2015 Year in Review
With the new year upon us I thought it would be a good idea to do a short little year in review of talks and conferences I went to, tools and updates released, and what's coming up in 2016.
Talks
This was a banner year for speaking for me. It saw me giving my first ever keynote at SHARE Seattle 2015. When I was invited to speak at SHARE it was an honor but also a very nerve-racking experience. This was the first time I was in front of people who might actually be able to call me on my shit. You can read some of my thoughts here.
Beyond SHARE I also spoke at Advisory Councils in Dublin and San Diego, at BSidesLV, Skytalks and DEFCON!
DEFCON also saw the introduction of my partner in crime @bigendiansmalls! We’ve had such a blast working on mainframe security together.
@bigendiansmalls really took to DEFCON and was even interviewed by Hak5:
After security summer camp I gave another keynote at MISTI: ITAC and ended with my last (for the year) keynote at GSE Amsterdam (thanks Henri!).
I was truly lucky to have given this many talks, but I wanted to post about some of my misses, most notably RSA. I've been trying to get a talk into RSA for a bit now because I feel like mainframes are something they should care about, but either the stuff we're doing isn't leet enough, vendor-y enough, or (most likely) I missed the submission window because it closed right after DEFCON/BlackHat and I was still recovering.
Other than RSA I also submitted to BlackHat, but it was kind of a samesie talk from the last time so it was no surprise it didn't really get accepted. Maybe 2016!
Tools!
At the end of 2014 I had a collection of python scripts and some goals for 2015: create a TN3270 'banner' grabber for Nmap and explore Network Job Entry.
Nmap:
I started with a Lua engine (all Nmap scripts are Lua) and Wireshark and started deconstructing the connection handshake. Once I had it working well enough I would test it against a real internet mainframe. And it would fail spectacularly. Eventually I just decided to buckle down and read the x3270 source code. Once I was done with that I had created a fully functional TN3270 emulator in the Nmap scripting engine!
On top of the TN3270 library I also updated the probes (with the help of Daniel Miller, thanks!) to help correctly identify open ports running NJE/TN3270!
If you want to know more about Nmap and mainframes check out this post: Mainframes and Nmap - Together at last.
Because I wrote a TN3270 library in Lua I thought why not turn around and write one in Python as well. So, if you ever need it, you can use this python library to do fun mainframe stuff: https://github.com/zedsec390/tn3270lib
Network Job Entry (aka NJE)
Finally having the time and resources to research NJE I started the same way: some mainframes and Wireshark. Once that proved indecipherable (SCB compression? what the hell is that?) I was "happy" to find that the protocol is fairly well documented. Reading the book HAS2A620 which, albeit a little obtusely, explains the protocol in detail allowed me to write the NJE python library. Once I had a library I was able to write iNJEctor, a python script that allows you to submit NJE JES2 commands to a node on a mainframe network, so long as you know the node names.
Right now the library (and iNJEctor) is included as part of the DEFCON 23 CD, but expect a re-release this year since I've made some pretty major changes/additions to the code. Meanwhile here's a screenshot of the new library in action with iNJEctor:
Once I made the library it was trivial to make some scripts and new service probes for Nmap. And now, as of Nmap 7, the NJE node brute forcer is included.
Beyond these two items I also decoded the USS Table and made some sick logon screens for our mainframes:
And I also put together some new ascii art for Metasploit (since @bigendiansmalls added a whole new arch!)
@bigendiansmalls!
This year BeS and I started working more closely together. Watching him go from mentee to surpassing me has been amazing. Dude is an animal and I’m super excited to see what he accomplishes in 2016.
If you haven't, you really need to be reading his blog at http://www.bigendiansmalls.com/. Some important articles:
A (mostly) useful debugger on z/OS
Mainframe Shell – Metasploit Framework
Mainframe Security Derbycon Slides and Video
2016!
2015 was a great year. It really saw some significant changes and advancements in mainframe security, and I'm hoping to use some of the momentum I have to continue building new tools and speaking opportunities. Off the top of my head (please don't hold me to this) here's what I'm working on and hoping to accomplish in 2016:
Re-start/Continue the ‘IMP’ (aka Internet Mainframe Project)
Automate testing with BIRP (not a typo)
Include tn3270 Nmap library with Nmap
Write a book
Learn zArch assembly (a goal since 2013, haha)
Add JCL and other features to the NJE library
Research CICS more thoroughly
Work on zArch implementation in Radare2 or Capstone
Whoa, that's a pretty long list already; hope I can live up to the hype.
Thanks!
Lots of thanks goes out this year. I wanted to thank SHARE and the people I met there for an awesome experience. Of course @bigendiansmalls, but also @singe (Dominic) for his help and support, as well as Bart Kulach for his awesome DEFCON 23 talk! My wife, for helping me out when I'm all stressed from all these talks and taking care of the kids while I'm traveling. Keith (whom I met at SHARE) for great suggestions and conferences, and finally Henri for inviting me to GSE but more importantly giving me some 'ossum' ideas and some great discussion.