
Anyone in the house? Anyone? I know you're here, because people have told me, but they never admit to being in my talks. So, quick: I'm going to start a timer here so I don't go over time. A quick little anecdote. When I gave this talk at Black Hat last year I was thinking, you know, how can I start the talk to be interesting, how can I get this talk to be really fun and dynamic? So I said, okay, and I want you guys to play along too: put up your hands if you've ever audited or done a security assessment or some kind of pen test on a mainframe. Hands way up high, high, high, high, keep them up. So in my Black Hat audience, a room this size full of people, all the hands were up. All right, that's good, right? They're all doing security administration work, they're trying to audit the machine, they're trying to do security work, great. Then I asked them to keep their hand up if they'd ever actually worked on a mainframe, if they'd actually been a system programmer. Well, this dude back here has. If they'd ever been a system programmer, or if they'd ever been an administrator, or done any kind of work on the mainframe. All the hands went down but one hand, and it was because he had just switched from being a security guy to a system programmer, because they get paid more. All right.

And so to me that was really shocking. I actually expected there'd be at least a few hands up in a room full of like 100, 200 people, but no. So that's sort of the disconnect. Like, look, all the hands are down, none of you guys are system programmers except for you in the back. You were at my Austin talk? Yeah, you were, yeah. So it's just funny how this community, the community who's in charge of assessing the mainframes and testing the security of the platform, really has never actually administered or done anything in terms of running that platform. But if I ask the same question and say how many of you have done a Linux pen test or some kind of Linux security work, a whole bunch of hands... one hand goes up. Liars. And then if I asked you how many of you have run a Linux box, all the hands would go up, because it's super easy and it's accessible. The mainframe is not accessible, and so that puts you guys at a disadvantage already. This talk is going to help sort of get through that disadvantage a little bit and teach you some cool hacking skills.

Now I've got to put this disclaimer up: I'm here as a private individual. I'll read right from the slide here: I am not here in the name of or on behalf of my employer; I'm here solely because of personal research I've done in personal time. Okay, that's how it goes. So who am I, why am I here, why am I talking about this topic? Okay, this is my third time at BSides. I love BSides. I started as a mentee: my very first talk at BSides was as a mentee, my very first talk ever was on the mentee track. But I'm sort of a one-trick pony, right? All I do is mainframes, that's all I do. Come talk to me about Ubuntu, whatever, I don't give a [ __ ]. Mainframes, especially z/OS and IBM mainframes, that's my jam. Don't bother coming to me with like a kickass cross-site scripting, I don't care. So since I gave that talk at BSides two years ago I've spoken at a few other conferences. I'm not going to read them all, but interestingly enough SHARE has asked me to give a talk, and that's the conference for mainframe people, so that should be fun, I may get lynched. And DEF CON later this week: I'm going to be giving a similar talk that's going to be covering different things, but still mainframes, because that's all I know. So this talk, like I mentioned, is going to be about z/OS, Z Series;
if you're an AS/400, OS/400, i5 or whatever they changed the name to, this is not the talk for you. You might get some cool things from it, but this is the biggest big iron, the stuff that huge financial, military, airline, travel and banking are running. This is not for, like, you know, Caesars runs an AS/400 and that's kind of cute, but I'm talking global, huge mainframes that take up multiple, multiple racks in the data center, and they're using up a lot of electricity and making a lot of heat and processing, what, a couple hundred thousand transactions a minute, right? That's what I'm talking about here. I'm only talking about RACF, so ACF2 shops and Top Secret, you can breathe a sigh of relief because I'm not going to talk about that at all. There's no tools that exist for any of those security products. If you have no idea what I'm talking about, go read up about Top Secret and ACF2, because I don't have time. And I mentioned ASCII art; if I have time, we'll see.

So legitimately, why am I giving this talk? Right: mainframes are not a legacy platform. Ever. They never were. People call them legacy, oh, they get away with murder because it's a legacy platform. Oh, I don't need to do this, it's legacy. It doesn't have to have an eight-character password, it can do four, that's fine, it's a legacy platform. Who cares that it's processing all of my banking transactions, that's cool, it's cool. Who cares that Amex is running it through just four, four is cool. No, this is not a legacy platform. A lot of them though, I'll say, especially on the RACF mailing list, they're not up to date. There's posts from people who are like, hey, how do I upgrade from the equivalent of, how do I upgrade from Windows 2000 to 2008 Server, what's the upgrade path for that? That's what they're talking about. Well, more like NT in some cases; like, we're talking z/OS 1.4, which is super old, and they're talking about upgrading to the most recent version. That means they haven't been upgrading for a while. And all this information is public. This is not anything secret; this is out there and it's available for free, IBM gives it up for free, and you guys all suck for not having learned this yourselves. I should not be the one up here talking about this; I'm not some super crazy hacker guy and I'm having to talk about this. You guys should be the ones up here talking about this topic.

When I gave my Black Hat talk there was a really interesting article that came out afterwards about a guy who was like, well, who cares about your mainframe if you can't secure your Linux and Windows boxes? I was like, listen, if you've got Windows and Linux problems, yeah, you've got problems, fix that [ __ ] first. I'm going to swear in the talk, so if that offends anybody... You've got to fix that [ __ ] first, because there's a lot more, and there's a lot more exploits for that. But when we're talking about military or large financial organizations, they have that stuff locked down; they've had that stuff locked down for years, and yet they've left the mainframe to fester by itself. Why? Now I'm going to skip to the bottom slide: because the business people have been told it's secure by the engineers, and
then those engineers have retired, and the only engineers that are left assume it's secure, and any time you try to point something out to them they get all upset, because they're like, well, no, you have to prove it, you have to prove everything. And I'll be proving some stuff here today. The community is really awful. The mainframe community overall is really not a welcoming community at all. I'll show an example here; this is a good one, if you guys can read this. Here we go. So this person just asked like, hey, this command doesn't work, because he had a typo, and you can see way up here, he was trying to do something, he's trying to transfer some data and it's all messed up, and then this guy freaking just rips him a new one: "please go back and post what I asked for". Okay, that's fair enough. "If you cannot or will not post what is requested it is nearly impossible to help you." Not giving any guidance at all. He literally asked for the data on the non-mainframe box; this guy's talking about a production system and he's asking to see an example of the data, but he didn't say example, he's like, just give me the straight-up data for this box. And this is a mild case. I had to quickly find this while I was sitting outside because I wanted to give an example. I have seen some, like, literally two-thirds of the posts are just "read the [ __ ] manual", the 11,000-page manual, which is one volume of 133. So yeah, it's not a very welcoming community.

The other challenge, like I mentioned: people who know about this platform are starting to retire out. They're starting to leave the industry and they're taking all this knowledge that they have with them, and so we're losing incredible talent, and we're not really hiring that much talent. Like, I saw two, three people put up their hands who were doing this kind of research, and I saw no people put up their hand who actually touch the mainframe. So the other thing, and it's sad, is that on the security mailing lists for the mainframe there actually are people starting to die off. I mean, it's kind of funny, but it's not funny, because they've retired and now they've actually aged out from doing any kind of helping in the mainframe world, and they were the guys who invented the security, and we're losing all that knowledge and no one's taken up the talents to transfer it to them. This is an example from the RACF mailing list of how absolute the statements can be from a mainframe engineer. You can read some of it if you can see it, but: "also all the DoD mainframes are behind firewalls and VPN". Wonderful statement. I know that's a wrong statement, so I emailed him offline and I said, hey, just FYI, that's not entirely true; if you click this link you'll see this guy is online and available publicly to the internet right now. Hold on, before... don't... hey, hold on. This is publicly available, just chilling on the internet. I drive by, take a screenshot and move on. I don't do anything, I don't touch it. I do that over Tor, I'm admitting that, right, because the reason I do it over Tor is because some of them show my IP address. I'll show you an example here; some of them share the IP address, and that kind of sucks. Because if I'm giving a demo... I'm actually uploading these to a separate website three times a day, so I've collected a whole bunch. These are all internet-connected mainframes. I'll show you guys a cool one that I
like. Let's see, two, I think it's 217 here... yeah, whoa, whoa, whoa, whoa, 333, yeah, there's so... whoa, oh hello, okay. Can anybody read what this says? Right, that's Egypt Air. So that's kind of cool, right? There's an Egypt Air mainframe just chilling out, and they tell you what programs they're running, so you can just straight up type that in and start accessing some cool [ __ ]. And that's an airline, right. Iceland Air is on there. There's a whole bunch of, like, a lot of government stuff is on there, a lot of schools, a lot of schools. Weird thing, like Englewood in LA County has a mainframe to do, I guess, student grade processing, right? And like I was saying, the IP address: that's not my IP address, I'm not stupid, that's why I do it over Tor. Okay, so I have a website that publishes those all the time and it's super awesome.

The problem is IBM's disclosure policy kind of sucks. I've got to thank this guy over here for pointing this out to me. It really sucks. Basically they're saying, I'm going to summarize real quick, they say it's better for our customers if we don't disclose the security vulnerabilities that are brought to our attention, and we will not make CVEs, and we won't tell you if the patch fixes a security problem. Right? So sometimes there are shadow patches that patch a security vulnerability that you didn't know you had, which is fine, but they don't even disclose it. At least Microsoft says, hey, there was a buffer overflow and this patch fixed it, or this problem on the Oracle thing was doing whatever, so this is fixing that. There's nothing like that. It says install this thing to fix your Unix partition, and it'll do some upgrade to NetView, but it's doing some other stuff behind the scenes you have no idea about, and I'll demonstrate what I mean by that. And oh, by the way, that's recent, they sent... yeah, yeah, that's a great security policy from 1996. I guarantee you, when that was written they were like, well, we should nip this in the bud and just not let it happen. All righty, so that's it.

So the rest of the talk is going to be really demo heavy. I'm going to try to get through as much as I can. I like the interactivity, so if you guys have any questions, you want to see something, you missed something, you're like, hey, what was that thing you just did, that looked cool, I'll go back and redo it. Call it out. I see a lot of people sitting near the front, just yell it out, because the point is to get you guys exposed to this platform. So we're going to connect to my mainframe. All right, you guys can barely read that, so that's great. And then, all right, kickass demo time. Let's see here, can you guys see that at all? Can you guys kind of see it if I zoom in? Yeah, you can see parts of it, right? All right, so I'm going to log in as a user here, let's see if it works. All right. You guys can't see that at all, huh? All right, there, I'll do like this. Yeah, I wonder if we could just... yeah, because it's being recorded they can't kill the lights, that's fine. Well, all right, that's great. All right, I'll show some quick demos here and then we'll try to move on. So yeah, IBM has a VM that they offer called RDz, and I'll talk about that later. So that's great for my demos that you guys can't see, so that's awesome. These guys can see; if you want to move up to see some cool stuff... I'll try to walk through. No, I think I can, but I don't have enough time to stick around here and try to figure it out, so real quick I'll just do some... you know what, I'm just going to skip the command
line. Basically this is TSO; you can type cool commands. You can do NETSTAT HOME. You guys can see the green text, so that's good. Not "homey", so that's great. So you can see, I mean you guys can't really see the output, but you can see I typed NETSTAT; NETSTAT just shows you, you know, like regular netstat. But I'll get out of this because you guys can't see it. Basically you can type regular commands there; you can do like a listing of files, you can FTP from here, regular stuff. Nobody uses this because it's arcane and it's hard to use. I enjoy using it, but... So we'll get into what's basically the equivalent of the GUI on a mainframe, right? This is called ISPF. Maybe if I change my resolution, maybe that'll work. Let's see here. No, that can't do it. Let's see if we can change this. Is it going to work? That might be better. That's much better, you guys can see that now? Yeah, now it's way too freaking big. Just lower the screen format here. Well, you guys are going to have to live with it; that's about as good as I can get it.

All right, so this is the GUI equivalent on the mainframe. I really don't use it that much. You can go to 3.4; 3.4 shows you cool stuff you can do. If I wanted to look at my files, these are the files I have. You can edit these files, that's kind of cool, an editor. This is a JCL file, right? So JCL is like a batch file, except here, instead of like a shebang, you have a program that you execute. So I'm executing this program; the program's only going to be eight characters long, and then it's got all these options to do kind of cool stuff, and it's going to dump it to a specific file down here. So that's one file, that's one example of a file, and then here we can see, so this is another example of another file. Now, hopefully I logged in with it. So this is a REXX script, which is the equivalent of, like, Python on the mainframe. It's a scripting language, it's really powerful, you can do some kind of cool stuff with it. This script specifically tells you the logged-on users to TSO, because there's no real easy way to do it in TSO. So you can execute this command just like I was doing, like a TSO command; you can type TSO, and I'll zoom in and show you guys. All right,
TSO. So see, we can do that a little bit more there. So you can see here it showed the logged-on users: there's two users who are logged in right now, right? Obviously there'd be a lot more on a regular mainframe, but this is not a regular mainframe. I mean, it is, for all intents and purposes. So now you guys are definitely not going to see this part because it's all blue, so I'll get out of this. Let's go to... it's fine, so you guys can't see that at all. That's just Linux, well, Unix; it's Unix running in z/OS, right? So on the mainframe you have z/OS, right, that's the base operating system, and you have like TSO, which is command-line stuff and accessing data sets, and you have Unix, which lets you do all kinds of... it's a POSIX-compliant environment, has all the Unix components, and I'll do a demo of how you can break into that and get root. And then you have like CICS and all these other kinds of components, right? So that's how it's sort of made up. When I first learned about this it blew my mind. I'm like, wait a minute, it's running Unix like in the background and then we're just interacting with it with like a program on top? No, no, it's running alongside. I don't have time to really get into the details, but if you want to come see me afterwards I'll tell you. So you guys can't see that, that's terrible, but I can do like id, there you go, show me my user ID. All right, so that's the demo. Let's see here, I'll turn this off. Any questions about z/OS, anything you guys want to see, as if you guys can see anything, anything you'd like me to... and maybe I can tell you what the output looks like?

No, it's just like, I mean you can telnet straight from TSO, there's no... you don't need like a special reason. You can FTP from TSO, you can do an outbound telnet connection if you really wanted to.

Yeah, kind of. So when I did all that mainframe hunting, I used Shodan a little bit, and I actually talked to the guy who created Shodan, and when we talked back and forth, it's hard because they don't all have a banner, and Shodan uses banners, right, versus nmap, which does some analysis of the packets and can tell you what the OS is and what service is running. So I use nmap, but I use Shodan to find other services like FTP, which have a distinct banner like "IBM V1R5" or whatever; then I port scan that system to see if it's got the regular ports for those screens open. That's one way of hunting them down.

Okay, so we did this, I'm going to skip through this. All right, good. Now that you guys didn't see any of that demo, we're mainframe masters. Okay, if you guys didn't get anything from that demo, there's 12,000 pages' worth of manual you can read to become this level of expertise. But what can we do with that? Yeah, go ahead. A lot of mainframe system users, you get an option, you enter... yep. How do you break out of that? Not on the TSO side. Well, you can if you have APF-authorized libraries, but I was just talking about that; I don't really have the expertise yet to do that,
but you can with APF-authorized libraries. There's actually videos on YouTube showing guys who have done it. They don't tell you how, because they don't want to share that information. But yeah, not only that, they would say go ask your system programmers how you do that. Nobody... that. Yeah, well, how many guys work in a shop where you're not allowed to touch the mainframe, where you're not allowed to even look at it with, like, a ping, because the most secure platform on the planet can't handle a ping sweep, right? Oh yeah, you're going to crash whatever all the time, but oh, it's super rock solid security-wise. So that's why, and I'll talk to you guys about how to get your own emulated mainframes, and you can work with IBM to do that, and it'll be on the up and up, and you guys can start doing the same kind of work that I've been doing.

All right, so whatever, we're going to try to hack the unhackable. Okay, there's multiple easy ways. I've updated Ettercap so it supports TSO, so you can sniff credentials straight off the line. Oftentimes when you pop a Windows box or Linux box there'll be scripts in there that FTP stuff to the mainframe, or it's getting stuff from the mainframe; those will have FTP credentials in them. Funny thing is, to use FTP you need a Unix... you need access to the Unix part, and if they left telnet open you can, in some misconfigured situations, access the Unix partition, because they didn't say don't give this person a shell or a home, because their automated script just gave them a shell and a home, right? And then bad CGI. Yes, CGI still exists in large environments, for user management, all kinds of stuff. And there's so many more ways, just like you're talking about, there's so many more ways, and I don't have time to talk about all of them because I don't know all of them. So I'm going to assume for the rest of the talk, for the rest of the demos, that we've stolen an FTP... so I just use Dade, I use that for the rest of the talk: we've stolen a username and password and we can use it to access FTP and Unix and all that stuff. Okay, that's the assumption.

Now, we also found out that there's a really terrible website that someone put together that lets you check if someone's ID is revoked, right? So I'm going to put this to you, because you see this in corporations all the time: on the mainframe they put together some custom app to see if the user ID is good, or to do some kind of user administration, right? So let's see, I can zoom in, there we go. So you can type in a user ID and then it goes, just thinking about it, and it shows you the status of the user, right? So it tells you what their groups are and it tells you all the information. This way you don't have to log into the mainframe every time you've got to check up on a user; see, that would be a pain in the ass, this makes my life easier as a user administrator. Problem is, they didn't really code it right. So if you look at the URI: LU. I recognize LU, because I was supposed to give it to you in the demo; it stands for LISTUSER. So I recognize that, and then just my username. So if I change this to LISTUSER I should get the exact same output. Look at that, the exact same output. Okay, well, what if I... now I know what the LISTUSER command can take as operands, so I'm going to add on some more operands here to see if I'm right, and yeah, so I'm
right. So okay, so now I know it's doing some kind of funky thing: it's actually just executing commands in the TSO address space and displaying it here. Terrible design. Whoever designed this is an idiot. But it's got a firewall! Oh yeah, it's behind the firewall, it's fine. So I'm going to not list users anymore... well, actually, I'm going to list one. I know the names of the system administrators who are on the box because I did my recon research, so I know who is on the box. Now I think it's Margo, so let's see... yep. Oh, and look at that, I'm right, that user exists. So I can use this; so I'm using this to profile. Okay, so that's fine. So now I know, and sure enough, this user has SPECIAL, and I'll talk about SPECIAL later, but good, they have SPECIAL and OPERATIONS. That's a really good thing to know if you're trying to look at users and find users whose accounts you want to compromise. Okay, last thing I need to know is where the RACF database is, and since I know it takes commands, I'm just going to type a simple command here and it's going to show me where the RACF database is stored. That command is open to everybody: RVARY. If you just type it when you're logged into a mainframe in TSO, it just tells you where it is. It just tells everybody where the RACF database is stored. All right, so I think I've got enough information now to start tackling this bastard.

So from here, let's see, does this still work? Good. I'm going to FTP to the mainframe. Okay, well, before I do that, I have a REXX script here called bsroot, for BSides root, not [ __ ], and I'm going to upload it to the mainframe. Yeah, I mean, I can if I want to, but I'm not going to run it here. I'm going to do this: I'm going to FTP to the mainframe, and I know Dade, so I'm logged in as Dade on this machine. So I just logged in as Dade, and I know his password because I stole it from some login script, and right now I'm just in his normal home folder, right? Can you guys see this? It's like all the same files that we had before. I'm going to go to the Unix partition just by typing /tmp, and now I'm in the Unix part of the mainframe. Now I can upload FTP files to here, so I'm going to put bsroot. You might see it already here, maybe, I was practicing my demo, but that file's been uploaded. Now I can actually change the file permissions from here, so I don't really care. Okay, so I'm done now with my FTP. Now let's see, maybe I have telnet access. Now telnet runs on 1023 for regular bare-bones telnet access; I mean, it's not super special. Let's see here. So now I'm at like a regular Unix prompt in a shell. Let's see if I can make this bigger for you guys. There, regular old thing. So now when I run... sorry, I forgot I'm not in bash, so tab complete never works. If I run it, it's a good enough script, it's nice enough to tell me, hey, you didn't supply anything to the command; you need a setuid REXX script to get root. Now, this has been fixed, okay, so don't run out of here screaming. This was fixed a year ago for this specific program that I'm using; it was then secretly fixed for all setuid REXX scripts across the Unix environment without any notification to anybody. So I'm going to run this script and then it's going to give me root. Okay, so now I have root. Great. Only problem is I don't have access to this user's TSO address space, so that red screen, that stupid thing you guys couldn't see. I only have access to root things in Unix; I don't have access to anything else. So this user, and I know this user because I set it up, does not have access to any resources in TSO that I care about. So that sucks, but I know a user who does. I know two users, Plague and Margo. So how am I going to get their accounts? Well, I can just use a super simple back
door, which you guys can't see. Let's do this. Let's see... yes, I know, let's see. Oh good, they're using inetd, so that's nice. I wonder... as root I have full file permissions, so I can probably change the file. Now I've got to do something stupid here, see if I can remember the stupid command, set... what if I don't remember the command? But basically, if I try to edit the file right now it won't let me do it, and I have to do something like set TERM, see if that works. No. Oh, thank you. No, it's fine, because I already changed the file when I was doing my demos, just to save time. So what I did was, since I know Margo has access to all those files, I just created a back door with Margo's user ID to run a shell script. So then now I just need to... I could technically right now kill inetd and restart it and it would reload this, but I don't need to because it's already running. So that's done. I don't need root anymore because I could only access the stuff on the Unix side, but I want full control of the mainframe. So now what I do is I telnet to the mainframe on port 543, except, what the [ __ ] is this? Anybody want to tell me what those two characters down there mean? Anybody want to take a guess? I should have a shell. Yes, thank you. So I was hoping someone would know the answer; it hasn't happened, this is the first time someone knew. So yes, this is EBCDIC, which fortunately I've encountered multiple times before when trying to do this kind of thing, and I got pissed, so I wrote a Python script to handle this. All you've got to do is use that script, and I don't want to display this logo, and now I have access to Unix with her ID. Great, that's just Unix, that doesn't really help me out all that much. I still don't have her user, I still don't have her password, and I couldn't change it from here, and with root I can't su around to anything; like, I literally can't su up to a user account, it just asks me for the password. Fortunately I know where the RACF database lives and I know she has access to the RACF database. So what I'm going to do is copy it to a location that I know Dade has access to with this super awesome command. Oh Lord, that's not going to work. So the slash is like a... yeah, let's try this
again. So now it's just copying the file, right? Wait, I'll just do ls so that I know. Okay, now it's done, it's copied the file, and if I do... I think I called it racf3, that's stupid. You can see I didn't really set the umask properly, so now it's world-readable by whoever accesses it. Very dangerous. I'm going to log off. I'm just going to FTP as Dade to the box. See, oh, now you guys know my password, uh oh, my super secure password. I was going to do like an Ettercap demo, that's why I put it as Batman, because it's easy and it's easy to crack when I forget it. So now I just go to /tmp with FTP, switch it to binary mode, because you want to copy the file in binary mode, and then I just get the file. Takes four seconds; it's like 14 megs, it's not very big on this tiny system.

Now what I'm going to do... I've already precompiled John the Ripper to do this work, so what I'm going to do, there we go, yeah, so use John the Ripper to strip the hashes out of the file first, because I only care about two users. I don't care about the rest of them, I just care about two users. So we're going to try to do this now. Let's see, John the Ripper... no, I want to run... so I've got a lot of... in all my talks in the past I've talked about the hash format. It's triple DES, for lack of... actually I think it's just DES, and the seed is your user ID, so it's encrypting your user ID with your password; that's the hash. A little more involved than that; I have a whole article that explains it. So I only really care about two users, so let's see, grep. So I care about this user, and then I care about Plague, because they're both admins. Okay, so now I have... no, I broke these earlier because I didn't want to deal with waiting for it to run during a demo, and now I get to see their passwords. All right. Now, normally they would be eight characters long, but I didn't want to... really great.

So now you guys can't see the rest of the demo because we're going back to the mainframe screen to see... oh, what's going on here? There we go. So I'm still logged in as Dade and you guys still can't see jack, and I'm going to log off. I'm just going to log in as Margo; I know her password was God. And I couldn't use Plague because we knew Plague was logged in, right? Plague was logged in, and you can't log in as another user that's already logged in in TSO, so that's why I had to use someone else's ID. From here I just alter my user ID, right, so ALU, for those of you who can't see, which is everybody, see, there we go. And I'm going to give myself SPECIAL. Now SPECIAL gives me full control of the security system database for the entire mainframe. I can give myself whatever I want. There's a file I want, whatever, I don't have access to it, I just give myself access. There's a port I want to open, but I am restricted from opening that port because I'm not a specific user; whatever, I'll just give myself access. You have full control over the file permissions: not the files, the file permissions, okay? And then I'm going to exit, I'm going to log off, because, you know, Margo might show up and be like, hey, who's using my account, right? You can, if you have like OPER access, right? You can... no, well, I mean you can execute TSO commands from the Unix side, there's ways; I mean, that's what the web server was doing, really, right? But you have to have a certain level of
access to do it. So now I'll just log back in as Dade. Got to go to TSO, my super secret password. So I'm system SPECIAL now. Now this is just one user. They're going to find out that I've, you know, given myself SPECIAL and I've done all these bad things, so I want to make sure I keep my level of access going here for as long as I can. And one of the easiest ways: a lot of mainframes have login scripts, really, login scripts that execute when you log in, in your personal folder, right? Folder, data sets, I guess. So what that means is, I know, let's see here, uh, I know that when a user logs in it executes this script, and now I have full control of the security on the mainframe, so now I can access whatever data set I want to access.

So what I'm going to do is, I know Mr. The Plague uses one, there it is, and he uses, oh [ __ ], I don't have access to it. That's fine, because I have SPECIAL, so what I can do instead is give myself OPERATIONS. OPERATIONS: if SPECIAL gives me full control over the entire security database, OPERATIONS gives me access to every file in the entire system. It does not ask for authorization, it just goes. So I just gave myself OPERATIONS, but I'm still not able to access the file yet. I've got to log off and do all that fun stuff.

This is all getting logged, but who's monitoring those logs? Is it the mainframe guys? Maybe someone in operations notices you try to access a file, one of the thousands of users who get denied accessing a file per hour? Yeah, exactly, they don't. If it's running, they're not too concerned. There'll definitely be a trail; all this is getting logged. Oh yeah, but you have full access; you could technically turn off logging, but they'll know you turned off logging because all of a sudden all this traffic that used to be there is gone. Yeah, actually the log runs in the Unix partition, and uh, I think IBM zSecure will do real-time SMF logging. SMF is the logging part on the TSO side, well, the rest of the mainframe. So anyway, let me log off here, because I didn't have access to that file, so now I've got to log back
in. Slow here, we're doing some things. But now, so now if I list my user account privileges, right, actually I do in screen, you guys can see it, we'll do here, let's see, it was, is it there? There we go, NOP, so you can see I have SPECIAL and OPERATIONS here, right? So that's my attributes there.

So I go back to the GUI, and now what I'm going to do is I'm going to [ __ ] with this guy. So every time he logs in it shows this script. It says "you are the best," right? Good for him. It would usually be much more complicated than this; it'd be allocating data sets and getting you ready to use certain applications, but this... and I'm going to change it to... move that. I'm going to add one more line here, and I'm going to alter my user one more time, and uh, I'm going to alter my user ID and I'm going to give myself SPECIAL and OPERATIONS every time this guy logs on. So next morning when he logs back in, they found the breach, they know I've done all these things, they take away... Now technically I could put another thing here that says, you know, remove "revoke" from my account, but I can't remember what the command to do that is, so we'll just live with this. When they remove all of my SPECIAL privileges from this account, next time Mr. The Plague logs in, it reinitializes them and gives me SPECIAL and OPERATIONS again. Yep, when he logs in, right.

So here we'll exit that, and I think I have... so this is Mr. The Plague logged in already, right? You can see here, Mr. The Plague. So I'm going to log him off, and what I'll do here, I'll show you guys a quick example. So I'm going to remove my access rights that I just gave myself: no SPECIAL and no OPERATIONS, right? So now I've removed those access rights that I used to have, so you can see here there's no attributes anymore. Now when he logs in, uh, and his password was the same, he's going to log in, but it's going to show a real nice message down here that you guys cannot see, eventually. Oh, that's nice, that's a nice little... oh, so that's cute, someone gave me that nice little message there, okay, whatever. Now I have SPECIAL and OPERATIONS back, because it ran with his privileges when he logged in, right? So that's now... so that's basically how you own a mainframe, soup to nuts.

I had all these slides prepared with these awesome hacker movie backgrounds, but I don't need to use them because all my demos worked. Um, we went through all this cool stuff. I'll put the slides online if
anyone wants to read them. You can see every slide had a demo; it was just to sort of keep me on track if I forgot what I was doing. So like I said, at this point you've owned the mainframe. You have full ownership. You can access any file, any resource, whatever you want to do. You want to open a port, you want to do all kinds of crazy connections, it's up to you. You can now just start [ __ ] around and start looking for things: all the HLQs, which is basically like the root folder. You can start looking for interesting things, start reading the documents that are in the document repository that talk about how the insurance company is storing all the personal data in a specific HLQ for a certain app, right? That's what you can start... you can start [ __ ] around with this thing.

As I promised, there's some homework for you guys to do. Now that you guys have seen what I was able to do in my spare time, just literally screwing around, I was like, oh, I wonder if this works, I wonder if this works, I wonder if this works. This is a fully licensed, available product from IBM: RDz. The name changes all the time; it used to be called zPDT, it keeps changing. But it was built so that a developer who was developing an application for the mainframe could run a virtual mainframe on their Linux box without having to worry about touching production, right? It's the same concept as "I'm going to run a new Ubuntu image on my dev box so I can do rapid prototyping." Same concept, except it's a virtual mainframe. The great thing is it runs a full-on, full mainframe that you can play around with. They didn't build it for security guys to screw around with, but that's one of the benefits of getting it. If you work in a large organization that has a lot of IBM mainframes or IBM products, you can get this product. Just call up your IBM rep and say, "I want RDz, give me a demo license, I want to see if this works, if this is worth us paying a license for." Licenses can range depending on how good you are at negotiating with IBM. Publicly I think it's $30,000; non-publicly you might be able to talk them down if you have, like, say 45 LPARs running in your environment, right? You just have to be able to say, look, we've got a lot of IBM [ __ ], we want to use this to start doing some security work. It's not hard, and it's easy to set up, and they'll help you set it up. They'll come to your office and help you
get it going so that you can start doing your testing.

I want to do some thanks. This is the first time I get to thank a bunch of people. So the IBM mainframe community: as much as I was [ __ ] on them earlier, they are extremely helpful, they really are. Not everyone is a jerk in the mainframe community; there are some really nice guys, there are some guys who help you out when you have questions, they're really nice. I'm going to name them by name because they don't like me very much, like the whole IBM thing, but they know who they are, they're super awesome. Uh, the Swedish black hat community. So that root exploit, that was actually discovered by someone who did a breach over in Sweden. Me and Oliver... Oliver had figured out how to do some stuff, and he was like, hey, can you take a look at this and see if you can get it working? I think there's enough code here to get it working from the breach investigation files. Because what happened was, half the program was in one file and they cut out the bottom half for security reasons, and then the other bottom half was in a different file and they cut the top half for security reasons, and it was also [ __ ] that was missing some things. But if you knew enough REXX to get by, you could put it back together and figure it out.

Um, and you guys for coming out, um, especially that gentleman right there, who we've been chatting a lot with about mainframe security and stuff. But really, I want you guys to be interested in starting to attack this platform, to start looking at this platform. I really don't want another Stuxnet for the mainframe. Actually the Logica breach was like Sweden and Norway's Stuxnet; like, it was a big deal over there. I don't want that to happen here. I don't want to find out that a major bank is compromised because, you know, they left FTP open on their mainframe and didn't secure the OMVS component because they didn't know a patch was applicable, right? But yeah, you can say whatever you
want. Don't know, a lot to just come up, there's a mic right here.

Um, sorry. Um, so I got into this because my background is in, um, you know, security, background in Linux, um, but I have access to a mainframe at work, and we're one of those companies that gets really good deals on IBM software. And um, it's one of these things where, uh, you might be sitting out there thinking, yeah, but you know, my skills don't necessarily port. There isn't a person in here with some technical skills that doesn't port. So if you're a web security expert, if you're a network person, if you like to read Wireshark all day long, if you are into assembly, like disassembly or malware, uh, any of that kind of stuff, it absolutely encompasses everything. There is not a portion of this that doesn't need to be tested. It's like the Wild Wild West, it's like the internet in '96. So get into it, find it.

Yeah, there's so many... I just don't have enough time to look into all the areas. This is what I had time to look in from, like, a super high level, just brushing the surface, and I found all this crap, and what I did was not that technical. Did you mention... uh, no, one person I do need to thank is Dominic at sing. He, uh, so all my talk was about, you know, the operating system layer; he gives a talk about the application layer. He gave a talk at Hack In The Box; I hope he gets to do his talk at DEF CON. Fantastic talk about hacking the application layer. It's like websites back in the day. So a good example would be, um, the 3270 client: the mainframe says, hey, don't display this field and don't let anybody change it, and then the person who wrote the app says, well, if this field up here says X, then this is the screen they're allowed to see, but don't show them options three, four and five if they don't have this level of access. So he wrote a patch to the screen terminal emulator that says, hey, just ignore that crap and let me do what I want on the screen, and he was able to find some 0-days in some applications that IBM wrote. So look, it's ripe for plundering. There's all kinds of stuff going on in here if you just have the time and the interest. And email me, feel free to email me, it's Mainframe 767 if you don't want to make it public. I answer all emails all the time; I point people in the right direction; I try to help people out. Any questions in the 33 seconds we have left? The dude in the back.

I just wanted to say thank you for actually zooming in on the terminal so that we could see what you were doing.

Yeah, well, I tried. It's kind of shitty, I apologize, um, and it's been a problem that we've had before. But you've got a question, sir, in the front?

Uh, yeah, Phil, so I saw that you're in a special group and you added yourself to the operations group. Does that make you a special operations group?

He used to be military, so I'll cut him a break. Any real questions?
Yeah, millions and millions of dollars in man hours. I mean, we're talking about applications that are millions of lines long, written in COBOL, and COBOL is not that bad, but written in assembly for a platform that is totally foreign to the people who are getting trained on it today.

Yeah.

No, it's... you... when I was learning this it was like the first time I popped in, like, Red Hat or whatever back in the '90s and I was like, what is this, how do I run Doom now? I have no idea what I'm doing. Same thing: I started this up and I was like, what am I doing, how do I play Doom on this thing? You can't. But there are some games on the mainframe though, like Klingon and Star Trek, I'm not kidding. Cave Story? You can port it, my friend. Any other questions?

Yeah, all the Redbooks are freely available online. Let me show you: IBM publishes all their Redbooks online, freely available, and there's all kinds... whoa, all kinds of Redbooks. I mean, this is a specific one for just tuning your buffer pool for DB2, right, but that's not what we're looking for. Let's do OMVS Redbook, sure, let's click that, a PDF. So this is the Unix System Services. So OMVS, we were talking about, they call it Unix System Services or OMVS. This is for whatever release this is, and this is the implementation guide on how to implement it and set it up and how it works. It's really good. It is also 575 pages long, and it's one guide of 13, and it's all free. I mean, IBM's not stupid; they know that the skill set's moving on. They do a Master the Mainframe contest every year and they get a bunch of college students to sign up and do programming challenges on the mainframe. You have to do the development work on the mainframe, and it's really interesting. And then I asked them, I said, hey, what are you guys doing to train up security folks so we can make sure the developers aren't doing stupid things? And they said, we have Master the Mainframe, where we're training developers to write code on the mainframe, and I was like, okay, get it, that's the answer I'm not looking for.
So what do you mean? So, like, you're talking like z/OS, iSeries, HP NonStop, the very, like, the traditional, what we think of. I mean z/VM is another one, TPF is another one, they're all very different, right? Yeah, yeah, I mean, you can be a generalist. I know Windows and Linux well enough, right?

Um.

Yeah, yep, yep. Now if you're worried about your mainframe, the DoD has a great implementation guide for securing your mainframe, freely available. It's the only one that covers the whole operating system; usually a guide just covers RACF. Yeah, it's a DoD standard. I'll show you guys, uh... what's that? Yeah, it's one of the STIGs, yeah, Security Technical Implementation Guide, yeah. Right, it's actually really good. It's the only doc I found; I was like, oh, that would have fixed... basically if I implemented this on that RDz thing, none of my demo would have worked, just none of it. Well, I would have gotten root if I didn't apply the patches, but everything else would have just been "no, you can't do that, no, we can't do this." Floating... so this is a STIG. It comes in an XML file format and you need a special viewer to read it, but you can export it to Excel and use that to analyze it, I think. Am I done for time? Yeah, okay, so that's it. Uh, if there's other questions I'll just go out in the lobby if anyone is interested in talking about this any more. And, uh, thank you.
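The STIG export the speaker mentions at the end, as an added example that is not part of the talk or of any DISA or IBM tooling: DISA ships STIGs as XCCDF XML, and this script flattens the rules into CSV rows a spreadsheet can sort by severity. It assumes the XCCDF 1.1 namespace and the `Group`/`Rule`/`check-content`/`fixtext` layout DISA benchmarks use; the two-rule benchmark embedded below is constructed sample data with placeholder ids and text, not taken from any real STIG.

```python
"""Flatten a DISA STIG benchmark (XCCDF XML) into CSV rows for analysis.

Added example for the talk transcript; assumes the XCCDF 1.1 layout DISA
uses for its STIG files. The sample benchmark below is constructed.
"""
import csv
import io
import re
import xml.etree.ElementTree as ET

# XCCDF 1.1 namespace used by DISA STIG benchmark files.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed two-rule benchmark; ids and text are placeholders.
SAMPLE_STIG = """<?xml version="1.0" encoding="utf-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="EXAMPLE_STIG">
  <title>Example mainframe STIG (constructed)</title>
  <Group id="V-000001">
    <title>SRG-EXAMPLE-0001</title>
    <Rule id="SV-000001r1_rule" severity="high" weight="10.0">
      <version>EXAMPLE-ESM-0001</version>
      <title>The OPERATIONS attribute must be limited to a minimal number of users.</title>
      <description>&lt;VulnDiscussion&gt;OPERATIONS bypasses data set access checking.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;</description>
      <check system="C-000001r1_chk">
        <check-content>Review LISTUSER output for user ids holding ATTRIBUTES=OPERATIONS.</check-content>
      </check>
      <fixtext fixref="F-000001r1_fix">Remove OPERATIONS from user ids that do not require it.</fixtext>
    </Rule>
  </Group>
  <Group id="V-000002">
    <title>SRG-EXAMPLE-0002</title>
    <Rule id="SV-000002r1_rule" severity="medium" weight="10.0">
      <version>EXAMPLE-ESM-0002</version>
      <title>SMF audit records for security events must be retained.</title>
      <description>&lt;VulnDiscussion&gt;Without SMF records, changes such as ALTUSER SPECIAL leave no trail.&lt;/VulnDiscussion&gt;</description>
      <check system="C-000002r1_chk">
        <check-content>Confirm the relevant SMF record types are active and collected.</check-content>
      </check>
      <fixtext fixref="F-000002r1_fix">Enable and retain the required SMF record types.</fixtext>
    </Rule>
  </Group>
</Benchmark>
"""

COLUMNS = ["group_id", "rule_id", "version", "severity", "title", "discussion", "check", "fix"]


def _text(elem, path):
    """Return the stripped text of the first child matching path, or '' if absent."""
    found = elem.find(path, XCCDF_NS)
    return (found.text or "").strip() if found is not None else ""


def _discussion(description):
    """DISA stores escaped pseudo-tags inside <description>; pull out VulnDiscussion."""
    m = re.search(r"<VulnDiscussion>(.*?)</VulnDiscussion>", description, re.S)
    return m.group(1).strip() if m else description.strip()


def parse_stig(xml_text):
    """Return one dict per Rule, in document order."""
    root = ET.fromstring(xml_text)
    rows = []
    for group in root.findall(".//x:Group", XCCDF_NS):
        for rule in group.findall("x:Rule", XCCDF_NS):
            rows.append({
                "group_id": group.get("id", ""),
                "rule_id": rule.get("id", ""),
                "version": _text(rule, "x:version"),
                "severity": rule.get("severity", ""),
                "title": _text(rule, "x:title"),
                "discussion": _discussion(_text(rule, "x:description")),
                "check": _text(rule, "x:check/x:check-content"),
                "fix": _text(rule, "x:fixtext"),
            })
    return rows


def to_csv(rows):
    """Serialise rows as CSV text, ready to open in a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def severity_counts(rows):
    """Count rules per severity so an assessment can be scoped by CAT level."""
    counts = {}
    for row in rows:
        counts[row["severity"]] = counts.get(row["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_stig(SAMPLE_STIG)
    print(severity_counts(parsed))
    print(to_csv(parsed))
```

To use it on a real STIG, read the benchmark's `.xml` file into `parse_stig` and write the result of `to_csv` to a file; the `discussion` column carries the VulnDiscussion text that explains why each rule exists, which is the part worth reading first when deciding which findings to prioritise.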