You say SCADA, I say … mainframes. There are some remarkable - and scary - parallels between the worlds of SCADA ICS and mainframes. Each system is critical to our lives. Their worlds are insular, proprietary, and seemingly shut off to everyone else. Except for when they aren’t. Extrapolate the future of security for mainframes based on the challenges and failures of SCADA ICS as it has evolved from sequestered to connected. SCADA serves as a cautionary tale for securing mainframes against acts of God, nature and man in this scenario of a Stuxnet for Mainframes.
2. Cheryl Biswas
• Security researcher/analyst Threat Intel
• APTs, Mainframes, ICS SCADA, Shadow IT, StarTrek
• BSidesLV, Circle City, BSidesT0, SecTor, Hackfest, TiaraCon
• https://whitehatcheryl.wordpress.com
• Twitter: @3ncr1pt3d
DISCLAIMER: The views represented here are solely her own and not those of
her employers, past or present.
11/4/2016@3ncr1pt3d A Stuxnet For Mainframes
18. MAINFRAMES - BUILT TO LAST
• High Availability
• Longevity
• Virtualization
• The ability to offload to separate engines
• Backward compatibility with older software
• Massive Throughput
https://en.wikipedia.org/wiki/Mainframe_computer
21. SCADA | MAINFRAME
SCADA                               MAINFRAME
❏ Culture                           ❏ Culture
❏ Security Approach                 ❏ Security Approach
❏ Perceptions                       ❏ Perceptions
❏ Built to Last                     ❏ Built to Last
❏ Closed off                        ❏ Closed off
❏ Does not play well with others    ❏ Does not play well with others
36. SCADA - JUMPING AIR GAPS
• Designed for underwater communication
• Near ultrasonic frequency
• Remote key logging for multiple hops
http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600
38. MAINFRAMES & SCADA - THE LINKS
• Similar in Culture
• Lack of security
• Perceived as secure
• “Air Gapped”
• “See no evil” – cuz you don’t see it if you aren’t looking
40. BUT IT’S AIR GAPPED
“Mainframe modernization or exposing the classic system of record data to new services means that the data is no longer isolated on the mainframe – the world is now “unknown, unknown.” We have lost sight and control of where the data is going the minute we try to harness mainframe data for other purposes than batch or transaction applications.”
– zOS Expert
41. MAINFRAME - LACK OF ATTACK DATA
Because … What you don’t see won’t hurt you
45. MAINFRAME - EXPLOIT RESEARCH
Bigendiansmalls
https://www.bigendiansmalls.com/category/security/exploit-development/
46. MAINFRAME - NMAP
Can now detect Mainframe ports
Mainframe banners are not static
More accessible to others for hacking
http://mainframed767.tumblr.com/post/132669411918/mainframes-and-nmap-together-at-last
http://mainframed767.tumblr.com/post/47105571997/nmap-script-to-grab-mainframe-screens
47. MAINFRAMES - BIND SHELLCODE
Mainframe assembler
EBCDIC to ASCII converter
Connect with NetCat
https://www.bigendiansmalls.com/mainframe-bind-shell-source-code/
[Diagram: ASCII to EBCDIC and EBCDIC to ASCII conversion between the client and the mainframe]
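An added example (my code, not the speaker's or bigendiansmalls' converter): translating between ASCII and EBCDIC with Python's cp037 codec, and deciding which encoding a captured byte string uses, which is what a defender needs when reading mainframe banners, 3270 screen captures or transferred files. The "AAAA" fills on the later slides are 0xC1 bytes on the mainframe, not 0x41. The sample banner text is constructed.

```python
import string

# IBM code page 037 (EBCDIC, US/Canada). z/OS Unix System Services often
# use cp1047; the two differ only in a few punctuation positions.
EBCDIC = "cp037"
PRINTABLE = frozenset(string.printable)

def ascii_to_ebcdic(text: str) -> bytes:
    """Encode text as EBCDIC: 'A' -> 0xC1, ' ' -> 0x40, '0' -> 0xF0."""
    return text.encode(EBCDIC)

def ebcdic_to_ascii(data: bytes) -> str:
    """Decode EBCDIC bytes to text; unmappable input raises, not guesses."""
    return data.decode(EBCDIC)

def printable_ratio(text: str) -> float:
    """Share of printable ASCII characters. Control codes and accented
    letters produced by decoding with the wrong code page count against it."""
    return sum(ch in PRINTABLE for ch in text) / len(text) if text else 0.0

def guess_and_decode(data: bytes) -> tuple:
    """Decide whether captured bytes (FTP banner, 3270 screen fragment,
    transferred JCL) are ASCII or EBCDIC by decoding both ways and keeping
    the reading with more printable ASCII in it."""
    try:
        as_ascii = data.decode("ascii")
    except UnicodeDecodeError:
        as_ascii = ""  # bytes >= 0x80 rule out plain ASCII
    as_ebcdic = data.decode(EBCDIC, errors="replace")
    if printable_ratio(as_ebcdic) > printable_ratio(as_ascii):
        return "ebcdic", as_ebcdic
    return "ascii", as_ascii

# Constructed banner modelled on a z/OS FTP greeting; host name and release
# string are invented for the example.
SAMPLE_BANNER = "220-FTPD1 IBM FTP CS V2R2 at MVS1, 12:00:00 on 2016-11-04."

if __name__ == "__main__":
    wire = ascii_to_ebcdic(SAMPLE_BANNER)
    print(wire[:4].hex())  # f2f2f060; the same '220-' in ASCII is 3232302d
    print(guess_and_decode(wire))
```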
49. MAINFRAMES - STACK BUT DIFFERENT
▪ Mainframe prologue creates Dynamic Storage Area
▪ Points to next free byte on the stack used
▪ Does not subtract from ESP to allocate space
▪ Register used as a stack pointer
▪ Not forced to do so.
https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-and-cease-and-desist-letters-guest-post-2/
50. ALLOCATION OF MEMORY - FUNCTION PROLOGUE
[Diagram: x86 stack at the moment MAIN() calls a function. Addresses 0x8012343 to 0x8012345; the frame holds the return IP and the saved frame pointer (SFP); EBP and ESP point into the frame.]
51. ALLOCATION MEMORY - FUNCTION PROLOGUE
[Diagram: the same stack after the prologue of FUNCTION(). Below the IP and SFP, ESP has been moved (ESP -28) to reserve the function's allocated memory.]
53. ALLOCATION MEMORY - DSA PROLOGUE
[Diagram: MAIN() “calls” a function; the prologue allocates a Dynamic Storage Area (DSA NOT STACK) holding the IP, a Save Area and a pointer to the original DSA.]
54. HOW TO EXPLOIT - STRING EXPLOITATION != WIN
Not gonna happen
Always aware of length
[Diagram: two strings (“StringStringString…”) each stored together with an explicit Length field, and an “AAAAAAAAAA” input.]
https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-and-cease-and-desist-letters-guest-post-2/
55. MAINFRAMES - UNIQUE TO EXPLOIT
S0C1 Exception
[Diagram: memory containing data sits next to OPCODES; with no size checking, an overflow of “AAAAAAAAAAAAAAA…” causes execution to branch to another memory location, and a byte that is not a valid OPCODE (“OPCODE does not exist”) raises the S0C1 exception.]
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le
57. MAINFRAMES - UNIQUE TO EXPLOIT
Globally addressed arrays
S0C1 Exception
[Diagram: DSA chain (DSA Level 0, DSA Level 1, DSA 2, DSA 3) with Register 14 = RP; the procedure returns to Level 1 but actually executes code in DSA 2.]
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le
58. MAINFRAMES - INSECURITY OF MEMORY
Memory not more secure than Windows or Unix.
No “DEP”
No strict ASLR
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le
62. FTP METASPLOIT MODULE
ARCH_CMD               Executes a command, or uses a command to give a shell
Platform: Mainframe    Uses the Mainframe payloads of Metasploit
Target: Automatic      Only works with IBM FTP CS V.R.
Requires Credentials   Credentials allow a file to be uploaded
Debugging enabled      Can enable Verbose and FTPdebug
https://www.bigendiansmalls.com/a-logical-first-step/
https://www.rapid7.com/db/modules/exploit/mainframe/ftp/
63. FTP METASPLOIT MODULE
Checks Banner
If banner correct, logs in and uploads file
File is uploaded as JOB & executes
https://www.bigendiansmalls.com/a-logical-first-step/
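Added example, not code from the talk or from Rapid7: detection logic for the upload step described above (a file uploaded over FTP that runs as a JOB), run over constructed FTP command-log lines. It assumes the collector exports one command per line in the key=value layout shown; on z/OS itself FTP activity is recorded in SMF records, so the parser would need adjusting. The allowlist is a hypothetical tuning knob for known batch schedulers.

```python
import re

# Constructed FTP server command log in a generic key=value layout. Real
# z/OS FTP activity lands in SMF records (types 118/119) with different
# fields; adapt LINE_RE to whatever the collector exports.
SAMPLE_LOG = """\
2016-11-04T12:00:01 sess=17 user=OPER01 src=10.1.2.3 cmd=USER OPER01
2016-11-04T12:00:02 sess=17 user=OPER01 src=10.1.2.3 cmd=SITE FILETYPE=JES
2016-11-04T12:00:03 sess=17 user=OPER01 src=10.1.2.3 cmd=STOR run.jcl
2016-11-04T12:00:04 sess=17 user=OPER01 src=10.1.2.3 cmd=QUIT
2016-11-04T12:01:10 sess=18 user=APPUSR src=10.1.2.9 cmd=SITE FILETYPE=SEQ
2016-11-04T12:01:11 sess=18 user=APPUSR src=10.1.2.9 cmd=STOR 'APP.DATA.LOAD'
2016-11-04T12:02:00 sess=19 user=SCHED01 src=10.1.2.5 cmd=SITE FILETYPE=JES
2016-11-04T12:02:01 sess=19 user=SCHED01 src=10.1.2.5 cmd=STOR nightly.jcl
2016-11-04T12:03:00 sess=20 user=RPTUSR src=10.1.2.7 cmd=SITE FILETYPE=JES
2016-11-04T12:03:01 sess=20 user=RPTUSR src=10.1.2.7 cmd=RETR JOB01234
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sess=(?P<sess>\d+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) cmd=(?P<cmd>.*)$")

def find_job_submissions(log_text, allowlist=frozenset()):
    """Return one record per STOR issued while the session is in FILETYPE=JES
    mode, i.e. an upload the FTP server hands to JES as a job instead of
    writing it to a dataset. Users in `allowlist` (known schedulers or
    deployment IDs) are skipped so the output stays reviewable."""
    jes_mode = {}  # session id -> True while SITE FILETYPE=JES is in effect
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not fit the layout
        sess = int(m["sess"])
        verb, _, arg = m["cmd"].strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "SITE":
            # FILETYPE=JES selects the JES interface; FILETYPE=SEQ (the
            # default) returns the session to ordinary dataset transfers.
            setting = arg.upper().replace(" ", "")
            if setting.startswith("FILETYPE="):
                jes_mode[sess] = setting == "FILETYPE=JES"
        elif verb == "STOR" and jes_mode.get(sess) and m["user"] not in allowlist:
            hits.append({"ts": m["ts"], "sess": sess, "user": m["user"],
                         "src": m["src"], "name": arg})
        elif verb == "QUIT":
            jes_mode.pop(sess, None)  # session ended; forget its state
    return hits
```

Reading job output (RETR after FILETYPE=JES, session 20) is deliberately not flagged; widen the rule if that matters in your environment.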
64. GENERIC JCL TEST FOR MAINFRAME EXPLOITS
This can be used as a template for other JCL based payloads
https://www.rapid7.com/db/modules/payload/cmd/mainframe/generic_jcl
https://www.bigendiansmalls.com/a-logical-first-step/
65. Z/OS (MVS) COMMAND SHELL, REVERSE TCP
Creates a reverse shell. This implementation does not include EBCDIC character translation, so a client with translation capabilities is required. MSF handles this automatically.
https://www.rapid7.com/db/modules/exploit/mainframe/ftp/ftp_jcl_creds
https://www.bigendiansmalls.com/mainframe-bind-shell-sourc
72. SCADA - STUXNET
• Air Gap bypass
• APT
• C2
• Self erasing
• Specific to system it wants
• Nation State
73. SCADA -THE THREAT IS REAL
• Dec 2015: Power grid attack in Ukraine
• March 2016: Ransomware hits US power company in Michigan
• June 2016: Irongate, targeted ICS malware in testing stage
75. We’re here to say history doesn’t need to repeat itself. Especially not when we know how dire the outcome could be. SCADA gives us the lessons we need to learn from and apply to mainframe security. The question now is - will we do it?
79. THE KEYS TO THE KINGDOM
▪ Obtain Domain admin level creds
▪ Gain a copy of NTDS.dit for Kerberos golden tickets to move freely
▪ Identify the backup and recovery systems, including DRP
▪ Identify the critical data and services (mission critical)
▪ Identify messaging servers
▪ Find and compromise application distribution platforms
82. HOW TO GET YOUR FEET WET
Researchers to Research
• https://www.bigendiansmalls.com/
• http://mainframed767.tumblr.com/
• Mainframe Assembly
• http://www.cbttape.org/ftp/asmbook/alnv200.pdf
83. HOW TO GET YOUR FEET WET
• Virtualization software to play locally
• http://www.bsp-gmbh.com/turnkey/
• http://mvs380.sourceforge.net/
• https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/mainframe-insecuritites-or-hack-the-gibson-no-really/