RACF masking algorithm, unmasked

I’d been asked a few times recently for the code that generates the ICHDEX01 RACF masking exit. If you recall, this was the pre-DES (and long pre-KDFAES) algorithm that RACF used to store its passwords. (If you want more detail about this as the other algorithms, see my presentation from SHARE 2016)

The algorithm, through a series of shifts and XORs transforms the user’s 8 character password into the masked equivalent. Quick users will see that the algorithm does little to actually protect the passwords from reverse engineering as there is a 1:1 relationship with the input (plaintext) character in position X to its corresponding output masked character in the same position X.

For example, given algorithm mask(), the following examples hold true:

So all we need do is encode via the algorithm each character until we have positions in the new mask matching the given mask.

The github repo below has both the encoder (ichdex01.py) and brute-forcer (masking_bf.py)

Masking/Demasking python code

Enjoy.

New job – Doing what I love

Well – the time has come to start doing what I love to do full time. I couldn’t be happier to announce that I’m working with RSM Partners, Ltd to help bring their amazing mainframe services, security & software business to North America. This is going to be a great challenge and a great opportunity. Super excited to work with all the amazingly talented people at RSM.

RSM Appoints North America Director

Enterprise Systems Media – RSM Partners announces new N. America Director

Is that ransomware on your mainframe?

Next week at SHARE – San Jose, I’m giving a talk on ransomware on z/OS.  I’ve been asked multiple times if I thought ransomware could happen on Z, is it possible: Unequivocally yes.  Come see this talk and watch a live demonstration of how this might work.   If you are responsible for mainframe security, work for a company with a mainframe, or just want to better understand the landscape of this particularly insidious threat, don’t miss this talk.

Ransomware is a combination of 3 basic moving parts:

  1. A delivery mechanism (Phishing email, infected web page, malicious program).
    • This infects the user’s machine – allowing for sniffing of credentials and network traffic.  It can then upload a payload to the host system.
  2. File cataloging and encrypting.
    • Just what it sounds like – find files of interest, encrypt them in place, destroy the local copy of the key.
  3. Some type of Command & Control (or at least reporting) – centralized server.
    • Some means of transferring the keys out to the bad guys. Also, a way for the affected users to connect and pay ransom. (This is not strictly required, but does have precedent.  Steps #1 & #2 can happen regardless of the system’s ability to ‘phone home’ ).

We will also look at how to attempt to mitigate this catastrophic event, as well as ideas about how to recover from it.  Items such as two-factor authentication, proper ICSF / RACF security controls, egress filtering and intrusion detection.

SHARE 2016 Atlanta – Presentation – Mainframe exploits

This is a co-presentation I did with Brian Marshall and Mark Wilson.

My slides are the last few, where I demonstrate 3 distinct exploits on the mainframe.  First, off-the-shelf Java with Jboss.  Second, TN3270 SSL MITM (using SETn3270 – thx to @mainframed767) and then use the stolen creds in a mainframe Metasploit module to get a shell.   And third, the final stages of what was a malicious SMP/E payload – demonstrated by an IPL that has an already inserted malicious SMF exit module installed (IEFU29).

Hope you enjoy it! PS – The animated GIFs that show the actual demonstrations don’t work in the deck via slideshare, so I’ve posted them separately below.

02-ssl-creds-msf 02-java-jexboss

Updated JCL in Metasploit Functionality

Recently updated my work in Metasploit to allow for editing of the JCL JOB card, in PR7221.

What this means for you senior and aspiring z/OS pentesters, is that you can tailor JCL you submit with valid CLASS,MSGCLASS,NOTIFY,ACCOUNTING etc.

This will allow for more success running jobs on different systems and, out of the box, it is set with defaults that will run quiet on most systems.

Next MSF project is a TN3270 layer, which will allow for scripted information gathering and attacks on systems – using the TN3270/TSO interface.