Had a few people ask for the actual presentation, so here you are!
I’d been asked a few times recently for the code that generates the ICHDEX01 RACF masking exit. If you recall, this was the pre-DES (and long pre-KDFAES) algorithm that RACF used to store its passwords. (If you want more detail about this as the other algorithms, see my presentation from SHARE 2016)
The algorithm, through a series of shifts and XORs transforms the user’s 8 character password into the masked equivalent. Quick users will see that the algorithm does little to actually protect the passwords from reverse engineering as there is a 1:1 relationship with the input (plaintext) character in position X to its corresponding output masked character in the same position X.
For example, given algorithm mask(), the following examples hold true:
So all we need do is encode via the algorithm each character until we have positions in the new mask matching the given mask.
The github repo below has both the encoder (ichdex01.py) and brute-forcer (masking_bf.py)
Watch this space.
An interview I gave regarding the state of mainframe security. Pt. 1.
Well – the time has come to start doing what I love to do full time. I couldn’t be happier to announce that I’m working with RSM Partners, Ltd to help bring their amazing mainframe services, security & software business to North America. This is going to be a great challenge and a great opportunity. Super excited to work with all the amazingly talented people at RSM.
Next week at SHARE – San Jose, I’m giving a talk on ransomware on z/OS. I’ve been asked multiple times if I thought ransomware could happen on Z, is it possible: Unequivocally yes. Come see this talk and watch a live demonstration of how this might work. If you are responsible for mainframe security, work for a company with a mainframe, or just want to better understand the landscape of this particularly insidious threat, don’t miss this talk.
Ransomware is a combination of 3 basic moving parts:
- A delivery mechanism (Phishing email, infected web page, malicious program).
- This infects the user’s machine – allowing for sniffing of credentials and network traffic. It can then upload a payload to the host system.
- File cataloging and encrypting.
- Just what it sounds like – find files of interest, encrypt them in place, destroy the local copy of the key.
- Some type of Command & Control (or at least reporting) – centralized server.
- Some means of transferring the keys out to the bad guys. Also, a way for the affected users to connect and pay ransom. (This is not strictly required, but does have precedent. Steps #1 & #2 can happen regardless of the system’s ability to ‘phone home’ ).
We will also look at how to attempt to mitigate this catastrophic event, as well as ideas about how to recover from it. Items such as two-factor authentication, proper ICSF / RACF security controls, egress filtering and intrusion detection.
This is a co-presentation I did with Brian Marshall and Mark Wilson.
My slides are the last few, where I demonstrate 3 distinct exploits on the mainframe. First, off-the-shelf Java with Jboss. Second, TN3270 SSL MITM (using SETn3270 – thx to @mainframed767) and then use the stolen creds in a mainframe Metasploit module to get a shell. And third, the final stages of what was a malicious SMP/E payload – demonstrated by an IPL that has an already inserted malicious SMF exit module installed (IEFU29).
Hope you enjoy it! PS – The animated GIFs that show the actual demonstrations don’t work in the deck via slideshare, so I’ve posted them separately below.
Recently updated my work in Metasploit to allow for editing of the JCL JOB card, in PR7221.
What this means for you senior and aspiring z/OS pentesters, is that you can tailor JCL you submit with valid CLASS,MSGCLASS,NOTIFY,ACCOUNTING etc.
This will allow for more success running jobs on different systems and, out of the box, it is set with defaults that will run quiet on most systems.
Next MSF project is a TN3270 layer, which will allow for scripted information gathering and attacks on systems – using the TN3270/TSO interface.
For any of you who live in GDB, this is a great quick guide on some setup options that will improve your GDB efficiency.
I started writing a list of topics I’ve learned, some in excruciating detail, some just enough to know where to look for further details (trust me, that is no small feat).
I’m writing this not only as a way of keeping me honest on those days when nothing goes right, but also as a way to incentivize those among you who, like myself, have an insatiable desire to learn – and the tenacity to “figure it out.”
In most organizations, the below is accomplished by teams of people. Some of the items (gen’ing a system from scratch, for instance – or setting up SMP/E, SMS, etc. from scratch – might never be a part of even a very senior mainframer’s repertoire). I wanted to see what it would take to go it alone.
My plan is to build this page out with good links to relevant data – and/or if I get really ambitious build some how-tos on the finer points, if there is interest. Real language how and wherefores.
THINGS I’VE LEARNED (since I started a deep technical dive into mainframes)
- password construction / algorithms
- user profile management
- using callable services
- TSO commands for many common elements
- building certificates
- importing certificates
- user certificates
- Storage Management
- Configuring SMS from scratch
- Initializing devices
- using DFDSS to move, backup and restore files
- using IDCAMS for catalog and VSAM file management
- what the eff a VSAM file is
- how to allocate datasets
- different access methods (qsam, bdam, etc)
- what the hell a cylinder (or track) is
- How big a mod 3,9,27,54 EAV are
- Initializing volumes
- labeling and initializing tapes
- troubleshooting space abends (D37,B37,E37)
- System Programming
- SMP/E updates, installation, management
- Building jcl from scratch
- Configruing IPL parms, parmlibs, and startup shutdown procs from scratch
- checking system resources
- How apf authorization works
- building a lnklist
- building an lpalib
- building a multi-tier catalog system
- taking SVC dumps
- Getting a trace of a component
- reading said trace
- using IPCS
- troubleshooting failed ipls
- z/OS crypto
- keychain management
- key management
- password configuration
- Assembler Programming
- What a load module is
- What a program module is
- how to disassemble them
- writing assembly
- using 4 different debuggers
- patching programs the hard way
- building a ZAP
- Using Macros
- Compiling, Linking
- Callable service usage
- What the hell Language Environment is
- Jes2 job management
- Reading a job log
- managing output
- managing active jobs
- reconfiguring SDSF screens
- Job management
- Configuration files
- parmlib entries
- TN3270 configuration
- FTP configuration
- FTP/S configuration
- TN3270 + ssl configuration
- Policy Agent configuration
- TSO / USS tcp/ip commands
- creating zfs filesystems
- dbx debugger
- compiling and linking with xlc
- What the hell Language Environment is
- z/OS operations
- Many console commands (devices, stg)
- How to research a WTOR
- Vtam commands
- tcpip commands
- device commands
- Panel customization
- DDLIST wizardry
- Editor fine-tuning
- Keylist modification
- using the editor – line & main command sets
THINGS LEFT TO LEARN
- memory areas and control blocks in depth
- So much more (work in progress)
- policy agent
- ATTLS (in depth)
- Coding Exits
- Hardware configuration
- Cross memory operations (PC, SRB, etc)
- much more