Mainframe hacking

Attackers can also target large mainframes to harvest very sensitive data.

0 CVE Mainframe related

Strangely, there are 0 CVEs at the given time for any vulnerabilities on z/OS, and it is considered a highly secure platform.

The risk arises when a highly secure z/OS system is connected to a less secure Windows environment, from which attackers on a compromised network can attack z/OS.

Admins can also use smart cards or Kerberos to access the secure platform.

z/OS is the most common operating system for IBM mainframes.
Mainframes can hold large amounts of data, 10-20 TB, with 200 processors at 5 GHz each.

Mainframe Linux Windows 3270 Emulator

Programs related to mainframes include Quick3270 and WC3270.
A 3270 emulator is needed to interact with the mainframe.
This could be x3270 on Linux or wc3270 on Windows.
It can be compared to a special telnet client.
It can run on port 4080.
The greeting screen is called VTAM (Virtual Telecommunications Access Method), which gives access to multiple applications.
One of the more interesting is TSO, which provides command-line operation on a mainframe.
Some consider the Mainframe as the most secure platform in the world.

z/OS Password RACF Database

Passwords on z/OS are stored in the RACF database in a hashed format.
The passwords are often stored by default using the DES algorithm, which is limited to 56 bits.

Other TCP ports used on the mainframe are 23, 10023, 2323, 992 and 5023.
Telnet on port 23 will be identified as the tn3270 IBM Telnet service.

CICS was used earlier to connect multiple mainframes to process banking transactions.

IBM developed CICS in 1968 and promoted SNA networking before TCP/IP in the 90s.

CICS is like a combination of a CMS such as WordPress and classic middleware such as Tomcat or Apache.

CICS gives shortcuts to use in COBOL code and makes them available via VTAM.

By exiting the application with F3, the user gets back to the CICS screen or terminal.

The CICS terminal waits for a four-digit code to launch, such as CESN, the authentication program.

It is possible to brute-force transaction IDs with scripts.


Two interesting programs are:

CECI provides an interpreter for executing commands and for reading and writing files.

CEMT (CICS Master Terminal Program)

It controls resources on CICS: files, programs and transaction IDs.

Access to these two programs can be used to control CICS.

A Python script called CICSpwn makes this easier.

Often this works without authentication, giving access to sensitive data and code execution as well.
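From the defender's side, both behaviours described above (guessing transaction IDs, and CECI or CEMT being run from a terminal that never signed on) leave a recognisable pattern in transaction records. The following is an added example, not code from this page or from CICSpwn; the record layout, the `DFLTUSR` user ID and the threshold values are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not a real CICS log format):
# timestamp, terminal, user ID, transaction ID, outcome
SAMPLE_LOG = """\
2024-01-01T10:00:00 T001 ALICE CESN OK
2024-01-01T10:00:05 T001 ALICE PAY1 OK
2024-01-01T10:01:00 T002 DFLTUSR AAAA UNKNOWN
2024-01-01T10:01:01 T002 DFLTUSR AAAB UNKNOWN
2024-01-01T10:01:02 T002 DFLTUSR AAAC UNKNOWN
2024-01-01T10:01:03 T002 DFLTUSR AAAD UNKNOWN
2024-01-01T10:01:04 T002 DFLTUSR CEMT OK
2024-01-01T10:05:00 T003 BOB XYZ1 UNKNOWN
2024-01-01T10:06:00 T004 OPER1 CEMT OK
"""

SENSITIVE = {"CECI", "CEMT"}   # the two programs the page singles out
DEFAULT_USER = "DFLTUSR"       # hypothetical ID of a terminal that has not signed on


def parse(log):
    for line in log.splitlines():
        ts, term, user, tran, outcome = line.split()
        yield datetime.fromisoformat(ts), term, user, tran, outcome


def detect(log, threshold=3, window=timedelta(seconds=60)):
    """Return (alert_type, terminal, detail) tuples in the order they fire."""
    alerts = []
    misses = defaultdict(list)   # terminal -> [(time, tranid)] of unknown IDs
    flagged = set()              # terminals already reported for enumeration
    for ts, term, user, tran, outcome in parse(log):
        if outcome == "UNKNOWN":
            misses[term].append((ts, tran))
            # keep only the misses that fall inside the sliding window
            misses[term] = [(t, x) for t, x in misses[term] if ts - t <= window]
            distinct = {x for _, x in misses[term]}
            if len(distinct) >= threshold and term not in flagged:
                flagged.add(term)
                alerts.append(("TRANID_ENUMERATION", term, len(distinct)))
        elif tran in SENSITIVE and user == DEFAULT_USER:
            alerts.append(("UNAUTHENTICATED_SENSITIVE_TRAN", term, tran))
    return alerts
```

A single mistyped ID (terminal T003) and CEMT run by a signed-on operator (T004) raise no alert; only the burst of distinct unknown IDs and the unsigned-on CEMT call on T002 do.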