RE: z/OS, OS/390 Pen testing tips/ideas/papers?

From: Davi Ottenheimer (dottenheimer@synchronnetworks.com)
Date: 01/30/03

    From: Davi Ottenheimer <dottenheimer@synchronnetworks.com>
    To: Nick Jacobsen <nick@ethicsdesign.com>
    Date: Thu, 30 Jan 2003 11:32:51 -0800
    
    

    > On Tue, Jan 28, 2003 at 05:24:22AM -0800, Nick Jacobsen wrote:
    > > Hi all,
    > > One of my clients has an IBM OS/390 running on one of their
    > > networks I am doing some security testing on, and considering I really
    > > have not dealt with any IBM mainframes before when it comes to
    > > security, I was hoping that some of you might be able to point me the
    > > right direction. Anything would be helpful, but especially from a
    > > penetration viewpoint.

    Nick,

    OS/390 and z/OS have significantly more similarity to the exposures of open
    systems than their predecessors (it's not just a "mainframe" anymore). For
    example, you will probably find some combination of hardware encryption,
    digital certificates, PKI, Kerberos, LDAP, SSL, or even regular UNIX System
    Services (USS -- Unix under MVS, formerly called OMVS). The latter is always
    a good place to start. I've worked with both RedHat and SUSE systems running
    Apache on z/OS USS that, as expected, had many of the typical *NIX vulns
    (but only to their own instance). Security gaps will also be related to the
    implementation of MQ Series, DB2, and Websphere (i.e. check out the redbook
    on websphere security --
    http://www.redbooks.ibm.com/redpieces/pdfs/sg246846.pdf).

    I suggest reading the z/OS security guidelines and docs and working backward
    from there. In other words, there are plenty of docs explaining how things
    *should* be done that will provide a scope for where to investigate. You
    might find this paper a good starting point:
    http://www.research.ibm.com/journal/sj/403/guski.html
    http://www.research.ibm.com/journal/sj/403/guski.pdf

    The Resource Access Control Facility (RACF) and use of the RACF Remote
    Sharing Facility (RRSF) also will tell you a lot about the system,
    especially if you can manage to access the system or, even better, find past
    audit reports... ;)

    Also, there are some tools available but I don't know much about them.
    http://www.goldisconsulting.com has an RACF password cracker.
    http://www.janusassociates.com has a penetration tool called
    "I.C.U...OS/390" and a cheesy but informative presentation about OS/390
    security (http://www.janusassociates.com/icu/pres.html).

    You also might want to ping some OS/390 security guys like Stuart Henderson
    (http://www.stuhenderson.com/XSERVAUT.HTM), Thierry Falissard
    (http://os390-mvs.hypermart.net/) or Nigel Pentland
    (http://www.nigelpentland.co.uk). They have some basic info online and could
    probably point you in the right direction.

    Hope that helps. Good luck,

    Davi

    +++ ------------------------------------------------------------- +++
    Davi Ottenheimer, CISSP      Synchron Networks, Inc.
    Chief Security Engineer      100 Enterprise Way, C230
    www.synchronnetworks.com     Scotts Valley, CA 95066
                                                                 
