CANSECWEST 2022 DOJO

Evil Mainframe Hacking

Instructor: Phil Young

May 14-17

Phil Young

To be added.

 

Course Schedule

Dates: May 14-15 or May 16-17

2-day course, 8 hours per day.

 

Brief Course Abstract

Mainframes make up the lion's share of back-end systems at Fortune 500 companies. Come learn the techniques and exploits you can use to test your mainframe's security. This course exposes attendees to a live mainframe environment with hands-on lab experience. The areas explored include VTAM, CICS, TSO, and Unix. Students are given access to this mainframe environment for the duration of the course, where they learn to navigate the operating system, identify misconfiguration targets, and apply privilege escalation techniques. They are introduced to the open source tools and libraries available for every step of a penetration test, including Nmap, Python, and Metasploit, and write their own tools in REXX, JCL, and C. This class is outlined as a beginner class in mainframe hacking; attendees should have knowledge of IT security and penetration testing, and very basic Python.

 

Full Course Abstract

Have you ever been mid-pentest with mainframe credentials and thought 'now what?' Or were you ever asked to do a mainframe pentest and didn't even know where to start? Maybe you're a sysprog and think your systems are impenetrable. Are you hoping to someday include your org's mainframe in a red team op? No matter your background, this course is for you!

This course provides training on mainframe penetration testing using the most recent attack vectors, walking through techniques for gaining system access, performing end-to-end penetration tests, and 'owning' the mainframe.

After a quick overview of how z/OS works and how to translate from Windows/Linux to z/OS, the instructors lead students through multiple real-world scenarios and labs against a live target mainframe brought on site for the training. The areas explored in this course include VTAM, CICS, RACF, JES2, NJE, LU, TSO, Unix and Web. Students are given access to this mainframe environment for the duration of the course, where they learn to navigate the operating system and learn some of the misconfiguration targets and privilege escalation techniques. They are introduced to the open source tools and libraries available for every step of a penetration test, including Nmap, Python, Kali, and Metasploit, and write their own tools on the mainframe using REXX, JCL, C and CLISTs.

The majority of the course is spent performing instructor-led, hands-on mainframe testing with tools provided by the instructors. Goals for each segment are laid out, with enough time for students to gain a deep understanding of how a mainframe pentest could and should be performed. Exercises are based on real-world attack scenarios.

While this class is outlined as a beginner class in mainframe hacking, the attendee should have knowledge of IT security, penetration testing and Python.

 

Course Agenda

Day 1: (7h+ depending on labs) Mainframe Basics, User Interaction, Scripting, Network Protocols & Security

  • About us and the course (15m)

  • Mainframes: A *brief* History (15m)

  • Mainframe OS: z/OS (1h30m)

    • Networking

    • TN3270

    • SNA

    • VTAM

    • TSO (running commands, calling compiled programs, executing rexx)

    • Dataset concatenation (the z/OS equivalent of $PATH)

    • Datasets

    • EBCDIC

    • UNIX

    • SEND command

    • ISPF navigation

    • SMF/SYSLOG

    • LAB 1 - Basic Interaction: Log in, create a folder, copy a script to that folder, execute the script (in ISPF and then TSO). Log in through SSH and run the same script from Unix.

  • Scripting in z/OS (1h30m)

    • CLISTs - automating tasks with CLISTs

    • REXX - Writing powerful scripts in REXX

      • The REXX language

      • 'executing' REXX scripts

      • How to pass and parse arguments

    •   LAB 2 - Create REXX Unix reverse shell

  • JOBS and JES (2h)

    • Understanding Jobs in z/OS

    • JES2

    • Configuration (parmlibs)

    • Network Job Entry (NJE)

    • SDSF

    • Writing JCL

    • JCL Syntax

    • Writing a Job

    • Job Card

    • Input/Output

    • DD statements

      • Obtaining Output

      • Sending output to UNIX

    • Libraries/Steplibs

    • Programs: IKJEFT01, BPXBATCH, IRXJCL, SUPERC and more

    • Remote Job Entry (FTP)

    •  LAB 3 - Write JCL to create a reverse TSO shell in REXX, submit in ISPF, submit over FTP

  • Security (RACF) (40m)

    • History

    • Format

    • Location

    • Classes (SURROGAT, FACILITY)

    • SEARCH commands

    • WARNMODE (follow along live)

    • ACEE

    • LAB 4 - Submit a job as someone else (reverse TSO shell)

  • Storage (memory) (40m)

    • Storage protection keys

    • Walking memory

    • Reading IBM documentation

    • LAB 5 - REXX to read the ACEE; what happens when you write to it?

  • Authorized Programs (20m)

    • APF

    • LPA

    • Link lib

  • CICS (1h)

    • What is CICS?

    • Regions

    • Transaction IDs

    • LAB 6 - Logging on to CICS and getting information

    • BONUS LAB: Day 2 Preview - Use msfvenom to make JCL and submit with FTP

  • Review (20m)
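The JOBS and JES segment of Day 1 (JCL syntax, the job card, DD statements, IKJEFT01 and BPXBATCH, remote job entry over FTP) and the EBCDIC item from the z/OS overview fit together in one small working example. The Python below is added here as an illustration and is not course material or the instructor's code: it builds a two-step job, checks it against the column rules JES2 enforces, shows the EBCDIC card image the spool holds, and submits the job through the z/OS FTP server's JES interface. The host name, userid and password in it are placeholders, and submit_over_ftp() is the only function that needs a real mainframe.

```python
"""Build a two-step z/OS batch job, check it against the column rules JES2
enforces, show the EBCDIC card image, and submit it through the z/OS FTP
server's JES interface (SITE FILETYPE=JES).

Added example, not course material. The host, userid and password used in
__main__ are placeholders; only submit_over_ftp() needs a real mainframe.
"""
import re
from ftplib import FTP
from io import StringIO
from typing import List, Optional

STMT_MAX_COL = 72   # JCL statements are read through column 72; 73-80 hold sequence numbers
CARD_LEN = 80       # the spool stores 80-byte card images (LRECL=80)


class JCLError(ValueError):
    """A statement JES2 would reject, or one that would be silently truncated at column 72."""


def _stmt(text: str) -> str:
    """Validate one JCL statement (a line beginning with //)."""
    if not text.startswith("//"):
        raise JCLError(f"not a JCL statement: {text!r}")
    if len(text) > STMT_MAX_COL:
        raise JCLError(f"statement runs past column {STMT_MAX_COL}: {text!r}")
    return text


def _data(text: str) -> str:
    """Validate one in-stream (DD *) data record."""
    if len(text) > CARD_LEN:
        raise JCLError(f"in-stream record longer than {CARD_LEN} bytes: {text!r}")
    return text


def job_card(jobname: str) -> str:
    """JOB statement. Job names are 1-8 characters from A-Z, 0-9, @, #, $ and must not start with a digit."""
    if not re.fullmatch(r"[A-Z@#$][A-Z0-9@#$]{0,7}", jobname):
        raise JCLError(f"invalid job name {jobname!r}")
    return _stmt(f"//{jobname} JOB (ACCT),'PENTEST',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID")


def tso_step(stepname: str, commands: List[str]) -> List[str]:
    """Run TSO commands in batch under IKJEFT01; output arrives on SYSTSPRT."""
    lines = [_stmt(f"//{stepname} EXEC PGM=IKJEFT01"),
             _stmt("//SYSTSPRT DD SYSOUT=*"),
             _stmt("//SYSTSIN  DD *")]
    lines += [_data(" " + cmd) for cmd in commands]   # in-stream TSO commands, one per record
    lines.append("/*")
    return lines


def unix_step(stepname: str, command: str) -> List[str]:
    """Run a z/OS UNIX shell command under BPXBATCH; output arrives on STDOUT/STDERR."""
    return [_stmt(f"//{stepname} EXEC PGM=BPXBATCH,PARM='SH {command}'"),
            _stmt("//STDOUT   DD SYSOUT=*"),
            _stmt("//STDERR   DD SYSOUT=*")]


def build_job(jobname: str, steps: List[List[str]]) -> List[str]:
    job = [job_card(jobname)]
    for step in steps:
        job.extend(step)
    return job


def card_image(lines: List[str]) -> bytes:
    """The job as 80-byte EBCDIC (code page 037) records. In ASCII-mode FTP the z/OS
    server does this translation itself; this shows what ends up on the spool."""
    return b"".join(line.ljust(CARD_LEN).encode("cp037") for line in lines)


JES_JOBID = re.compile(r"\b(JOB\d{5})\b")


def parse_jobid(ftp_response: str) -> Optional[str]:
    """Extract the JES job id from a STOR reply such as
    '250-It is known to JES as JOB01234'."""
    m = JES_JOBID.search(ftp_response)
    return m.group(1) if m else None


def submit_over_ftp(host: str, user: str, password: str, jcl: List[str]) -> Optional[str]:
    """Submit the job through the FTP JES interface and return its job id."""
    ftp = FTP()
    ftp.connect(host, 21, timeout=30)
    ftp.login(user, password)
    ftp.sendcmd("SITE FILETYPE=JES")    # switch the session from dataset access to the JES spool
    # storlines sends in ASCII mode (TYPE A); the remote name is arbitrary in JES mode
    reply = ftp.storlines("STOR JOB.JCL", StringIO("\n".join(jcl) + "\n"))
    ftp.quit()
    return parse_jobid(reply)


if __name__ == "__main__":
    job = build_job("PENTEST1", [tso_step("TSO", ["LISTUSER IBMUSER"]),
                                 unix_step("UNIX", "id; uname -a")])
    print("\n".join(job))
    # submit_over_ftp("mainframe.example", "IBMUSER", "SYS1", job)  # placeholder target/credentials
```

Running the block prints the generated job. The z/OS FTP server translates ASCII to EBCDIC itself when the session is in ASCII mode, so card_image() is there to show what lands on the spool, not a step you perform before STOR. The job id returned in the STOR reply is what you use with GET in the same JES-mode session to pull the job's spool output back, which is how LAB 3's FTP submission collects its results.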


Day Two: (8h) Let's Hack a Mainframe

  • Reconnaissance (2h30)

    • OSINT and the Mainframe

    • Using Nmap's *new* tn3270 library

    • LAB 1 - Using Nmap to enumerate LU, VTAM Application IDs, CICS transactions.

    • System Interaction/Shells

    • Breaking in through TSO, CICS, Web

    • Using Python for infil/exfil

    • Using x3270 & s3270 scripting

    • LAB 2 - Using s3270 to run the LISTUSER command and parse the output in bash

    • CICS Security Bypass

    • Using CICS to get a shell

    • LAB 3 - CICSPwn reverse shell

    • FTP and JCL for evil

    • Automating it all with metasploit

    • Lab 4 - Metasploit and JCL and SURROGAT

    • Attacking Web servers

    • Lab 5 - Attacking Tomcat

  • System Enumeration (1h30m)

    • Gathering system information

    • RACF SEARCH

    • WARNMODE

    • SURROGAT

    • FACILITY CLASS

    • UNIXPRIV

    • Living off the land (showzos/iplinfo/tasid)

    • Uploading and running your own tools

    • SuperC

    • Pulling from storage

    • Reviewing parmlibs for other places to look at

    • Enum (rexx script)

    • SETRCVT (rexx script)

    • SYS0WN  (rexx script)

    • Unix Enumeration

    • LAB 6 - Identify all APF authorized libraries

  • Cracking Passwords and PassTickets (40m)

    • How passwords are stored

    • Where they are stored

    • Understanding the hashing algorithm

    • Cracking the passwords with John/Hashcat

    • How z/OS uses PassTickets

    • Cracking PassTickets

    • Using the hash to make your own ticket

  • Privilege Escalation (1h)

    • JCL

    • NJE

    • BPX.SUPERUSER

    • SURROGAT authority

    • Search/SuperC

    • APF Authorized

    • Unix Mount

    • Lab 7 - Use Python to become a fake mainframe

  • Review (20m)

    • Cover any questions/remaining items

  • CTF (2h)

    • The last two hours are a mainframe CTF that uses everything learned in the class to 'own' a mainframe.

    • Students attack the in-house mainframe to gain points; the team with the highest score wins a prize!

    • Cover all the CTF items and answers for the class
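The System Enumeration segment lives on RACF output, and Day 2's LAB 2 captures LISTUSER through s3270 and parses it in bash. As an added example (not course material or the instructor's code), here is that parsing in Python, taken a step further than the lab: it handles a listing of several users rather than one, and runs the checks a tester would want over it, namely system-wide SPECIAL/OPERATIONS/AUDITOR, group-level SPECIAL on a connect, JOIN or CONNECT authority, expired passwords (PASSDATE=00.000) and stale accounts. SAMPLE is a constructed transcript laid out like LISTUSER output; the userids, groups and dates are made up, and the parser assumes the ATTRIBUTES line is not continued onto a second line.

```python
"""Parse RACF LISTUSER output and flag the accounts a tester cares about.

Added example, not course material. SAMPLE is a constructed transcript in
the documented LISTUSER layout; the userids, groups and dates are made up.
"""
import re
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed sample of what LISTUSER returns, as captured through s3270 or a batch IKJEFT01 step.
SAMPLE = """\
USER=IBMUSER  NAME=IBM DEFAULT USER       OWNER=IBMUSER   CREATED=85.123
 DEFAULT-GROUP=SYS1     PASSDATE=00.000 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL OPERATIONS
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=22.134/10:11:12
 CLASS AUTHORIZATIONS=NONE
 LOGON ALLOWED   (DAYS)          (TIME)
 ---------------------------------------------
 ANYDAY                          ANYTIME
  GROUP=SYS1      AUTH=JOIN      CONNECT-OWNER=IBMUSER   CONNECT-DATE=85.123
    CONNECTS=   123  UACC=NONE     LAST-CONNECT=22.134/10:11:12
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
USER=ALICE    NAME=ALICE TESTER          OWNER=SYSADM    CREATED=21.045
 DEFAULT-GROUP=DEVGRP   PASSDATE=22.100 PASS-INTERVAL= 90 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=21.300/08:00:00
 CLASS AUTHORIZATIONS=NONE
  GROUP=DEVGRP    AUTH=USE       CONNECT-OWNER=SYSADM    CONNECT-DATE=21.045
    CONNECTS=    17  UACC=NONE     LAST-CONNECT=21.300/08:00:00
    CONNECT ATTRIBUTES=SPECIAL
    REVOKE DATE=NONE   RESUME DATE=NONE
"""

HEADER_RE = re.compile(r"^USER=(\S+)\s+NAME=(.*?)\s+OWNER=(\S+)\s+CREATED=(\S+)")
CONNECT_RE = re.compile(r"^\s*GROUP=(\S+)\s+AUTH=(\S+)")
SYSTEM_WIDE = {"SPECIAL", "OPERATIONS", "AUDITOR"}   # attributes that bypass normal RACF access checking


def _field(block: str, name: str) -> Optional[str]:
    """First NAME=value in the block, without matching a longer name such as CONNECT-OWNER."""
    m = re.search(r"(?<![-\w])" + re.escape(name) + r"=(\S+)", block)
    return m.group(1) if m else None


def _attr_list(text: str) -> List[str]:
    return [] if text.strip() in ("", "NONE") else text.split()


def parse_listuser(text: str) -> List[Dict]:
    """Split LISTUSER output for one or more users into dicts."""
    users = []
    for block in re.split(r"(?m)^(?=USER=)", text):   # each user starts a line with USER=
        head = HEADER_RE.match(block)
        if not head:
            continue
        user = {"user": head.group(1), "name": head.group(2).strip(),
                "owner": head.group(3), "created": head.group(4),
                "default_group": _field(block, "DEFAULT-GROUP"),
                "passdate": _field(block, "PASSDATE"),
                "last_access": _field(block, "LAST-ACCESS"),
                "attributes": [], "connects": []}
        for line in block.splitlines():
            stripped = line.strip()
            conn = CONNECT_RE.match(line)
            if stripped.startswith("ATTRIBUTES="):
                user["attributes"] = _attr_list(stripped[len("ATTRIBUTES="):])
            elif conn:
                user["connects"].append({"group": conn.group(1), "auth": conn.group(2), "attributes": []})
            elif stripped.startswith("CONNECT ATTRIBUTES=") and user["connects"]:
                user["connects"][-1]["attributes"] = _attr_list(stripped[len("CONNECT ATTRIBUTES="):])
        users.append(user)
    return users


def racf_date(value: Optional[str]) -> Optional[date]:
    """RACF dates are yy.ddd (Julian day), optionally followed by /hh:mm:ss.
    00.000 is not a date: for PASSDATE it means the password is expired."""
    if not value:
        return None
    try:
        return datetime.strptime(value.split("/")[0], "%y.%j").date()
    except ValueError:
        return None


def findings(user: Dict, as_of: date, stale_days: int = 90) -> List[str]:
    """What to note about one user during enumeration and privilege escalation."""
    out = []
    attrs = set(user["attributes"])
    out += [f"system-wide {a}" for a in sorted(attrs & SYSTEM_WIDE)]
    if "REVOKED" in attrs:
        out.append("revoked")
    if "PROTECTED" in attrs:
        out.append("protected (no password; cannot log on with one)")
    elif user["passdate"] == "00.000":
        out.append("password expired (set by an administrator and never changed)")
    last = racf_date(user["last_access"])
    if last and (as_of - last).days > stale_days:
        out.append(f"no access for {(as_of - last).days} days")
    for c in user["connects"]:
        out += [f"group-{a} in {c['group']}" for a in sorted(set(c["attributes"]) & SYSTEM_WIDE)]
        if c["auth"] in ("JOIN", "CONNECT"):
            out.append(f"{c['auth']} authority in {c['group']} (can connect other users to it)")
    return out


def report(text: str, as_of: date) -> Dict[str, List[str]]:
    """Map each userid in a LISTUSER listing to its findings."""
    return {u["user"]: findings(u, as_of) for u in parse_listuser(text)}


if __name__ == "__main__":
    for userid, notes in report(SAMPLE, date.today()).items():
        print(userid, notes)
```

Feed it the screen text saved by an s3270 script (or the SYSTSPRT of a batch LISTUSER step) in place of SAMPLE. The same regex-per-field approach extends to the RACF SEARCH and LISTGRP output used elsewhere on Day 2; the point of parsing rather than eyeballing is that a listing of a few hundred users can be reduced to the handful with SPECIAL, group-SPECIAL or JOIN authority that matter for the privilege escalation segment.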

 

Hardware and Software Requirements

To be added.

 