My Return from Vanguard Compliance & Security and CA World
Last week I had the honor of speaking at both CA World and the Vanguard Compliance & Security Conference.
As promised I made all the slides available over at SlideShare (http://www.slideshare.net/PhilipYoung14/philip-young-current-state-of-mainframe-hacking-vanguard-101016, http://www.slideshare.net/PhilipYoung14/advanced-mainframe-hacking and http://www.slideshare.net/PhilipYoung14/ca-world-mft1755-gaps-in-your-defense-hacking-the-mainframe-philip-young). In the rest of this write-up I’m going to cover the tools I discussed, with some demos and links to where you can find the tools.
Before I get started I wanted to say a HUGE thank you to CA World and Vanguard C&S for having me speak at their conferences.
Network Scanning With Nmap:
https://github.com/zedsec390/NMAP
Basically get a current version of Nmap (for Linux) and download these scripts to a folder. You need the library file tn3270.lua for most of them to work. You run them by passing the script name to nmap:
nmap -sV -p 992 <ip address> --script vtam-enum
For more verbosity/debug information you can use -v through -vvvv and -d through -dddd; the more v's or d's you add, the more detailed the output gets.
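As an added example (not part of the original post or the NMAP repo), here is a small Python script that takes the XML a scan like the one above produces with -oX and turns it into an exposure report of TN3270 access points, so a mainframe owner can check which LPARs answer on port 23 or 992 and whether the service is wrapped in TLS. The sample XML is constructed, the address is a documentation address, and the script output string is a placeholder; the element and attribute names (host, port, state, service, tunnel="ssl", script id/output) are the ones nmap actually writes.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output (not a real scan): one host with
# port 992 open behind TLS and a placeholder NSE script result attached.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 23,992 -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="992">
        <state state="open" reason="syn-ack"/>
        <service name="telnets" tunnel="ssl" method="probed"/>
        <script id="vtam-enum" output="PLACEHOLDER-SCRIPT-OUTPUT"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Ports a TN3270 service is normally reachable on: 23 (cleartext), 992 (TLS).
TN3270_PORTS = (23, 992)


def parse_nmap_xml(xml_text):
    """Return one dict per open port, carrying service info and NSE script output."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else None
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            service = port.find("service")
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": service.get("name") if service is not None else None,
                # nmap sets tunnel="ssl" when the service probe succeeded over TLS
                "tls": service is not None and service.get("tunnel") == "ssl",
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
    return findings


def tn3270_exposure(findings, ports=TN3270_PORTS):
    """Keep only open ports that look like TN3270 access points."""
    return [f for f in findings if f["port"] in ports]


def risk_lines(exposure):
    """Human-readable report lines; cleartext TN3270 is called out explicitly."""
    lines = []
    for f in exposure:
        transport = "TLS" if f["tls"] else "CLEARTEXT"
        line = f"{f['host']}:{f['port']}/{f['proto']} {f['service']} ({transport})"
        if f["scripts"]:
            line += " scripts=" + ",".join(sorted(f["scripts"]))
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in risk_lines(tn3270_exposure(parse_nmap_xml(SAMPLE_NMAP_XML))):
        print(line)
```

Point this at real -oX output and any host reported as CLEARTEXT on port 23 is a candidate for moving behind TLS or an access control list; the script names attached to each port tell you which of the NSE scripts above already had something to say about it.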
Demos: VTAM APPLID Enumeration, NJE Node Brute Forcing and TSO User ID Enumeration
Logica Breach Code
https://github.com/mainframed/logica
I mentioned the Logica breach during my talk and talked briefly about the exploits and code that were used. Located here are all the files from the Logica breach (which you can read everything about here: https://wikileaks.org/gottfrid-docs/), retyped by hand for historical purposes. The only one not in that batch is DeFeNeStRaTe.C (https://github.com/mainframed/logica/blob/master/DeFeNeStRaTe.C). Really interesting stuff. Also of interest is https://github.com/mainframed/logica/blob/master/kuku.rx, which works on unpatched z/OS 1.10.
Demo: Screenshot of DeFeNeStRaTe.C
CICSpwn
https://github.com/ayoul3/cicspwn
This tool is cool as hell and can be used to conduct penetration tests against CICS. Written in Python, it can be used to identify weaknesses in CICS security implementations.
Demos: CICSpwn gathering information, CICSpwn uploading a TSO shell, Netcat being used to connect to that shell
PrivEsc (ELV.APF)
https://github.com/ayoul3/Privesc
This is the coolest one. It came out WHILE I was at the conference. @zospentest (@ayoul3__ on Twitter) released this awesome REXX script. Basically it takes what Mark Wilson (@ich408i on Twitter) has been talking about for a while and automates chunks of it. If you’ve never seen Mark’s talks at SHARE or GSE, do yourself a favor and try to find them.
Demos: ELV.APF on a test system.
Metasploit
For those who don’t know, @bigendiansmalls is the MAN! He worked hard to add zARCH to Metasploit, which means you can now do cool things like FTP JCL to shell. It’s seriously cool. No links to the Metasploit GitHub because it’s a pain to build yourself; just get Kali Linux if you want to mess around with it (that’s right, mainframe hacking tools come built into Kali Linux now, how cool is that?!)
Demo: Metasploit using JCL, FTP and assembler to get a Unix shell.
Thanks again to everyone who attended my talks, I hope you enjoyed attending them as much as I enjoyed giving them!
If any of this interests you, you’ll be happy to know that both @bigendiansmalls and I will be speaking at RSA 2017 and at SHARE in San Jose! Hope to see you there!