Mainframes are the lifeblood of global economies, powering mission-critical workloads. Our Mainframe Penetration Test offering, tailored for IBM mainframes running z/OS, aims to identify vulnerabilities and misconfigurations to fortify your system's security, ensuring it remains resilient against emerging threats.

Key Focus Areas

Testing an LPAR running z/OS is very similar to performing an infrastructure penetration test and involves very similar steps, but with a mainframe twist.

Mainframe Expertise With a Hacker's Mindset

Our consultants bring to the table the competence level you would expect from a Sysprog or security officer, together with the hacker mindset.

Knowledge Coming From Novel Research

We perform original mainframe security research, and our consultants have presented at conferences such as the GSE-NL Security Conference or have been mentioned at the Vanguard conference 2024.

Experts on the Surroundings of the Mainframe

Mainframes do not live in the void. They interface with different enterprise systems. Knowing how to attack and defend those systems gives Arctic Owl the edge to discover overlooked vulnerabilities on a z/OS installation.

Proven Track Record

Our team's track record spans dedicated penetration testing, pre-emptive vulnerability research, strategic advisory, and both traditional and TIBER red teaming across diverse mainframe environments.

Information Gathering

In a black-box assignment, the first part of an assessment will focus on mapping the attack surface. Our consultants will learn about the target mainframe by getting information via:

  • Reconnaissance using publicly available information such as:
    • DNS
    • Job postings
    • Mailing lists
    • Marketing material
    • Web searches
  • Port scans of systems in scope to identify the exposed services
  • Enumeration of:
    • TN3270 screens
    • VTAM Application IDs
    • Logical Units
    • CICS transactions
    • Network Job Entry
    • Web applications
  • Enumeration of the mainframe users via exposed services

A gray or white-box test will integrate this information with knowledge provided by the customer by means of documentation or meetings.

Authenticated Information Gathering

After getting access to the mainframe, our consultants will review:

  • RACF password policies
  • IPL parameters and information
  • Unprotected datasets (see section 1.3)
  • APF libraries
  • VTAM configuration
  • TCP parameters
  • z/VM information available from the current LPAR

If this information is not directly available, the testing team will try to extract it from storage (memory) or by exploiting a vulnerability or misconfiguration.

Resource Access

Our consultants will identify the resources that a user could access, with or without authorization, including:

  • Master catalog
  • User catalogs
  • Datasets in warning mode
  • Surrogat job submission
  • Extended access via Unix privileges or facility class
  • Access to ZFS/HFS VSAM datasets
  • Access to Unix resources and user data
  • Hardcoded credentials in jobs, datasets, and Unix files

CICS Testing

Testing CICS includes identifying any dangerous transaction which could be exploited to elevate a user’s privileges in the platform, get unauthorized access to data, or run code.

Testing of Other Application Servers

Our consultants will test commonly installed application servers such as Tomcat or WebSphere in the same manner as CICS. The configuration of management applications such as z/OSMF and the CICSPlex web interface will also be tested. The testing activities also include identifying how these applications communicate with a backend database, such as Db2.

However, depending on the number of applications and their complexity, dedicated mainframe application tests may be required.

Privilege Escalation

Malicious users usually need to obtain greater access permissions on applications and on the infrastructure those applications run on. Escalating privileges on a mainframe can follow many different strategies. The most common ones include the exploitation of:

  • Unprotected APF libraries in MVS
  • Unprotected APF binaries in USS
  • Unprotected CICS transactions
  • Vulnerable SVCs
  • Unprotected datasets used in scheduled jobs
  • Credentials in files or datasets
  • Unprotected Unix executables
  • Unprotected ZFSs or HFSs
  • Non-unique USS user IDs
  • Privileged DASD access
  • Password cracking
  • Forging PassTickets
  • Facility access

Exploitation

The consultants will try to exploit any software vulnerability and misconfiguration in a safe manner. This will prove what a threat actor could achieve when exploiting a vulnerability. If successful, this will further expand the attack surface.

Our testing team will contact the customer before attempting any exploitation which could impact the environment.

Cross-LPAR Access

The testers will identify and, where possible, exploit methods to move from one LPAR to another.

The analysis includes:

  • Password dependencies
  • Account dependencies
  • Cryptographic key re-use
  • Shared datasets
  • Shared DASDs
  • Shared USS filesystems

Segmentation and Exfiltration Checks

This step focuses on establishing if a malicious user has means to exfiltrate data from the mainframe to another system. Moreover, the consultants will explore possibilities to maintain unauthorized persistent access to the platform.

Exfiltration possibilities include, but are not limited to:

  • XMIT
  • FTP
  • IND$FILE
  • scp
  • sftp
  • writing custom binaries

Hardware Management Console and Support Elements

If the customer wishes, we can also check whether an attacker can reach the HMC or the SEs.

Targeted Assessment Options

Given the large amount of software and the many services that can run on a mainframe, the testing activities can be focused on a specific topic, such as:

  • Application testing, for example of a CICS application.
  • Testing of the integrations with the distributed world.
  • A penetration test focused solely on finding vulnerabilities that lead to privilege escalation, where a low-privileged user can access more resources than they should be able to.
  • Help with fine-tuning your detection capabilities by leveraging the intrusion detection system that is part of the Communications Server and by analyzing SMF records with external tools in your Security Operations Center.

Why Choose Our Mainframe Penetration Test

For years compliance has been the main driver for mainframe security, but this is not enough anymore, as different regulators now require proper penetration tests of these important enterprise beasts. Our consultants have extensive experience in the mainframe and the enterprise world around it and have worked on installations in multiple business areas across countries. They have also breached multiple mainframes during red team exercises and so have a deep understanding of which attacks are effective and can avoid detection.

Get Started

Interested in hearing more about our Mainframe Security Testing? Contact us today for a free consultation.

Frequently Asked Questions

Our process begins with an initial consultation to understand your specific requirements and environment. We then conduct a thorough assessment; throughout the engagement, we provide regular updates and insights to keep you informed of progress and findings. After the project is finished, we deliver a detailed report with all findings and actionable recommendations to help you improve your security posture.

The timeline of each assignment varies based on the complexity of your environment and the scope of the engagement. For typical smaller or mid-size projects, you can expect a timeline from start to finish of 2-4 weeks. More complex environments or technologies may require additional time. During our initial consultation, we'll provide a more specific timeline based on your requirements and budget.

We design our services to minimize disruption to your business operations. We always try to work closely with your staff to learn whether we are disrupting anything and to be smart about which features we avoid testing in production, to further reduce any potential impact. For most services, your users and staff will experience no disruption during the testing process.

How do you get started?

Our proven methodology ensures a smooth journey all the way from deciding what to test and how to test it, to having the final report and remediations in place.

1. Initial Consultation

Discuss your security objectives, compliance needs, and what you want to achieve.

2. Scoping & Agreement

We scope the project and provide an offering with test scope, schedule, and rules of engagement.

3. Decision Time

We refine the scope together until it perfectly matches your requirements and objectives.

4. Test Execution

We carry out the agreed security assessments, keeping you informed throughout the process.

5. Reporting & Review

We deliver a comprehensive report and conduct a debriefing to present findings and discuss remediation strategies with your stakeholders.

6. Retesting & Validation

You fix the identified vulnerabilities. We optionally come back to validate the effectiveness of your remediation efforts.
