A mainframe is just another computer. It simply has way more toys for a hacker to play with!
As you probably know, we at Truesec do our fair share of red team exercises, where we go after a target enterprise and their so-called high value targets. If our customer has a mainframe, that is always in the high value target list.
As with any other IT system, an attacker always tries to expand their access and control on the platform right after getting initial access.
When we do this, we need to evade detection and, at the same time, make sure that we treat all the customer data with the highest security posture.
So I started wondering, if we have access to a mainframe in some way:
- Is it possible to bypass firewalls and get access to filtered ports?
- Are the tools in z/OS enough to get a secure, encrypted reverse shell?
This led to a tool which mixes a little bit of SSH, some character trans-coding, stirs with some shell magic and gets remote code execution plus reverse SSH on a mainframe. Only with FTP access. From the Internet.
Now, I want to share my own research and experience on mainframe hacking.
This Thursday, September 5, I’ve been asked to speak about this with a talk titled “Put Your Money Where Your Mouth Is – Let’s Hack a Mainframe.” at NECC Cyber Security Industry Day in Karlskrona. The talk is not just for hackers; it might also interest techies who have to work on a mainframe that still uses clear-text communication and do not want to expose information over the network.
I’ve spent more than ten years attacking, red teaming and defending complex network systems based on Windows, Linux, mainframes, OS X, and other Unix-based operating systems. So please, reach out if you have questions about mainframes, hacking or cybersecurity!