ca world - mft1755 - gaps in your defense hacking the mainframe - philip young

World®’16

GapsinyourDefense:HackingtheMainframePhilipYoung,Co-Founder,ZedSec390

MFT1755

MAINFRAMEANDWORKLOADAUTOMATION

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespec\vecompanies.

ThecontentprovidedinthisCAWorld2016presenta\onisintendedforinforma\onalpurposesonlyanddoesnotformanytypeofwarranty.Theinforma\onprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInforma\onalPurposesOnlyTermsofthisPresenta\on

3 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Abstract

Themainframeisthemission-essen\albackboneoftheenterprise,housingover70percentofcorporatedata,touchingmorethanhalfofallapplica\ons,andconnec\ngtotheinternetandInternetofThings(IoT)throughAPIs.However,intheenterprisesecuritydiscussion,themainframeisoaenpresumedtobeinherentlysecure.Thissessionwilldiveintothecurrentstateofmainframeofmainframehacking,whyhackersaretakingalargerinterestintheplaborm,adiscussionofcomplianceversussecurityandnextstepsonhowyoucanop\mizethesecurityofyourmostmission-essen\albusinessasset.

PhilipYoung

ZedSec390Co-Founder

4 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Disclaimer

I’mnothereinthenameoforonbehalfofmyemployer.Allopinionsexpressedherearemyown.

PhilipYoung

ZedSec390Co-Founder

5 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

6 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

7 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

8 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

9 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

10 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

11 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLDLogicaSecurityIncidentInves3ga3on:Bilaga_A.pdfSource:h=ps://wikileaks.org/goArid-docs/

12 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLDCastleWallsUnderDigitalSiege:Risk-basedSecurityforz/OS–CAWorld‘15Source:h=ps://www.youtube.com/watch?v=CySiZOaY2T0

13 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

CommonMyths

IT’SNOTONTHEINTERNET

IT’SIMPENETRABLE

HACKERSDON’TKNOWABOUTITHACKERSDON’TKNOWABOUTIT

BUTWE’REAUDITEDALLTHETIME!?

14 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

The‘IMP’

§  Startedin2013§  Tools:

–  MassScan–  Nmap–  Python–  X3270–  LinuxVPS

§  Databaseof400+mainframes

hkps://mainframesproject.tumblr.com/

InternetMainframesProject

15 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

16 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

17 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

18 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

19 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

ItDoesn’tMa=er

20 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

EnterprisesareFlat

§ Manylargeenterprisesexperiencedabreachin2015

§  Flatnetworks

§  Nofirewallbetween“Corporate”networkandmainframe

21 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

HackingtheUnhackable

§  Fromthenetwork

§  Noknowledgeofthesystem

§  Steps–  Gatherinforma\on–  Profilethesystem–  Launchakacks

Toolsreleased/updatedin2015/2016

22 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Nmapin2015/2016

• Anon?• SITE?• OSVersion?

• Informa\on• VTAM?• CICS?• TSO?

• Version?• Nikto?• BURP?• Enumerate?• JavaObjects

23 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

TN3270Screen

24 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

VTAMEnumera\on

25 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

TSOUserEnumera\on

26 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

27 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

CICSTransac\onEnumera\on

28 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

29 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

CICSpwn

30 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

CICSpwn:TSOShell

31 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

CICSpwn:TSOShell

32 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

FTPAuthorizedCodeExec

33 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

WhatCanIDo?

§  Complianceisliterallythestart

§  Justbecauseyou’recompliantdoesn’tmean:–  Thecompliancerulesarewelldone–  Representcurrentthreats–  Matchcurrentbaselines

§  VulnerabilityScanning?

34 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

GapAssessment

§  Compareyourrequirementstoastandard

§  Howdoyoucompareandcontrast?

§ Who’sexper\seareyourelyingon?

35 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

GoBeyondCompliance

§  zAssure?§  Iden\fyingDataAssets?§  LoggingandMonitoring?

–  zSecure–  IronStream–  Vanguard

§  Penetra\onTes\ng?

36 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Ques\ons?

37 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

CICSpwnh=ps://github.com/ayoul3/cicspwn

NmapScriptsh=ps://github.com/zedsec390/NMAP

Metasploith=ps://github.com/rapid7/metasploit-framework

Contact&ReferencesTwi=er:@mainframed767E-Mail:mainframed767@gmail.com

38 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Stayconnectedatcommuni\es.ca.com

Thankyou.

@CAWORLD#CAWORLD ©2016CA.AllRIGHTSRESERVED.39 @CAWORLD#CAWORLD

MainframeandWorkloadAutoma3on

Formoreinforma\ononMainframeandWorkloadAutoma\on,pleasevisit:hkp://cainc.to/9GQ2JI