Back to All Events

Evil Mainframe: Beginner z/OS Penetration Testing by @mainframed767 and @bigendiansmalls

  • Charlotte Convention Center 501 South College Street Charlotte, NC, 28202 United States (map)

Mainframes, and specifically z/OS, represents a massive blind spot when it comes to penetration testing. People lack the capabilities and language to properly test the security of these corporate mainstays. As it stands today these system sit largely untouched by IT security professionals, until, that is, a breach occurs, such as the breach of a bank and government mainframe in Europe leading to the potential loss of a million USD. If your company has a mainframe chances are it’s never been given it’s proper day in the sun. We’ve heard all the excuses ranging from “system outage” to “we don’t know how”. This training aims to tackle the excuses by demonstrating that mainframes are just computers like everything else, providing the attendees with the language and knowledge to start testing their own mainframes. Arming them with the appropriate responses and tools to tackle every excuse in the book.  

This training, and its supplemental materials,provides a solid baseline when it comes to the operating system (z/OS) followed by creating tools and using scripting languages such as python to help with a mock penetration test. 

This course provides customized training on the newest attack vectors created by the trainers, techniques for gaining system access and how to perform an end-to-end penetration test. After a quick overview of how z/OS works and how to translate from Linux to z/OS the instructors will lead students through the various attack vectors against a target mainframe. Students will be introduced to the platform by being allowed to explore the operating system with TN3270 and allowing students to understand the weaknesses within the protocol that allows us to automate much of our testing. Students will also get introduced to the only open source tools and libraries available for all the steps of a penetration test including Nmap and metasploit. A goal of this course is teaching students how the various layers of the stack work (Operating System, VTAM, RACF, Network) so they can develop their own techniques and skillets to conduct appropriate mainframe penetration testing.  

The majority of the course will be spend performing instructor led hands on mainframe testing with the tools available. Goals for each segment will be laid out with appropriate time afforded to students to allow them the ability to gain a deep understanding of how a test could and should be performed. Exercises will be based on real world attack scenarios. 

While this class is outlined as a beginner class to mainframe hacking the attendee should have knowledge of IT security, penetration testing and very basic Python. 

Class Outline

  • Day 1 – Mainframe Basics
    • Mainframe History
    • Operating System introduction
    • z/OS Basics
      • Logging on
      • User interaction
      • ISPF
      • TSO
      • REXX
      • CLIST
      • UNIX
      • Dataset Concatenation
      • JCL
      • Hands On: Creating JCL and submitting it
    • System Startup
      • Walk through IPL Parms
      • TCP/IP Startup/Config
    • Security
      • RACF
      • Profiles
      • Facilities
      • SETROPS
      • Dataset Profiles
      • ACEE
      • APF Authorized
    • Storage
      • Mainframe memory primer
      • Virtual Storage intro
    • Networking
      • SSL Configuration
      • TN3270 setup
      • SNA
      • Hands On: SSH to the mainframe
      • Hands On: FTP to the mainframe
    • Patching/Patch Management
      • SMP/E Walkthrough
    • CICS
      • Walkthrough CICS transactions
      • Hands On: Access a CICS transaction
    • TN3270
      • Protocol Examination
      • Hands On: x3270 -trace walkthrough
      • Nmap/Python library
      • Hands On: Nmap tn3270 library
      • BIRP
  • Day 2 – Mainframe Penetration Testing
    • System Recon
      • Mailing List system information
        • Using public resources to gather info
      • Using Nmap to:
        • Identify system
        • Enumerate available applications (VTAM)
        • Enumerate CICS transactions
        • Enumerate TSO Users
      • Nikto
      • Hands On: Nmap and VTAM/CICS enumeration
    • System Access
      • Python TN3270 Library
        • Interact with a mainframe with Python
        • Logon/Interact
        • Upload a file to z/OS
        • Download a file
        • Hands On: Create Python to interact with mainframe
      • FTP and the SITE Command
        • FTP 'exploit'
        • Hands On: Write simple JCL and execute through JCL
        • Hands On: Netcat and JCL
        • Automate with Metasploit
        • Hands On: Metasploit reverse shell
    • System Enumeration
      • REXX and STORAGE()
      • Gather Information
      • Hands On: REXX system info
    • Cracking
      • Using JtR to crack RACF
    • Buffer Overflow
      • High Level ASM primer
      • Writing Buffer Overflows
    • Privilege Escalation
      • APF Authorized
      • ModeSet
      • Use APF to create system special account

Class Requirements

VMware player/Fusion – A virtual machine image will be provided prior to class.

If students wish to build their own:

Ubuntu/Redhat Linux with:

  • Nmap – current SVN version
  • Metasploit – Current nightly
  • X3270 Compiled from source
  • BIRP - with x3270 patches installed
  • SSH Client
  • Python 2.7+
  • Git client

Instructor Bios

Philip Young: Philip Young is a leader in legacysystem security. Having spoken at multipleconference around the world, including DEFCON, BlackHat and keynoting at SHARE Europe, he hasestablished himself as the thought leader in this space. Since 2013 Philip has released tools to aid in the testing of mainframe security and contributed to both the Nmap and Metasploitprojects, allowing those with little mainframe capabilities the chance to test their mainframes. In addition to speaking, he has built mainframesecurity programs for multiple Fortune 100 organizations starting from the ground up to creating a repeatable testing program using both vendor and public toolsets. His hope is thatthrough raising awareness about mainframe security more organizations will take their risk profile seriously. 

Chad Rikansrud: Chad is a 20+ year veteran within IT. He has held many IT positions including: DBA, Developer, System Administrator and Network Engineer with his primary background inLinux/UNIX and Networking. Chad currently works for a large financial institution in the System Z department as a manager of data / storage and also is helping develop a mainframepenetration testing methodology while building out a penetrations testing team. In his spare time, Chad builds “Capture the Flag” contests for areainformation security conferences, gives talks about these subjects and helps mentor others just getting started in IT/Security. Chad has established himself as a leader in this space bygiving talks on Mainframe security at DEFCON, Derbycon, SHARE

If you have any questions about the class content, please reach out to @mainframed767or @bigendiansmalls.

If you have any questions about anything else, please reach out to [email protected] or the Charlotte ISSA Education Director on twitter: @FrackMacker


You can register for this class here.