Course Schedule
IN-PERSON or ONLINE attendance is available.
Dates:
May 16 - 17 (Monday, Tuesday)
2-day course at 8 hours per day.
Brief Course Abstract
Mainframes make up the lion's share of back-end systems at Fortune 500s. Come learn the techniques and exploits you can use to successfully test your mainframe's security. This course will expose attendees to a live mainframe environment with hands-on lab experience. The areas explored in this course include VTAM, CICS, TSO, and Unix. Students will be given access to this mainframe environment for the duration of the course, where they will learn to navigate the operating system and learn misconfiguration targets and privilege escalation techniques. They will be introduced to the open source tools and libraries available for all the steps of a penetration test, including Nmap, Python, and Metasploit, as well as writing their own tools using REXX, JCL, and C. This class is outlined as a beginner class to mainframe hacking; the attendee should have knowledge of IT security, penetration testing and very basic Python.
Full Course Abstract
Have you ever been mid-pentest with mainframe credentials and thought 'now what?' Or were you ever asked to do a mainframe pentest and didn't even know where to start? Maybe you're a sysprog and think your systems are impenetrable. Are you hoping to someday include your org's mainframe in a red team op? Well, no matter your background, this course is for you!
This course provides training on mainframe penetration testing using the most recent and up-to-date attack vectors. It walks through techniques for gaining system access and performing end-to-end penetration tests, and teaches you to 'own' the mainframe.
After a quick overview of how z/OS works and how to translate from Windows/Linux to "z/OS", the instructors will lead students through multiple real-world scenarios and labs against a real live target mainframe brought on site for the training. The areas explored in this course include VTAM, CICS, RACF, JES2, NJE, LU, TSO, Unix and Web. Students will be given access to this mainframe environment for the duration of the course, where they will learn to navigate the operating system and learn some of the misconfiguration targets and privilege escalation techniques. They will be introduced to the open source tools and libraries available for all the steps of a penetration test, including Nmap, Python, Kali, and Metasploit, as well as being able to write their own tools on the mainframe using REXX, JCL, C and CLISTs.
The majority of the course will be spent performing instructor-led, hands-on mainframe testing with tools provided by the instructors. Goals for each segment will be laid out, with appropriate time afforded to students to allow them to gain a deep understanding of how a mainframe pentest could and should be performed. Exercises will be based on real-world attack scenarios.
While this class is outlined as a beginner class to mainframe hacking, the attendee should have knowledge of IT security, penetration testing and Python.
Course Prerequisites
Familiarity with the Linux command line and tools such as Nmap, Metasploit, etc.
Intended Audience
Mainframe system programmers
IT Security managers
Penetration testers/Red team members
IT Auditors
About the Instructor: Phil Young
Philip Young, OSCP, is a leader in information system security who has an extensive background in cybersecurity. He has worked for multiple global financial institutions and Big 4 consulting firms as an IT auditor and security specialist, and is currently an adversarial consultant. He is a founding member of the Mainframe Hacking Society and co-founder of Evil Mainframe, a consultancy dedicated to mainframe cybersecurity. He has presented around the world on the topics of cybersecurity, adversarial consulting, audit, and governance. Some of his notable appearances include DEFCON, Black Hat, and RSA. He was also a keynote speaker at InfoSec World's MISTI conference, Guide Share Europe Netherlands, and at SHARE Seattle & Sacramento. In addition to his speaking engagements, he has built mainframe cybersecurity programs for multiple Fortune 100 organizations, such as Visa Inc, starting from the ground up to create repeatable testing programs using both vendor-specific and public toolsets. Philip is democratizing access to mainframes by releasing tools to aid in the testing of mainframe security and has contributed to both the Nmap and Metasploit open-source projects. Philip also helped re-engineer multiple processes to provide the most effective controls infrastructure while maintaining a strong security posture for IT systems supporting global mission-critical applications.
Course Agenda
Day 1: (7h+ depending on labs) Mainframe Basics, User Interaction, Scripting, Network Protocols & Security
About us and the course (15m)
Mainframes: A *brief* History (15m)
Mainframe OS: z/OS (1h30m)
Networking
TN3270
SNA
VTAM
TSO (running commands, calling compiled programs, executing REXX)
Dataset Concatenation ($PATH)
Datasets
EBCDIC
UNIX
SEND command
ISPF navigation
SMF/SYSLOG
LAB 1 - Basic Interaction: Login, create a folder, copy a script to that folder, execute the script (in ISPF and then TSO). Login through SSH, run the same script through Unix.
Scripting in z/OS (1h30m)
CLISTs - automating tasks with CLISTs
REXX - Writing powerful scripts in REXX
The REXX language
'executing' REXX scripts
How to pass and parse arguments
LAB 2 - Create REXX Unix reverse shell
JOBS and JES (2h)
Understanding Jobs in z/OS
JES2
Configuration (parmlibs)
Network Job Entry (NJE)
SDSF
Writing JCL
JCL Syntax
Writing a Job
Job Card
Input/Output
DD statements
Obtaining Output
Sending output to UNIX
Libraries/Steplibs
Programs: IKJEFT01, BPXBATCH, IXRJCL, SUPERC and more
Remote Job Entry (FTP)
LAB 3 - Write JCL to create a reverse TSO shell in REXX, submit in ISPF, submit over FTP
Security (RACF) (40m)
History
Format
Location
Classes (SURROGAT, FACILITY)
SEARCH commands
WARNMODE (follow along live)
ACEE
LAB 4 - Submit a job as someone else (reverse TSO shell)
Storage (memory) (40m)
Keys
Walking memory
Reading IBM documentation
LAB 5 - REXX to read the ACEE; what happens when you write?
Authorized Programs (20m)
APF
LPA
Link lib
CICS (1h)
What is CICS?
Regions
Transaction IDs
LAB 6 - Logging on to CICS and getting information
BONUS LAB: Day 2 Preview - Use msfvenom to make JCL and submit with FTP
Review (20m)
Day Two: (8h) Let's Hack a Mainframe
Reconnaissance (2h30m)
OSINT and the Mainframe
Using Nmap's *new* tn3270 library
LAB 1 - Using Nmap to enumerate LU, VTAM Application IDs, CICS transactions.
System Interaction/Shells
Breaking in through TSO, CICS, Web
Using Python for infil/exfil
Using x3270 & s3270 scripting
LAB 2 - using s3270 to run the 'ListUser' command and parse the output in bash
CICS Security Bypass
Using CICS to get a shell
LAB 3 - CICSPwn reverse shell
FTP and JCL for evil
Automating it all with Metasploit
LAB 4 - Metasploit and JCL and SURROGAT
Attacking Web servers
LAB 5 - Attacking Tomcat
System Enumeration (1h30m)
Gathering system information
RACF SEARCH
WARNMODE
SURROGAT
FACILITY CLASS
UNIXPRIV
Living off the land (showzos/iplinfo/tasid)
Uploading and running yourself
SuperC
Pulling from storage
Reviewing parmlibs for other places to look at
Enum (REXX script)
SETRCVT (REXX script)
SYS0WN (REXX script)
Unix Enumeration
LAB 6 - Identify all APF authorized libraries
Cracking Passwords and Passtickets (40m)
How passwords are stored
Where they are stored
Understanding the hashing algorithm
Cracking the passwords with John/Hashcat
How z/OS uses Passtickets
Cracking Passtickets
Using the hash to make your own ticket
Privilege Escalation (1h)
JCL
NJE
BPX.SUPERUSER
SURROGAT authority
Search/SuperC
APF Authorized
Unix Mount
LAB 7 - Use Python to become a fake mainframe
Review (20m)
Cover any questions/remaining items
CTF (2h)
The last two hours are a mainframe CTF which uses everything learned in the class to 'own' a mainframe.
Students attack the in-house mainframe to gain points. First team to get the highest score wins a prize!
Cover all the CTF items and answers for the class
Hardware and Software Requirements
Laptop with Kali Linux installed and at least 5 GB hard drive space available.