Mainframe Hacking - Derbycon 5.0
8 likes9,057 views
The document outlines the author's journey in learning mainframe hacking, presenting a five-stage process that includes denial, anger, bargaining, depression, and acceptance. It highlights the challenges faced, such as overwhelming documentation and complicated systems, while also acknowledging the potential of mainframes. The author expresses enthusiasm for teaching and creating tools to assist others in their learning process.
Mainframe Hacking - Derbycon 5.0
- 2. @bigendiansmalls@bigendiansmalls The puzzle • Learn how to mainframe – Architecture – Language – Vernacular • Make it easier for others • Build and Port Tools • Get the word out
- 3. @bigendiansmalls@bigendiansmalls /ME • Enjoys RE, ASM, Learning, Not taking no for an answer • Relative n00b to MF haxoring • Loves a good puzzle • Really excited about continuing to teach ppl bout Gibsons • Here on behalf of myself, not employer IN HONOR OF HACKERS 20YR ANNIVERSARY, I BRING YOU:
- 4. @bigendiansmalls@bigendiansmalls 5 stages of learning mainframe 1. DENIAL
- 5. @bigendiansmalls@bigendiansmalls DENIAL • Most secure platform – If configured correctly ** • Antiquated tech – on it’s way out • Can’t be exploited by traditional means • A quick review:
- 6. @bigendiansmalls@bigendiansmalls obsolescence • Not. • Google it. • That’s enough
- 7. @bigendiansmalls@bigendiansmalls Antiquated • Ha! • Possible 100% uptime, protection against data loss • 5.5ghz 6 core ooo CISC – 100+ cores / TB’s of RAM – Nearly limitless storage etc etc
- 8. @bigendiansmalls@bigendiansmalls Trad’L hax no apply • Things like buffer overflows? • RCE?
- 11. @bigendiansmalls@bigendiansmalls Trad’L hax no apply • Well ……
- 12. @bigendiansmalls@bigendiansmalls 5 stages of learning mainframe 1. DENIAL 2. ANGER
- 13. @bigendiansmalls@bigendiansmalls ANGER • This is a complicated system • People help – Pay for it = good – Search for it = lulz • Manuals: thorough. Really thorough
- 16. @bigendiansmalls@bigendiansmalls Doco help overload • Manuals with IP in the title: – 16 Manuals in – 59.39 MB of PDF files – 13,384 Pages – Which one? Let’s read the titles:
- 17. @bigendiansmalls@bigendiansmalls • IPv6 Network and Application Design Guide • IP Diagnosis Guide • (IP) New Function Summary • IP Configuration Guide • IP Configuration Reference • IP Programmer's Guide and Reference • IP User's Guide and Commands • IP System Administrator's Commands • IP Sockets Application Programming Interface Guide and Reference • IP CICS Sockets Guide • IP IMS Sockets Guide • IP Network Print Facility • IP Messages Volume 1 (EZA) • IP Messages Volume 2 (EZB, EZD) • IP Messages Volume 3 (EZY) • IP Messages Volume 4 (EZZ, SNM)
- 18. @bigendiansmalls@bigendiansmalls 5 stages of learning mainframe 1. DENIAL 2. ANGER 3. BARGAINING
- 19. @bigendiansmalls@bigendiansmalls BARGAINING I Solemnly swear I will never, ever complain about a buggy Makefile, if you just let me please get this simple SSHD server set up on a mainframe before I die.
- 20. @bigendiansmalls@bigendiansmalls 5 stages of learning mainframe 1. DENIAL 2. ANGER 3. BARGAINING 4. DEPRESSION
- 21. @bigendiansmalls@bigendiansmalls Depression v1.0 • And also: – Protocol droids - existing mainframe workforce – No tribal knowledge - Lack of Howto's and FAQs – Documentation Overload
- 22. @bigendiansmalls@bigendiansmalls DEPRESSION v2.0 • Up against: – Vernacular – Words you have never heard or different meanings. – Tools - designed for developing, testing, and delivering complex workable production systems – No public disclosure
- 24. @bigendiansmalls@bigendiansmalls 5 stages of learning mainframe 1. DENIAL 2. ANGER 3. BARGAINING 4. DEPRESSION 5. ACCEPTANCE
- 25. @bigendiansmalls@bigendiansmalls ACCEPTANCE • Writing code with only 2 manuals, instead of 7. • Help others get involved. • Creating tools that others can use • Still want to test / secure – but no access or months to read manuals? How about ….
- 27. @bigendiansmalls@bigendiansmalls metasploit • What’s in thus far – Basic payloads (3 kinds, 2 flavors) • Bind / reverse shell w & w/o encoders – Built-in Command Shell w/decoder – Core files for translation, platform & architecture definition
- 28. @bigendiansmalls@bigendiansmalls Bind shell - enc • ~1300 bytes (large!) • Encoder included • Can use any client to connect, including std. MSF Command Shell
- 30. @bigendiansmalls@bigendiansmalls Rev shell - noenc • ~300 bytes (small for z) • No encoder • Must use client which does translation (MSF now includes!)
- 32. @bigendiansmalls@bigendiansmalls Post / Other • With fundamentals in place • Can do custom POST functions • Direct command execution – With screens
- 34. @bigendiansmalls@bigendiansmalls 3270 WIP • Early preview of native 3270 module in MSF • Used to echo screens, enter raw commands use valid credentials for POST exploitation
- 36. @bigendiansmalls@bigendiansmalls What’s next • GCC, GNU UTILS • Debug framework is on the radare • Further additions to MSF – Customized Meterpreter – JCL Creator – Full TN3270 emulation • File transfer / Command execution • Moar training & teaching
- 37. @bigendiansmalls@bigendiansmalls THANKS! CONTACT NFO IBM SoF – Graphics, moral support Others in the community http://www.bigendiansmalls.com @bigendiansmalls mainframe@bigendiansmalls