Charlotte ISSA - 2016 - Mainframe Hacking

Transcript of Charlotte ISSA - 2016 - Mainframe Hacking

Page 1: Charlotte ISSA - 2016 - Mainframe Hacking

@mainframed767

DISCLAIMER

I’m not here in the name of or on behalf of my employer. All opinions expressed here at ISSA are my own.

Is it Legacy?

WHAT IF?

Three out of four of those pictures are what we should define as “Legacy”. Mainframes aren’t one of them.

FACTS

IBM Mainframes are MODERN architectures running STATE OF THE ART operating systems.

•  Current Version: 2.2 released in 2015
•  Modern password crypto
•  Supports IOT/Web

IT’S IMPORTANT

•  96 of the world’s top 100 banks
•  23 of the 25 top US retailers
•  9 out of 10 of the world’s largest insurance companies
•  71% of global Fortune 500 (355)

HOW MANY?

Mainframes process roughly 30 billion business transactions per day, including most major credit card transactions and stock trades, money transfers, manufacturing processes, and ERP systems.

SHOW OF HANDS

How many of you today are actively doing penetration testing or vulnerability scans on your mainframes?

A.K.A. ABOUT ME

1992

FAST FORWARD

•  Degree in Computer Science
•  IT Security Consultant:
   –  Ernst & Young
   –  Grant Thornton
•  Internal Audit: Visa
•  Currently:
   –  Mainframe Pentester

BEFORE & AFTER VISA

•  Mainframe security reviews
   –  Typical checklist auditor
   –  No idea what I was actually doing
•  Assigned to review mainframe at Visa
   –  Was assigned a terrible consultant
   –  Started personal research
   –  Identified multiple vulnerabilities

TALKIN’BOUT IT

http://bit.ly/ztalks

YOU MAY BE THINKING: “Most, or all, mainframes are protected behind firewalls, VPNs, other various security controls.”

INTERNET MAINFRAMES PROJECT

•  Started in 2013
•  Simple scan of the internet for mainframes (using Nmap)
•  Found about 400+ mainframes

For example:

FOR THOSE WONDERING

PRIMARY MAINFRAME OS

IT’S JUST AN OPERATING SYSTEM

•  It has Files and Folders
   –  (but they’re not called files or folders)
•  It has a command line
•  It has a GUI
•  Serves up websites
•  It runs UNIX
•  TCP/IP

FILES AND FOLDERS

FILES are called Datasets
•  Datasets are composed of:
   –  High Level Qualifier (HLQ)
   –  Other Qualifiers
   Example: PHIL.PROGRAMS.TEST (HLQ: PHIL)

FOLDERS are called Partitioned Datasets (PDS)
•  Same as datasets but now has ‘members’
   Example: PHIL.PROGRAMS.TESTS(JUNE2015) (HLQ: PHIL, MEMBER: JUNE2015)
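A parser for the dataset and member naming scheme above, added here as an example and not code from the talk or the speaker’s repositories. It goes beyond the slide by applying the standard z/OS naming rules (44-character limit, 1 to 8 character qualifiers starting with a letter or @ # $, member names in parentheses) and adds a small helper that groups an inventory by HLQ, which is the first thing to sort by when working out what lives on the system and who owns it; the sample inventory is constructed.

```python
import re
from collections import Counter

# Standard z/OS naming rules (assumed here; the slide only names the parts):
# a dataset name is up to 44 characters of '.'-separated qualifiers, each
# 1-8 characters, starting with A-Z or a national character (@ # $) and
# continuing with A-Z, 0-9, national characters or '-'.  A PDS member name
# follows in parentheses and uses the same character set without '-'.
QUALIFIER = re.compile(r"^[A-Z@#$][A-Z0-9@#$-]{0,7}$")
MEMBER = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")


def parse_dataset(name):
    """Split e.g. 'PHIL.PROGRAMS.TESTS(JUNE2015)' into HLQ, other qualifiers
    and member.  Raises ValueError for anything that is not a legal name, so
    garbled input in an inventory or log feed is rejected instead of misfiled."""
    name = name.strip().upper()          # z/OS folds dataset names to upper case
    member = None
    if name.endswith(")"):
        base, sep, mem = name[:-1].partition("(")
        if not sep or not MEMBER.match(mem):
            raise ValueError("bad member name: %r" % name)
        name, member = base, mem
    if len(name) > 44:
        raise ValueError("dataset name exceeds 44 characters: %r" % name)
    qualifiers = name.split(".")
    for q in qualifiers:
        if not QUALIFIER.match(q):
            raise ValueError("bad qualifier %r in %r" % (q, name))
    return {"hlq": qualifiers[0], "qualifiers": qualifiers[1:], "member": member}


def hlq_inventory(names):
    """Count datasets per HLQ so an inventory can be reviewed owner by owner."""
    return Counter(parse_dataset(n)["hlq"] for n in names)


# Constructed sample inventory, modelled on the slide's two examples.
SAMPLE = [
    "PHIL.PROGRAMS.TEST",
    "PHIL.PROGRAMS.TESTS(JUNE2015)",
    "SYS1.PARMLIB(IKJTSO00)",
    "SYS1.RACFDB",
]

if __name__ == "__main__":
    for n in SAMPLE:
        print(n, "->", parse_dataset(n))
    print(hlq_inventory(SAMPLE))
```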

COMMAND LINE

•  Known as TSO
•  Identified by the red ‘READY’ prompt

UNIX

•  z/OS comes with UNIX
•  UNIX runs TCP/IP
   –  Webservers
   –  SSH
   –  DB2 sockets
   –  CICS sockets

SECURITY DATABASE

•  z/OS is governed by what’s called a SAF (System Authorization Facility)
•  Most common (IBM): RACF
   –  Resource Access Control Facility
•  Two others (CA):
   –  ACF2
   –  Top Secret

TO FIND THE LOCATION

•  Finding RACF database is really easy:

SCRIPTING LANGUAGE

•  Job Control Language (JCL)
•  A scripting language for mainframes
•  For example:

JOB CARD

Program Parameters

STEAL CREDENTIALS

AUTOMATE WITH ETTERCAP

STEAL THE RACF DATABASE

• RACF hashes passwords with DES – without the newest (optional) upgrade

• John the Ripper supports RACF password cracking

MORE ABOUT HASHING ALGO

•  Chad Rikansrud @bigendiansmalls
•  SHARE 2016, “Topics on Mainframe Encryption”: http://bit.ly/zoscrypto

LET’S BREAK IN INSTEAD

See if you can catch the problem

CICS ENUMERATION?

PATCH OA44855

•  Disables this ability
•  While allowing users to log on
•  Again this patch/change is ‘optional’
•  PASSWORDPREPROMPT ON

USING FTP

•  Allows for SSL – no excuses for unencrypted

•  Allows wildcard searches (e.g. *RACF*)

•  Allows for JCL submission

METASPLOIT-ABLE

Z/OS CVE’S

Only two in the world!

•  CVE-2012-5951 (CVSS Score: 7.2)
   –  Local privilege escalation
•  CVE-2012-5955 (CVSS Score: 10)
   –  CGI-BIN parser & ‘;’

THESE CVE’S

•  These two CVE’s came from the Logica/Nordea breach
•  In 2012 a founder of The Pirate Bay breached multiple mainframes

“Smashing the Mainframe: For Fun and Prison Time”: http://bit.ly/zbreach

TN3270 APPLICATIONS

•  TN3270 is the protocol
   –  That ‘green screen’
•  Relies on client side security

DO IT YOURSELF

All these scripts are available online:

http://github.com/zedsec390 &

http://github.com/mainframed

IBM POLICY

IBM QUOTES

“PUBLIC release of this data was not in the best interest of the system Z community.”

VULNERABILITY SCANNING

•  Almost worthless on the platform
•  Qualys/Nessus don’t support the platform
•  Scanners rely on CVEs

However:

•  IBM doesn’t release public vulnerabilities

NOT UP TO DATE

IBM TRUST IS ABSOLUTE

Show of hands: Who here trusts Microsoft to get crypto right?

SPEAKING OF ABSOLUTES

“Also ALL the DoD mainframes are behind firewalls and VPNs”

ALL

PENSYS1.ARMY.PENTAGON.MIL

PENETRATION TESTING

•  No, the system won’t crash
•  Start forcing penetration testing against the environment

Key Take Away: The system isn’t “Legacy” and therefore shouldn’t be exempt from standard information security controls.

BETTER SIEM

•  The mainframe logs everything
•  Getting those logs is a challenge but not impossible
•  Multiple products exist which support mainframe logs

Key Take Away: Mainframe logs should be used for alerting and follow your existing Windows/Linux processes.

ASSET CLASSIFICATION

•  Multiple products exist on the market to identify WHAT is on your mainframe
•  Identifying critical data assets allows you to protect it!

Key Take Away: Being able to identify critical data and who is accessing it is essential for forensics and appropriate control assessments.

LAB ENVIRONMENT

•  Get access to the mainframe yourself
•  Hands on learning opportunities
•  “Rational Development and Test Environment for System Z” - http://bit.ly/rdtz

Key Take Away: Hands on training and access provides clear connections to mainframe controls and allows for better security testing.

COMPLIANCE

•  Controls should be as robust as those on other systems
•  Standard processes should be observed despite the ‘Legacy’ moniker.
•  Use appropriate baseline: DoD DISA STIG
   –  DoD STIG is the only comprehensive checklist which covers the entire OS

Key Take Away: Assess your current controls against those in other areas and best practices and close any gaps which exist.

WHAT DO YOU THINK?

• Do you still think it’s a “secure” legacy platform?

• Who here thinks it appropriate to be out of scope from your security activities?

THANKS/CONTACT

You can contact me on gmail/twitter/tumblr:

Email: [email protected]
Blog: Mainframed767.tumblr.com
Twitter: @mainframed767

THANK YOU!

All Links: http://bit.ly/ztalks http://bit.ly/zoscrypto http://bit.ly/zbreach http://bit.ly/rdtz