Re: z/OS, OS/390 Pen testing tips/ideas/papers?

From: visigoth (
Date: 01/30/03

  • Next message: Rainer Duffner: "Re: z/OS, OS/390 Pen testing tips/ideas/papers?"
    Date: Wed, 29 Jan 2003 21:08:40 -0600
    From: visigoth <>
    To: Nick Jacobsen <>

    On Tue, Jan 28, 2003 at 05:24:22AM -0800, Nick Jacobsen wrote:
    > Hi all,
    > One of my clients has an IBM OS/390 running on one of their networks I
    > am doing some security testing on, and considering I really have not dealt
    > with any IBM mainframes before when it comes to security, I was hoping that
    > some of you might be able to point me the right direction. Anything would
    > be helpful, but especially from a penetration viewpoint.

    I haven't particularly touched any OS/390 boxen, but in testing other "big
    iron" systems like OS/400 we often find that the most common security
    vulnerability is STILL default passwords and accounts. I have assessed
    banks who still have default accounts in place for accounts ranging from
    user template accounts all the way to the QSECOFR account. If the box
    you're assessing seems to have any standard authentication interfaces
    available, I would start there.... The next issue after that in frequency
    is usually internally developed web based apps with gaping holes.

    Cheers (and good luck ;)


    	Damieon Stark		| Microsoft: Where do you want to go today?
    e:	| Linux: Where do you want to go tommorow?
    	p: 612.382.6945		| FreeBSD/Sun: Are you guys coming or what?
    	pgp: 0xBE5D0C57		| - To the Nth!		| - The power to serve!
    I'll see your DMCA and raise you a First Amendment.