>> All right. Mainframes, anybody? Yeah, four people! All right. Quickly, show of hands, and keep your hands up: how many people in the room do any kind of mainframe pen testing, auditing, any kind of that work at all? Hands up. Nine, seven people. Keep your hands up, way, way up. Now, yeah, yeah. No, no, how many of you have an account, ever had an account on a mainframe? Ever! Whoa, whoa! None of you guys do any security work. All their hands went down, a little bit of a disconnect, but anyways... I got to put this slide up, disclaimer: I'm here of my personal volition, I'm not here in the name of or on behalf of my employer, and any views expressed in my talk are those, not those of my employer. We're good. I'm sure a couple of you guys were expecting an awesome mainframe talk with a flaming skull or a super awesome wizard with an IBM glove. But that's not me. I have a tiny beard, way too small to be a mainframe guy, so I'm told, but I'm just a regular security guy. I have always been into mainframes, I was auditing mainframes and have just always been into the security of the mainframe, and I never, ever touched one. I never got access to one. Until one year we have a contractor come in from an unnamed company, and he comes in, and he's a PCI certifier, a mainframe security guru, he can do ISO 27002, 30-plus years experience on the mainframe. Super awesome guy. Wasn't too savvy on network controls and all that other stuff. He didn't know how to tell what ports were open on the mainframe. It has the netstat command, you'll see in a few minutes. So I realized, like, I have all this security background and mainframe background and finally got access to a mainframe, and I was like, you would not believe some crazy stuff going on here; these engineers have told me bold-faced lies for years. I was like, wait, you can totally do all these things they told me you cannot do on the mainframe. So I decided to sort of bring the awareness to the community.
Started creating tools, writing articles for security people, and instead of coming at it from the mainframe perspective I'm coming at it from the hacker perspective. I spoke at all these conferences that have no mainframe representation at all to start raising awareness about this platform. Real quick, another question. This is a chart that shows SSL versus non-SSL usage for Internet-facing mainframes. Who wants to bet the largest portion of the pie is encrypted SSL in the small ones? No takers. It gets even better. The ones that do do SSL that are Internet connected, about 1/3 have valid certificates. Now, why is that important? Because there's crazy cool fucking mainframes on the Internet. Can you see that? It's hard to read. That says Egypt Air. (Laughter) I found Iceland, a lot of government ones like the Raleigh, North Carolina court system. Plain text, just hanging out on the Internet. I'll get into why plain text is important. This is an all-z/OS talk, I won't talk about iSeries, won't talk about the Tandem, just the zSeries mainframes. It blows my mind people call this platform legacy, because they just released a new version, state-of-the-art hardware and operating system, and it blows my mind people calling it legacy because they don't know how it works. It's not really a legacy platform if you are updating it and installing patches and keeping it up to date and current with current releases. So not a legacy platform. There's all kinds of cool companies and infrastructure that run it, but what does it look like? A 3270 emulator connecting, like extended Telnet. I'll log into TSO, the equivalent of the shell in this environment. Takes a little bit to log in. So here I am going to run the LU command, list user credentials or user information, what they have access to, or I can list another user's credentials, or I can add other flags and filter out some of the information that I care about, right. Only care about the UNIX partition, I'll talk about it in a second.
You can do other cool stuff: netstat, open ports, netstat home that shows the IP configuration, you can also do ping, you can ping Google, just regular, normal, it's not any super special thing that everyone had to believe, just a regular computer with regular kinds of commands, and you can do cool stuff but nobody does it in this interface. They use ISPF, that's like the GUI interface to the mainframe. I use the editor, I go straight to the editor and I can edit files. Here I am editing a login script, and just a regular, you know, regular text editor, editing files. I'll go back to my home folder, that I know is not a home folder to mainframers, but for the sake of argument I'll keep it there. I only have 20 minutes. Here I'll edit JCL, like a script language, basically you submit jobs and you can run a script, very similar. Here is a REXX file, this file shows the currently logged-in TSO users, and what is cool about this is you can actually execute TSO commands straight from the editor, you can do work, save it and execute commands, so this is showing you can execute, you can do a lot of cool things from this. Right. I'm going to log out and I'll show you that UNIX is running on top of z/OS. Regular old UNIX, client environment. You can make a mistake and it will tell you. You can also do regular commands, remember the flag when you are recording. You can also do screen -- regular UNIX interaction. This is a 3270 session, you can do it over Telnet or SSH, Telnet runs on port 1023 and I've seen a ton on the Internet still accessible on that port. Now, that's the mainframe, all mainframe experts, now how to break into a mainframe. Okay. How do you get a credential? I'll just sniff it off the wire; now we know they are not encrypted, but up until recently Ettercap didn't support sniffing for TSO, so we were like (?) we went and added it here. Nothing changes there, totally credentials, now you can see I'm logged in on TSO, totally stole credentials as well.
In case you missed it, this is what it looks like there. Oftentimes, large enterprise organizations, they'll set up a Web server on the mainframe because not everyone wants to learn the commands to say show user; they want to log in if they are doing simple administration tasks. So on the DEF CON mainframe I created a website that lets you list user information that -- you can check if they're revoked or whatnot, so here is what it looks like, shows you the detail. Super broken, on purpose for the demo. What's interesting is that the CGI thing called TSO command, that's cool, right, I can guess what it does, and that's running LU because we just went through what LU does. I wonder if I add on the other part of the command and if it does something else. Okay, it's totally just interpreting commands that you type in and run in the TSO environment. I'll run RVARY, that shows you -- the RACF database is the most important file security-wise on the mainframe because every single security setting, user name, password hash, is stored in this one file. Technically two, the primary and backup. If you access this file you are on the mainframe. I'll show you in a second. There you go, I typed RVARY and that's it. Now oftentimes you'll come across a mainframe where only FTP is available, and it will tell you, because it tells you in the banner it's a mainframe. Can't do anything else. You have login credentials. What is awesome is the mainframe lets you run commands through JCL and FTP; back in the day there was no way to submit jobs remotely, so I can submit, if I create a JCL and upload it, and say hey, go run this, it runs it for me. There's all kinds of cool stuff. I'll show you. Now, you have access, I'm trying to blow through this to get to the demo. We have access now, assume we got a credential, and now what? That's what two lasts me. Great. That was easy, someone left it in a script. What do I do? Now we'll escalate privileges. First thing we'll do.
So connect with any kind of thing you want to use, Telnet, and escalate. Here is where it gets funky. In 2012 there was a major breach of a mainframe in Sweden. A whole bunch of CVEs came out. I'll read the first little bit. Unspecified vulnerability in IBM NetView, blah, blah, blah. What the real vulnerability was, was the fact that any setuid REXX script, Python script, any setuid REXX script will allow you to escalate privileges. The attacker used a REXX script that was used by Tivoli NetView. So when they released the CVE, it's technically correct, and then IBM did not talk about the other part and they quickly and quietly patched that up. It's all patched, so this is not -- I'm not stupid enough to come up here and teach you guys how to really hack these things, but if you have some that are not patched, this may definitely work. (Laughter) So just sayin'. We talked about this, -- works with any REXX -- can you see that? Of course not. Let's see if I can get that going anywhere else. End of demo, great. Can you guys see down there? You can see I'm on a mainframe, no question this is on the mainframe. Okay. No question at all. Here I have a simple script, all it does is say yay, doesn't do anything else, UID of 0. I run, get user RX, I supply it that very simple REXX script. And I have root. Because of the way they are using spawn. So now the rest of the demo is whatever, just showing I did it, and if I had time to show it to you guys, I would. (Pause) Someone earlier said -- you are using su; I have zero access to it, I have no access to run the su command at all with that user ID. So there's the same demo for PDF readers. So for this hack specifically I need to thank a couple of people before I go and talk on the rest of the stuff. Swedish BlackHat community for figuring this out. They discovered this, and then it was all wrapped up and hush-hush, Oliver Lavery, there was paperwork sent secretly and little tiny pieces and we had to reverse engineer it.
We tried running NetView, so what we were doing, and figured out it was just a REXX script, and then like I mentioned, Sweden, a mainframe that got breached, the mainframe was run by a company called Logica. We have root. But we talk about TSO a lot. So how do we bypass the rest of the controls to get access to TSO? Easiest thing to do at this point is just get a copy of the RACF database. If you are lucky the root ID has access to the database. If unlucky, maybe the Web server has access to do user updates, or you know of someone who has access and just set up inetd to open up a shell. There's multiple ways to get at it. Whatever you do, you get that part. Because John the Ripper supports cracking the hashes in the RACF database. With a tool called racf2john, you have taken it, stripped all user names, it's great because it's DES. So the way that the hash (Laughter) The way they hash the password is they take your user ID and they encrypt it with your password. (Laughter) >> Yeah, there's a little bit of obfuscation, they shift it to the left one bit, but essentially the same. Did I say it? Okay. Doesn't matter, it's open source, you guys could have read the code, not a secret, IBM is working to change this, they released saying we want suggestions on what to do next. What else can you do? IBM has a tool called IRRDBU00, stands for database unload. What it does is takes a RACF database and dumps that to a flat text file, all permissions, all settings, everything. What you'll do with that is find all users that have special -- then go back to the hashes and say, John, just focus on these people. Then once you have that you'll log in with that special account. Then here is an example of JCL, because it's cool to have JCL at DEF CON because that's so cyberpunk. That's the JCL, users included on the CD, IRRDBU00. But now we have special. Special gives us full control of RACF. RACF lets us do anything we want because we're special.
It doesn't mean we have access to anything, but it does mean we can give ourselves access to anything we want. So I can create a user ID. I can have a regular -- regular user ID in the mix, well now I'll give it a user ID of 0, and I have permission to do that, or I'll just give myself special, just create another ID and give it special in case I lose my special. You could also -- you know all the users who have special. You could remove their special access. (Laughter) Now, there's a really cool permission called BPX.SUPERUSER. You can see that demo, good, sort of all it's doing is typing su and exit over and over in quick succession, there's no time to type a password here. BPX.SUPERUSER doesn't ask for a password if you want to su up to root. If you have people with permission to BPX.SUPERUSER, you can just type su and do a get. That's how you do it if you want it to do that. Really long command, just change user ID right here to your user ID and do it that way. On top of that, I have a whole bunch of tools I've created to make it easier to deal with the mainframe. When I first came across it I was like, what is happening? All the commands are crazy, no idea, I had no idea how to edit a document. Using this thing. What is happening? I started writing and said it would be really cool if netcat could work; now it's a cool project, only does UNIX, really cool if we could do like a reverse TSO shell. That's what I did with CATSO, it's this really awesome script, it has a whole bunch of macros in it, so if you want to FTP a file off the mainframe you just type FTP, space, the file name and destination, and it does it behind the scenes, you don't have to deal with it. If you want to copy files, delete files, it's just all these macros; you want to look at the IP configuration, RACF database, just type RACF and it will show you. It lets you run UNIX and TSO commands straight from the prompt. You open up a listener or reverse shell out with netcat, it all works fine.
Shocker is a wrapper around that whole script. So remember earlier I was talking about, you can use FTP, then have it execute that JCL. That is what it's doing. It's compiling, taking it all together, building it and then uploading it to the mainframe. This is what it looks like if you run path on the mainframe. If not, this is what it looks like, Shocker, to run it from your Linux box. So it goes and builds and runs it, and you have to connect with netcat, or automatically listen on netcat and it would be all ready for you to go. If you only have FTP access and the mainframe is allowed to call out, this is a way you can get interactivity with that mainframe. That's really cool, but what would be even better is to get a root shell out of this, so I could get root.REX and do the exact same thing, compiled it all together; it has two C programs it compiles on the fly on the mainframe, uploads those files, executes it, and let's see, this demo better work -- awesome. You guys see the end of the demo again? Disconnecting on port 21, so we connect on port 21, switch to the mainframe to upload the JCL into the job queue, and then it's doing its things behind the scenes, and I have a root session all through FTP, that's all I needed. That's it. Then I have control and start doing what I was talking about, and I never even had to do anything crazy, go back... now you're probably thinking to yourself, that's awesome but they'll never let me touch our mainframes, are you kidding me? They are like multimillion-dollar machines, that they are unbreakable, but they're afraid I'll break them. What's great is IBM has software called RDz, Rational Developer for System z, a full-on emulated mainframe you can run in Linux; they offer it, if you have a mainframe, put up your hands that they had an account on a mainframe, talk to your IBM rep and see if they will give you a demo license to check it out.
Full-on mainframe environment, and now you can go get your hands dirty, you can break it and not worry, start creating overflows and just seeing how it works. I learned more setting up this machine to do demos than I did in seven or eight classes on mainframes. It's so awesome to have your hands on one, and it looks cool as hell, just call your IBM guy, you should be good. Now I need to thank some people. Mike (?) is all operating systems based. Lots of applications that run on the mainframe have been built not using best practices, from 60 years ago. Gentleman by the name of Dominic White, he gave a talk at Hack in the Box, he called it BIRP, big iron recon (?), does the exact same thing but does it for mainframe applications. There's another cool fact that 3270 client, well anyways, I'll let him talk about that. I need to thank the community. And IBM, I mean literally, I know I was making fun of IBM here a little bit, but I love the mainframe, really do, it's cool and I don't want to have a Stuxnet happen on the mainframe here because people don't know how to (?) I will put this up. Yeah. Yeah. >> (Speaking off-mic). (Applause)