to z/OS, the instructors will lead students through multiple real-world scenarios and labs against a live target mainframe brought on site for the training. The areas explored in this course include VTAM, CICS, RACF, JES2, NJE, LU, TSO, Unix, and Web. Students will be given access to this mainframe environment for the duration of the course, where they will learn to navigate the operating system and learn some of the misconfiguration targets and privilege escalation techniques. They will be introduced to the open-source tools and libraries available for all the steps of a penetration test, including Nmap, Python, Kali, and Metasploit, as well as being able to write their own tools on the mainframe using REXX, JCL, C, and CLISTs.

The majority of the course will be spent performing instructor-led, hands-on mainframe testing with tools provided by the instructors. Goals for each segment will be laid out, with appropriate time afforded to students to allow them to gain a deep understanding of how a mainframe pentest could and should be performed. Exercises will be based on real-world attack scenarios.

While this class is outlined as a beginner class in mainframe hacking, the attendee should have knowledge of IT security, penetration testing, and Python.


Course Prerequisites

Familiarity with the Linux command line and tools such as nmap, metasploit, etc.


Intended Audience

  • Mainframe system programmers

  • IT Security managers

  • Penetration testers/Red team members

  • IT Auditors

 
 

About the Instructor: Phil Young

Philip Young, OSCP, is a leader in information system security who has an extensive background in cybersecurity. He has worked for multiple global financial institutions and Big 4 consulting firms as an IT auditor and security specialist, and is currently an adversarial consultant. He is a founding member of the Mainframe Hacking Society and co-founder of Evil Mainframe, a consultancy dedicated to mainframe cybersecurity. He has presented around the world on the topics of cybersecurity, adversarial consulting, audit, and governance. Some of his notable appearances include DEFCON, Black Hat, and RSA. He was also a keynote speaker at InfoSec World's MISTI conference, Guide Share Europe Netherlands, and at SHARE Seattle & Sacramento. In addition to his speaking engagements, he has built mainframe cybersecurity programs for multiple Fortune 100 organizations, such as Visa Inc, starting from the ground up to create repeatable testing programs using both vendor-specific and public toolsets. Philip is democratizing access to mainframes by releasing tools to aid in the testing of mainframe security and has contributed to both the Nmap and Metasploit open-source projects. Philip also helped re-engineer multiple processes to provide the most effective controls infrastructure while maintaining a strong security posture for IT systems supporting global mission-critical applications.


Course Agenda

Day 1: (7h+ depending on labs) Mainframe Basics, User Interaction, Scripting, Network Protocols & Security

  • About us and the course (15m)

  • Mainframes: A *brief* History (15m)

  • Mainframe OS: z/OS (1h30m)

    • Networking

    • TN3270

    • SNA

    • VTAM

    • TSO (running commands, calling compiled programs, executing rexx)

    • Dataset Concatenation ($PATH)

    • Datasets

    • EBCDIC

    • UNIX

    • SEND command

    • ISPF navigation

    • SMF/SYSLOG

    • LAB 1 - Basic Interaction: Login, create a folder, copy a script to that folder, execute the script (in ISPF and then TSO). Login through SSH, run the same script through Unix.

  • Scripting in z/OS (1h30m)

    • CLISTs - automating tasks with CLISTs

    • REXX - Writing powerful scripts in REXX

      • The REXX language

      • 'executing' REXX scripts

      • How to pass and parse arguments

    • LAB 2 - Create REXX Unix reverse shell

  • JOBS and JES (2h)

    • Understanding Jobs in z/OS

    • JES2

    • Configuration (parmlibs)

    • Network Job Entry (NJE)

    • SDSF

    • Writing JCL

    • JCL Syntax

    • Writing a Job

    • Job Card

    • Input/Output

    • DD statements

      • Obtaining Output

      • Sending output to UNIX

    • Libraries/Steplibs

    • Programs: IKJEFT01, BPXBATCH, IXRJCL, SUPERC and more

    • Remote Job Entry (FTP)

    • LAB 3 - Write JCL to create a reverse TSO shell in REXX, submit in ISPF, submit over FTP

  • Security (RACF) (40m)

    • History

    • Format

    • Location

    • Classes (Surrogat, Facility)

    • SEARCH commands

    • WARNMODE (follow along live)

    • ACEE

    • LAB 4 - Submit a job as someone else (reverse TSO shell)

  • Storage (memory) (40m)

    • Keys

    • Walking memory

    • Reading IBM documentation

    • LAB 5 - REXX to read the ACEE; what happens on write?

  • Authorized Programs (20m)

    • APF

    • LPA

    • Link lib

  • CICS (1h)

    • What is CICS?

    • Regions

    • Transaction IDs

    • LAB 6 - Logging on to CICS and getting information

    • BONUS LAB: Day 2 Preview - Use msfvenom to make JCL and submit with FTP

  • Review (20m)


Day 2: (8h) Let's Hack a Mainframe

  • Reconnaissance (2h30m)

    • OSINT and the Mainframe

    • Using Nmap's *new* tn3270 library

    • LAB 1 - Using Nmap to enumerate LU, VTAM Application IDs, CICS transactions.

    • System Interaction/Shells

    • Breaking in through TSO, CICS, Web

    • Using Python for infil/exfil

    • Using x3270 & s3270 scripting

    • LAB 2 - using s3270 to run the 'ListUser' command and parse the output in bash

    • CICS Security Bypass

    • Using CICS to get a shell

    • LAB 3 - CICSPwn reverse shell

    • FTP and JCL for evil

    • Automating it all with metasploit

    • LAB 4 - Metasploit and JCL and SURROGAT

    • Attacking Web servers

    • LAB 5 - Attacking Tomcat

  • System Enumeration (1h30m)

    • Gathering system information

    • RACF SEARCH

    • WARNMODE

    • SURROGAT

    • FACILITY CLASS

    • UNIXPRIV

    • Living off the land (showzos/iplinfo/tasid)

    • Uploading and running yourself

    • SuperC

    • Pulling from storage

    • Reviewing parmlibs for other places to look at

    • Enum (rexx script)

    • SETRCVT (rexx script)

    • SYS0WN (rexx script)

    • Unix Enumeration

    • LAB 6 - Identify all APF authorized libraries

  • Cracking Passwords and Passtickets (40m)

    • How passwords are stored

    • Where they are stored

    • Understanding the hashing algorithm

    • Cracking the passwords with John/Hashcat

    • How z/OS uses Passtickets

    • Cracking Passtickets

    • Using the hash to make your own ticket

  • Privilege Escalation (1h)

    • JCL

    • NJE

    • BPX.Superuser

    • SURROGAT authority

    • Search/SuperC

    • APF Authorized

    • Unix Mount

    • LAB 7 - Use Python to become a fake mainframe

  • Review (20m)

    • Cover any questions/remaining items

  • CTF (2h)

    • The last two hours are a mainframe CTF that uses everything learned in the class to 'own' a mainframe.

    • Students attack the in-house mainframe to gain points. The first team to reach the highest score wins a prize!

    • Cover all the CTF items and answers for the class

 

Hardware and Software Requirements

Laptop with Kali Linux installed and at least 5 GB of hard drive space available.

 
 