The key areas to understand when analysing a mainframe kill chain attack path are listed below. z/OS and its UNIX side run together as the two primary parts of the mainframe operating system. The ultimate target for a malicious actor is a RACF user holding the Special and Operations attributes and/or root on the UNIX side.
The list of components below is not exhaustive; it is a summary with a short description of each component's purpose.
- SNA: logical identifiers, e.g. a terminal receiving an ID, used for routing between connections
- VTAM: the initial connection screen on a 3270 terminal; its functions include Logon, Logoff and IBMTEST
- TSO: the shell of z/OS, and the place to directly execute REXX scripts
- REXX: the scripting language of z/OS
- JCL: the batch job control language; jobs are submitted to the scheduler and run commands
- RACF: the security product that authenticates users and controls access; its most elevated permissions are Special and Operations, which together are the most dangerous roles
- Virtual Storage: everything lives in memory, organised into data areas
- APF: authorised programs run at the equivalent of ring 0 and can edit ANY region of memory; a malicious actor able to change memory can elevate their access or read sensitive information
- CICS: Customer Information Control System, a transaction server that plays a role similar to websites but is not a web server; via the CECI function, JCL can be uploaded
- UNIX: handles the networking of the mainframe, Java, web serving, etc.
- FTP: allows file transfer, and can also submit JCL jobs when switched into JES mode with the command: site file=jes
The points below are possible attack vectors that may be used to obtain access to sensitive information or a highly privileged role.
- Scan to discover open services and ports (FTP, SSH, 3270, etc.) - (missing SSH 22!)
- FTP on TCP port 21 is a bridge between z/OS and UNIX, used to enumerate and validate credentials and to perform a password spray (Patator), not brute force
- Gain TSO "shell" access, the multi-user shell of z/OS; aim to obtain an account with access to TSO
- Run the ENUM REXX script to determine users sharing the same ID, which allows access to another user's SSH profile or key
- SSH in with the discovered SSH keys
- Inside the SSH session use the command:
tso 'search class(surrogat)'
or
tsocmd 'search class(surrogat)'
to determine permissions - whether it is possible to run a JCL job as another (surrogate) user
- Set up a bind/reverse shell port for the bad actor to connect to remotely: submit the script to the job scheduler, which runs the job and allows the remote connection with a different user's permissions
- List datasets under the HLQ (high-level qualifier) and catalogued resources containing data
- Get a copy of the RACF database backup (a sensitive file) and identify credentials and passwords from it
- Obtain access to the security authentication product (RACF): PassTicket one-time generated passwords for the TSC backup account give access to privilege escalation to the Special/Operations level role
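The password-spray step above (Patator against FTP, many user IDs with few passwords each) defeats per-user lockout, so a defender has to count distinct failing IDs per source rather than failures per user. The following is an added detection example, not part of the original notes; its log lines and their "timestamp source user result" layout are constructed for illustration and do not reproduce the real z/OS FTP server record format (SMF type 119).

```python
"""Flag FTP password spraying against a z/OS FTP service from login events.
Spraying (the Patator ftp_login step above) tries few passwords against many
user IDs, so per-user lockout never trips; count distinct failing IDs per source
instead. Log lines are constructed, not the real z/OS FTP (SMF 119) format."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 IBMUSER FAIL
2024-01-10T09:00:02 10.0.0.5 SYSADM FAIL
2024-01-10T09:00:03 10.0.0.5 TSOUSR1 FAIL
2024-01-10T09:00:04 10.0.0.5 TSOUSR2 FAIL
2024-01-10T09:00:06 10.0.0.5 OPER1 OK
2024-01-10T09:05:00 10.0.0.9 TSOUSR1 FAIL
2024-01-10T09:05:01 10.0.0.9 TSOUSR1 FAIL
2024-01-10T09:05:02 10.0.0.9 TSOUSR1 FAIL
2024-01-10T09:05:03 10.0.0.9 TSOUSR1 FAIL
2024-01-10T10:30:00 10.0.0.7 TSOUSR2 FAIL
2024-01-10T10:30:20 10.0.0.7 TSOUSR2 OK
"""

def parse(log):
    events = []
    for line in log.splitlines():          # constructed layout: ts src user result
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return sorted(events)

def classify(events, window=timedelta(minutes=10), min_users=4, min_fails=4):
    """Map each source address to 'spray', 'brute_force' or 'normal'."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    verdicts = {src: "normal" for src in by_src}
    for src, evs in by_src.items():
        for i, (start, _, _) in enumerate(evs):
            fails = [u for ts, u, r in evs[i:] if r == "FAIL" and ts - start <= window]
            if len(set(fails)) >= min_users:             # many IDs, few tries each
                verdicts[src] = "spray"
                break
            if len(fails) >= min_fails and len(set(fails)) == 1:
                verdicts[src] = "brute_force"            # one ID hammered
                break
    return verdicts

def successes_after_spray(events, verdicts):
    """Logins that succeeded from a spraying source: likely valid credentials."""
    return sorted((src, user) for _, src, user, result in events
                  if result == "OK" and verdicts.get(src) == "spray")
```

A successful login from a source already classified as spraying is the event worth escalating, since it means the sprayed password was valid for that account.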
A sample of tools used to detect vulnerabilities in, and run exploits against, mainframes.
- Patator - ftp_login module
- CICSPWN - https://github.com/ayoul3/cicspwn/blob/master/cicspwn.py
- ENUM script - https://github.com/mainframed/Enumeration/blob/master/ENUM
- bind.jcl shell script - in the wind
- Passticket - https://github.com/bigendiansmalls/passticket-tools
- wc3270 - https://github.com/ayoul3/wc3270_hacked/releases/tag/WC3270_hacked
- x3270 - http://x3270.bgp.nu/
- Nmap NSE scripts - TSO user enumeration, CICS transaction ID discovery, VTAM application ID identification
- Hydra - or John, used after Patator to discover credentials
- Metasploit - mainframe JCL payloads and exploits
- iNJEctor - exploits the trust between mainframes
- HOW TO HACK THE MAINFRAME - Davide Girardi
- NorthSec 2019 - Philip Young - Mainframe Hacking in 2019
- Nmap tso-enum
- cicspwn
- IBM - Detecting and Preventing Hacking the Mainframe
- Python py3270 - IBM 3270 terminal emulator library
- Hacking Mainframes - Dan Helton
- Contest program: Master the Mainframe by IBM, to grow skilled resources
- Awesome Mainframe Hacking - @samanL33T
- Fun future project: build a personal mainframe on the Hercules mainframe hardware emulator, by Tron Guy (Jay Maynard)