
So, welcome everybody, thanks for joining. Glad we've got quite a few people here. I was worried that the title might scare people off. It shouldn't, because to be honest I don't even really know what a Gen Z is, to be perfectly fair with you, but I thought it was such a great title that I should do it. It does hint a little bit at some of the problems that are upcoming as I see them. It's going to be a very quick talk, we've only got 30 minutes including question time, so there will be a lot of things that I'll kind of fly through and I'll try not to get too deep
into things. Maybe first up: is there anyone here who's worked with mainframes? We've got a couple. Anyone that's hacked a mainframe or penetration tested a mainframe? Ah yeah, these guys, I think I know them. Okay, so let's get into it. First off, who am I? We had a little bit of an introduction before. I'm a senior consultant in NVISO. I'm not a mainframer, I won't claim to be. I've learned a lot about them in the last few years, probably more than the average penetration tester, but mostly I'm a hacker. I like to hack things apart, I like to hack things
together, and that's where I'm coming from. I was a kid in the 80s. Why is this important? Well, back in the 80s we sort of got this look for the future of what we were going to be dealing with. I got a Commodore 16 when I was very young and we were promised this future where we could buy things online using our computers and they would come to our house, which is sort of coming, and we had cars that talked and all this sort of thing. So it was pretty good for me, the breeding ground for technology for the future, and of course the idea of hacking the
mainframe was always touted around: you hacked algorithms and you hacked the mainframe and that was like, wow, you'd done it. I own my very own AS/400, for anyone who knows what that is. For those who don't, it's not a mainframe, it's a little baby thing that's kind of old, and I thought that it would be a bit like having a mainframe because I couldn't get one of my own. Also I'm building a doc; anyone who knows what that means probably finds it pretty cool, everyone else is like, who the hell is this guy. First off, let's do a shout out, because we're always standing on the
shoulders of giants when we're talking about mainframes, in the technology itself (these things have been around forever, well, 60 odd years), and when it's talking about hacking, the guys that we're looking up to here are Phil Young and Chad Rikansrud, otherwise known as Soldier of FORTRAN and Bigendian Smalls. These guys are the ones that got me interested in mainframe hacking, well, in the actual hacking of it. As I said, as a kid you wanted to hack the mainframe; I didn't know what it was but I wanted to hack it. So yeah, these guys wrote the only pen testing course for mainframes that is in
existence. It was recently sold by them to Broadcom. Probably anyone that tried to download VMware lately from them is aware of what that's probably done to the availability of what's going on. So let's take a step back in time, back to the '90s. Back in the '90s a guy called Stewart Alsop made a very chilling prediction: the last mainframe will be unplugged on March 15, 1996. Oddly specific, I thought, but that's what he said, and probably a few people believed him. Given that I'm actually standing here we probably can work out that he wasn't quite correct, and around 2002 he actually published a photo of himself eating his words. So we still have mainframes, in
case anyone didn't know, and I assume you probably were aware of it, otherwise you might not be in this talk. But we have to bust some of the myths about them. One of the myths that we have to deal with is people think that they're outdated, they're like these technological dinosaurs. I mean, they are quite big, they are quite bulky, but they're not what we usually get in our minds. When most people hear mainframe, most people are thinking this. Who was thinking this? Yeah, we had some of those. So what we do have here is a mainframe; this is kind of where it's all coming from, and what you actually
see there, this block just behind the gentleman to the left, that's actually the mainframe, the main frame of the system where all the good stuff was happening. All this other stuff is data storage, usually, and then he's sitting at a console that he was using to run it. It's not what they look like anymore. I'll introduce this guy here, this is what we're talking about now: the IBM z16. It's a modern machine, fits in the space that you'd have a 19-inch rack in a data center, and you can scope them out to have one machine that's like four of these. So yeah, they're like a big fridge, but they're
beasts of computing, and you see here they've introduced on-chip AI processing. So for all the AI fans, they're actually putting that on the chips so that they can do it faster. Why do they do that? Well, service level agreements, to make sure that payments get processed quickly, can actually be run through fraud detection, and the only way to get that speed that you need (I think, don't quote me, I think 6 milliseconds or something the process has to take for the transaction to be approved) is to put that on the chip. Quantum safe computing: they have pervasive encryption that you can have on these machines, encrypt all the stuff and do it with a quantum
safe algorithm. Up to 40 terabytes of RAM. The processors can talk to each other at a speed of around 250 Gbit/s; they can actually address RAM, or the cache on other processors, faster than some Intel machines can talk to their own onboard memory. So that's an idea of the sort of power we're talking about. They can process up to 19 billion business transactions per day, so I mean, that's a lot of stuff. And the main reason why people would have a mainframe over anything else is this availability level of seven nines, they call it, so 99.99999% availability uptime. So not much downtime, very, very little downtime,
almost none. They also withstand an earthquake of 8.0 on the Richter scale, which is quite a lot. I come from New Zealand, we know a bit about earthquakes, so we probably should have some mainframes. I don't even know how many we have there, but it's beside the point. Just some little statistics so we know how important these things are. We see there are like 90% of all credit card transactions, 90% of all of them, and that's a lot of transactions. We have 77 out of the top 100 banks are using them, all of the top 10 insurers, apparently 71% of the Fortune 500 are using them, and
apparently 68% of the world's production IT workload. Not so sure on that one myself, but they determined it in some way. It's also interesting the way they do the workloads based on cost as well, because people think these are expensive machines. They are, they're very expensive, but the amount of work you can get out of them is huge. Also market size: 2.5 billion last year, apparently, and a growth rate predicted of 6.4% until 2032. So the mainframe is by no means dead. As you see, it's doing important work; it's a very important piece of infrastructure that we're talking about here. Myth number two, and this is the
main one that we are interested in right now: impenetrable digital fortresses. It's very true that they are very secure. They have been developed over the last 60 years, there is still code from back in the day, so it's not a wonder that it's very stable. But of course it is not impenetrable; nothing is, we all know that. I think at least all of the penetration testers know you can eventually get there somehow. And why aren't they immune to compromise? Well, it's quite a simple fact, the same reason anything isn't, and that's it's a computer. It's built by humans, configured by humans, used by humans, blah blah blah, basically a layer
eight problem. And that's what the security is based on here; it's always down to how well is it configured, that kind of thing. Also a lot of people think we're hiding it back behind our perimeter, it's tucked way down away from everything else. Not entirely true. Quick Shodan result: 161, and this is just based on looking for the TSO or the VTAM, so this is like the console that you're using to administer them, usually. So yeah, we've got a few of them there, and as we can see if we look down under ports, under 23 we've got 49, so that's plain text most likely. Doesn't
have to be, but most likely. There's still a lot of plain text around. Glad to see that the number for 992 is actually higher. But yeah, that's what we're dealing with there, and this is current, I did this a couple of weeks ago just to check. The other one is FTP. People say FTP, what's so interesting about FTP? Well, you're going to see in a little moment that FTP on a mainframe is not quite FTP. It does do FTP, but there's some other stuff you can do with it which is pretty neat, and if you abuse it you can do some very neat stuff here as well. You can see port 21,
84 of 92. I can almost guarantee that those are most likely clear text, so if you can sniff the traffic you can get credentials. So, why haven't we heard about them getting hacked? Has anyone ever heard of mainframes getting hacked, like big names? No? Well, there has been a couple of big ones. I'd say generally the reason why we don't hear about them is it's not the kind of thing IBM want to be hanging up on the wall: look, we got hacked, our secure platform was hacked big time. And we did have it, this was a while ago, 2012, Logica and Nordea. That's a provider of
government IT services in Sweden, and a Norwegian bank. It's one of the only well documented mainframe hacks that we have in the public domain. It was attributed to a guy called anakata. Does anyone know who anakata is, or Gottfrid Svartholm? He was the founder, one of the founders, of Pirate Bay, and when he was in Cambodia, staying away from Sweden, he allegedly did these hacks. He was convicted of them in the end. He got initial access through some stolen credentials; I think it was the lawyer that was dealing with him from the government, and she had access to a government system and that
was sort of his initial foothold. From there he managed to probably develop two zero days that he found, and he used them. Interestingly enough, he actually developed these exploits using an emulator called Hercules and an older version of z/OS; no doubt he refined them then on the systems that he was actually attacking. The interesting points that we have here is the concept of zero days. These two zero days became CVEs; you don't often see CVEs related with mainframe products. It's, yeah, I think fairly clear that it's not something, once again, that IBM wants to have a big deal made out of. The other thing being the use of the Hercules
emulator. This is an interesting one: you can't do that legally, it's not allowed, but of course if you're a criminal and you want to, then it's not going to stop you. Which brings us to the challenges that we're facing at the moment, as I see them. So we've basically got three broad areas that we're looking at. First one's the skill gap. Obviously the people that are experienced in the mainframe area tend to be heading towards retirement. It's not often something that the Gen Z are actually doing, although it's improving, I will say that, it's definitely improving, there is light at the end of the tunnel, but still a limited number of people
getting into it, and the learning curve is steep. You can't use anything that you knew already about computers; it's not like, oh yeah, I used to use a Windows machine, now I can use a mainframe. No. With Unix or Linux experience there are some things that are going to help you out, and that's something that we're going to see in a moment. Approachability: for a long time the community was kind of toxic. A lot of forums, I got the impression if we fed them into an LLM and we could build a chatbot, I got the feeling that the only answer we would get from it to every question was, have you read the
manual, and should you really be touching this, you don't seem to know what you're doing. I'm not entirely sure that that's really overrated, or that's not an overstatement; there are some things you find where people ask genuinely honest questions. Once again, this is improving, I will say it is improving; a lot of people are getting more open, they're more willing to talk, but yeah, there's been a bit of a problem. The main one that I see as a problem is access to it. As I already mentioned, you can't use information you've already got. How are you going to get, and you know, try and play with this, particularly if
you're going into bug bounties, or, not bug bounties, there's no bug bounty for it, but if you're going into looking for exploits, looking for weaknesses, even just learning how to administer these systems. The only way that you really get access is if you work somewhere where they have access and they'll let you play around with their machine. The other one is you can get a developer license for one person from IBM, where you can run on an IBM emulator on your own machine, but the license costs you €7,000 for one person for one year, and that puts it a little bit out of the realm of the
average hobbyist or the average hacker or penetration tester. There's a limited amount of training. There is some very good stuff: IBM puts out something called Z Xplore, which is a fantastic training resource, and there's a company called Interskill which works closely with IBM and they have some good content as well. But it's not the sort of thing that we see with things like Hack The Box or any of these online pen testing frameworks where you can actually go and try stuff out. Last one, oversight. A lot of what I've seen is that testing, penetration testing of mainframes, doesn't really happen. Generally: mainframes out of scope, don't touch it,
please. Sometimes you might be allowed to touch one application, but often you hear, well no, we don't want you going any deeper on that. So you get one application, you look at it and you say, well, to be honest, that's not how I'm going to break into your mainframe. Good that they're testing it, but not always what's going on. So now we've got a bit of that out of the way, I think we should move into the actual hacking part. For those that are familiar with the movie Hackers, I'm going to hack the Gibson. So just let me change
screens. Let's come back. Okay. Sorry, I have to stop this one.
Okay, ah, we've got it on there but not on there. Okay, sorry for everyone over here, you have to look over here, and our man here's got something to find out. Okay, so we're going to have a go at hacking your mainframe. For the mainframers here, I'm sorry, I'm going to do stuff that's probably a bit out there, like you'll say, I'm not really sure that would happen in real life, but some of these things do. So let's consider the situation: we're inside someone's infrastructure and we're targeting the mainframe. Awesome, thank you. And we've got some credentials. Most people say, hang on, got credentials? It's not hard to find
credentials, ask a red teamer, you'll find credentials. The start of this actually comes from an assessment that we did where we found some credentials inside a code repository, and they were for an FTP user. So let's just have a look here at what we've got. So we know the host is the Gibson, our user is DADEFTP and his password is bsides24. When we're looking at it we do an nmap of the Gibson. This won't take too long. There we go, we got some ports open. The ones I care most about are 21, 22, 992. We know that this guy is an FTP user because it's obvious, like his name is
FTP, so we'll start with that one. If we start from there and we go ftp, and then we do DADEFTP at the Gibson... you see that the correction was working? Of course I tried this out before, it's not the first time.
Oh, ah, you'd think it was the first time. That's more like it. Okay, so we've got DADEFTP and we're in FTP, and it sounds like normal FTP, we'll find some files. Do we find any files? No, he hasn't got much there. But we had a bit of a sniff around and we found a couple of users that we were interested in. One was Zero Cool, have people here seen Hackers, by the way? And we look at zerocool/.ssh, let's have a look at that. We go in there and we see what we've
got. Okay, so we've got an SSH key by the looks of things, but we're not allowed to see it. authorized_keys, sure, we could write our own one to there, but no, we can read them but we can't write them. So that was kind of interesting, but let's come back to it. There's another one, Acid Burn, and we have a look there. Ah okay, so we do have a little something there, also something that we can't get our hands on, but it's a CA cert, really. Okay, I've got to go very fast now, I knew this was going to take too long. Okay, so the CA cert is what we
would use for our protected connection over 992 for the terminal. But what we want to do now is we want to get a privesc. Now I'm going to really rush it here because I want to show it. The cool thing about FTP on the mainframe is that we can use it to submit jobs. All the cool stuff that happens in the mainframe happens as jobs, and we can submit them from FTP if we're allowed to. So incidentally I have something created here which is called tso.jcl. Here we see what a job looks like, and we have a little job that's running what's called a TSO command. TSO is like the mainframe
shell. When we're talking about FTP we are in the Unix subsystem, or OMVS as they call it, where we can do the Unix stuff, and that's why I'm going from this side, because more people will be able to relate to that. So what we see here is we have this little job, and what this job is going to do is it's going to check for something called a surrogate user. And, hang on, we need to... and then we have this SITE command which tells it we don't want to do files anymore; what we want to do is JES, the job entry system. So now we're in the JES job entry system, we put our tso.jcl job
in there and we run it. It gives us back a job number, JOB096. If we ls that we see that we got some files, and now we can actually just get these like we would in any other FTP program, and JOB096.4 is the one that we're interested in there, because that's the system print, that's our output. Okay, so it gave it to us, we go back over here and we cat job... no, did I do something silly? Probably.
Ah, thank you, thank you, thank you. I did that yesterday
too, presentation BSides. Okay, so cat job, there it is, that's the one we wanted, and this is the output that we'd see if we were in a TSO shell. Now, why won't it go up? Come on, there we go. And so what we see here is our surrogate user, so this means that we have submit permissions from Zero Cool, meaning we can act as him. And oh, so short, so short. Okay, so what we saw now is we can actually run a job as Zero Cool. The other job that I've got ready is a bash job, bash.jcl, and what I'm doing here is I'm running a
program called BPXBATCH, and this is a program that runs some bash for me, and as you see there we're changing the permissions on our bsides key that was in the Zero Cool directory. Definitely going to run out of time before this is over. Yeah, I'll use that, I'll take it. Okay, so we're going to put it again: put bash.jcl. Okay, so we ran that one. When we ls this one, when we just use the ls without any argument, we see what we've run, and then we can see the job we ran before. Why don't we see the job that we just ran? We ran it as someone else. We
ran it as Zero Cool, because we specified in our job card here USER=ZEROCOOL, and because we've got surrogate permissions we're allowed to do that, we're allowed to be him. And so now what we can do is we can cd into his home,
.ssh, and see what we've got. Ah, change the SITE back, and we want SEQ, SITE, and then we can see here, back in normal FTP land, and you see there we've actually got read on the bsides key. So let's just get bsides_key.
Okay, when we ls over here we can see that we got bsides_key, so we've got the private key that we need to use. Okay, five more minutes. So now we can SSH, and just need to change a little bit of this bsides key, and our user is zerocool. So let's see if we get in... ah, permissions, because of course we changed them. And then we do it again, and we are now zerocool. And generally what we're doing, if we're doing that, obviously there's a reason why we've got surrogate permissions, and that is usually because we've got more privilege. So we've basically done a privilege escalation now, going from our first
user, the FTP user, we were able to submit a job as Zero Cool, we became him, now we've got his SSH. The last thing that we want to do, because we've got these higher privileges, I actually want to do something which is another TSO command, and it's RVARY. Okay, and so what this is actually giving us is the location of the RACF database and the RACF database backup. RACF is the security manager that's used by most mainframes, and you have a database there that has all of the permissions, certificates, anything security related, it's all in there. Now if we can copy that, which I'm going to try to
do, we can copy it from this part. This notation is how you represent data sets in the mainframe world, in what I would call the z/OS side of things. Okay, we'll try and put it in here, we'll call it racfdb. It took a bit so it probably worked. Okay, now we've got it, we can read that database. So what we can do now is we can go out and I'll just scp, not that one, bsides key, and then we head zerocool at the Gibson, and we want to get /zerocool/racfdb. If I put it in the SSH, how silly of
me. racfdb, and we're going to copy it to here, racfdb.
I was out of SSH when I did it. Okay, cool, that looks better. Take a bit to get because it's quite large, it's got all of the security information in it. Okay, now what we're going to do is we're going to use... oh, two minutes, let's see if I can get it done, it's like Swordfish. So now there's a tool called racf2john, and what racf2john does is it takes the RACF database and reads through it and it's going to pull out passwords and hashes, and we're going to then just output them into that file, mainframe, and then we're going to use John with a wordlist. What's my wordlist? words, I think
it's passwords. Yeah, password list. john, wordlist, pwd-list... typo again, pwds, ah, what am I doing? You're under pressure. I'm under pressure, it's the time pressure, and it doesn't want to stop, it just doesn't want to
stop. Okay, so hopefully it's not going to take too long. I've used a very special password list, of course, so that we get what we want. So it's running, it's trying to crack these hashes, and hopefully... ah, we've got some hashes. So we see there for Acid Burn the password is zerocool. So we now should be able to FTP into acidburn at the Gibson, zerocool, and we're in. And as I mentioned before, we had a file in there which was the cacert, and this is what we can use to get TSO. Get cacert. Well, did we get it? We've got it,
and now what we can do is we can use the 3270 command, and because it's encrypted and we've got the certificate we have to use also this accept hostname, because the certificate is put for a private IP, and that's why we're doing that one. We hit that one, we should be able to get in. That seemed too good to be true. See, I said... nice. Am I in the wrong place again? What did I do wrong? Oh, I know what I did wrong, so silly, beginner mistake. Have to go back in, and we have to ASCII,
ASCII, that's more like it, get cacert, that's better. Okay, now see, okay, and now we're into z land. But wait, there's more, one last thing, one very last thing, once it finally comes up. So now we log on to TSO and we log in as Acid Burn with zerocool. We are in, and we list our user and we see one thing, very, very, very, very special. We don't have root when we're talking about SSH, but we have SPECIAL and OPERATIONS. This is the highest privilege you can get; you can do anything on the system now. Thank you very much. Give a hand.
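As an added example that is not part of the talk or its demo: a Python check, from the defender's side, over a job that an FTP user pushes into JES, flagging the two things the demo relies on, a job card USER= that differs from the submitting user (a surrogate submission) and a BPXBATCH step that changes permissions under an .ssh directory. The job text, the user names and the /u/zerocool path are constructed for the example and are not from the talk.

```python
import re
from typing import Dict, List

# Constructed sample job (not from the talk's demo files): a job card that
# names another user, and a BPXBATCH step that loosens an SSH key's mode.
# The /u/zerocool path and the user names are assumed for the example.
SAMPLE_JCL = """\
//BASHJOB  JOB (ACCT),'DADE',CLASS=A,MSGCLASS=X,
//         USER=ZEROCOOL
//* comment line, ignored
//STEP1    EXEC PGM=BPXBATCH,
//         PARM='SH chmod 644 /u/zerocool/.ssh/bsides_key'
"""

def join_statements(jcl: str) -> List[str]:
    """Rebuild statements: operands ending in ',' continue on the next
    '//' line; '//*' lines are comments and are dropped."""
    stmts, cur = [], ""
    for raw in jcl.splitlines():
        line = raw.rstrip()
        if not line.startswith("//") or line.startswith("//*"):
            continue
        cur = cur + line[2:].strip() if cur else line
        if cur.endswith(","):
            continue  # more operands follow on the next line
        stmts.append(cur)
        cur = ""
    if cur:
        stmts.append(cur)
    return stmts

def split_operands(text: str) -> List[str]:
    """Split on commas outside quotes and parentheses."""
    parts, buf, depth, quoted = [], "", 0, False
    for ch in text:
        if ch == "'":
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        if ch == "," and not quoted and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return parts + [buf] if buf else parts

def keywords(operands: str) -> Dict[str, str]:
    """Collect KEY=VALUE operands; positional operands are ignored."""
    kw = {}
    for part in split_operands(operands):
        if "=" in part and not part.startswith("'"):
            key, val = part.split("=", 1)
            kw[key.strip().upper()] = val.strip().strip("'")
    return kw

def audit_job(jcl: str, submitter: str) -> List[str]:
    """Findings for a job that `submitter` pushed into JES over FTP."""
    findings = []
    for stmt in join_statements(jcl):
        m = re.match(r"^//(\S*)\s+(JOB|EXEC|DD)\s*(.*)$", stmt)
        if not m:
            continue
        name, op, operands = m.groups()
        kw = keywords(operands)
        if op == "JOB":
            user = kw.get("USER", "")
            if user and user.upper() != submitter.upper():
                findings.append(f"surrogate submission: {submitter} ran {name} as USER={user}")
            if "PASSWORD" in kw:
                findings.append(f"cleartext PASSWORD= on job card {name}")
        elif op == "EXEC" and kw.get("PGM", "").upper() == "BPXBATCH":
            parm = kw.get("PARM", "")
            findings.append(f"step {name} runs BPXBATCH: {parm}")
            if re.search(r"chmod\s+\S+\s+\S*/\.ssh/", parm):
                findings.append(f"step {name} changes permissions under .ssh")
    return findings
```

Run `audit_job(SAMPLE_JCL, "DADEFTP")` to see the surrogate and BPXBATCH findings; the same job submitted as ZEROCOOL only reports the BPXBATCH step.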