Discussion:
Seeking a tool to do a network security scan of z/OS
(too old to reply)
Dyck, Lionel B. , RavenTek
2018-07-11 19:53:47 UTC
Permalink
Is there a tool available that can do a network security scan of a z/OS system to identify network vulnerabilities?

thanks

--------------------------------------------------------------------------
Lionel B. Dyck (Contractor) <sdg><
Mainframe Systems Programmer - RavenTek Solution Partners



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
ITschak Mugzach
2018-07-11 20:35:32 UTC
Permalink
Do you mean outside of the mainframe? Not as a single package, but NMAP
will show you which ports are opened on the mainframe. If your mainframe
answers the scan, you already have a problem... Now assume that port 25 is
open and your mail server is configured an MTA. One can connect to the
server with HELLO call and send emails under fake name and domain as spam
to collect userids, passwords and other secrets.

It's a good idea to have an extra agent to IronSphere to do that -)

ITschak

On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) <
Post by Dyck, Lionel B. , RavenTek
Is there a tool available that can do a network security scan of a z/OS
system to identify network vulnerabilities?
thanks
--------------------------------------------------------------------------
Lionel B. Dyck (Contractor) <sdg><
Mainframe Systems Programmer - RavenTek Solution Partners
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Seymour J Metz
2018-07-12 16:36:19 UTC
Permalink
Does your SMTP server not do authentication? That would certain get the auditors' attention.

Do your users respond to phish attempts? Another security problem, and one that has nothing to do with the mainframe.

I suppose it's to much to expect for users to look at the trace fields to determine the provenances of messages.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-***@listserv.ua.edu> on behalf of ITschak Mugzach <***@GMAIL.COM>
Sent: Wednesday, July 11, 2018 4:35 PM
To: IBM-***@listserv.ua.edu
Subject: Re: Seeking a tool to do a network security scan of z/OS

Do you mean outside of the mainframe? Not as a single package, but NMAP
will show you which ports are opened on the mainframe. If your mainframe
answers the scan, you already have a problem... Now assume that port 25 is
open and your mail server is configured an MTA. One can connect to the
server with HELLO call and send emails under fake name and domain as spam
to collect userids, passwords and other secrets.

It's a good idea to have an extra agent to IronSphere to do that -)

ITschak

On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) <
Post by Dyck, Lionel B. , RavenTek
Is there a tool available that can do a network security scan of a z/OS
system to identify network vulnerabilities?
thanks
--------------------------------------------------------------------------
Lionel B. Dyck (Contractor) <sdg><
Mainframe Systems Programmer - RavenTek Solution Partners
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Dyck, Lionel B. , RavenTek
2018-07-12 16:39:03 UTC
Permalink
There are various tools that do network scans looking for vulnerabilities on the systems being scanned and while we have them for windows, *nix platforms, there seem to be none (that we can find) that will test the security of the network interfaces on z/OS. That is what we are looking for.

thx

--------------------------------------------------------------------------
Lionel B. Dyck (Contractor) <sdg><
Mainframe Systems Programmer - RavenTek Solution Partners


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Seymour J Metz
Sent: Thursday, July 12, 2018 11:35 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Seeking a tool to do a network security scan of z/OS

Does your SMTP server not do authentication? That would certain get the auditors' attention.

Do your users respond to phish attempts? Another security problem, and one that has nothing to do with the mainframe.

I suppose it's to much to expect for users to look at the trace fields to determine the provenances of messages.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-***@listserv.ua.edu> on behalf of ITschak Mugzach <***@GMAIL.COM>
Sent: Wednesday, July 11, 2018 4:35 PM
To: IBM-***@listserv.ua.edu
Subject: Re: Seeking a tool to do a network security scan of z/OS

Do you mean outside of the mainframe? Not as a single package, but NMAP
will show you which ports are opened on the mainframe. If your mainframe
answers the scan, you already have a problem... Now assume that port 25 is
open and your mail server is configured an MTA. One can connect to the
server with HELLO call and send emails under fake name and domain as spam
to collect userids, passwords and other secrets.

It's a good idea to have an extra agent to IronSphere to do that -)

ITschak

On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) <
Post by Dyck, Lionel B. , RavenTek
Is there a tool available that can do a network security scan of a z/OS
system to identify network vulnerabilities?
thanks
--------------------------------------------------------------------------
Lionel B. Dyck (Contractor) <sdg><
Mainframe Systems Programmer - RavenTek Solution Partners
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
ITschak Mugzach
2018-07-12 17:08:53 UTC
Permalink
Shmuel,

I refill the refrigerator doing pentests. I done this and many other
attacks on clients mainframes and in 90% of the cases, I am able to send
emails using the mainframe smtp configured as an MTA. if you look at you
smtp server log you might see some TCP connections (bingo!) or just users
who write a different domain name in the from clause.

Trust me, it work.

ITschak
Post by Seymour J Metz
Does your SMTP server not do authentication? That would certain get the
auditors' attention.
Do your users respond to phish attempts? Another security problem, and one
that has nothing to do with the mainframe.
I suppose it's to much to expect for users to look at the trace fields to
determine the provenances of messages.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
________________________________________
Sent: Wednesday, July 11, 2018 4:35 PM
Subject: Re: Seeking a tool to do a network security scan of z/OS
Do you mean outside of the mainframe? Not as a single package, but NMAP
will show you which ports are opened on the mainframe. If your mainframe
answers the scan, you already have a problem... Now assume that port 25 is
open and your mail server is configured an MTA. One can connect to the
server with HELLO call and send emails under fake name and domain as spam
to collect userids, passwords and other secrets.
It's a good idea to have an extra agent to IronSphere to do that -)
ITschak
On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) <
Post by Dyck, Lionel B. , RavenTek
Is there a tool available that can do a network security scan of a z/OS
system to identify network vulnerabilities?
thanks
--------------------------------------------------------------------------
Post by Dyck, Lionel B. , RavenTek
Lionel B. Dyck (Contractor) <sdg><
Mainframe Systems Programmer - RavenTek Solution Partners
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Seymour J Metz
2018-07-12 18:14:24 UTC
Permalink
If it works it's because they didn't properly configure the server. Just connecting to the server isn't enough to send an e-mail to it. RFC 4954 came out in July 2007 and RFC 2554 came out in March 1999. sendmail has supported it since 8.10.




--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-***@listserv.ua.edu> on behalf of ITschak Mugzach <***@GMAIL.COM>
Sent: Thursday, July 12, 2018 1:08 PM
To: IBM-***@listserv.ua.edu
Subject: Re: Seeking a tool to do a network security scan of z/OS

Shmuel,

I refill the refrigerator doing pentests. I done this and many other
attacks on clients mainframes and in 90% of the cases, I am able to send
emails using the mainframe smtp configured as an MTA. if you look at you
smtp server log you might see some TCP connections (bingo!) or just users
who write a different domain name in the from clause.

Trust me, it work.

ITschak
Post by Seymour J Metz
Does your SMTP server not do authentication? That would certain get the
auditors' attention.
Do your users respond to phish attempts? Another security problem, and one
that has nothing to do with the mainframe.
I suppose it's to much to expect for users to look at the trace fields to
determine the provenances of messages.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
________________________________________
Sent: Wednesday, July 11, 2018 4:35 PM
Subject: Re: Seeking a tool to do a network security scan of z/OS
Do you mean outside of the mainframe? Not as a single package, but NMAP
will show you which ports are opened on the mainframe. If your mainframe
answers the scan, you already have a problem... Now assume that port 25 is
open and your mail server is configured an MTA. One can connect to the
server with HELLO call and send emails under fake name and domain as spam
to collect userids, passwords and other secrets.
It's a good idea to have an extra agent to IronSphere to do that -)
ITschak
On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) <
Post by Dyck, Lionel B. , RavenTek
Is there a tool available that can do a network security scan of a z/OS
system to identify network vulnerabilities?
thanks
--------------------------------------------------------------------------
Post by Dyck, Lionel B. , RavenTek
Lionel B. Dyck (Contractor) <sdg><
Mainframe Systems Programmer - RavenTek Solution Partners
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Rob Schramm
2018-07-12 18:26:39 UTC
Permalink
I thought the Soldier of Fortran guy had been updating and providing uss
specifics for some open source penetration tests.

Rob Schramm
Post by Seymour J Metz
If it works it's because they didn't properly configure the server. Just
connecting to the server isn't enough to send an e-mail to it. RFC 4954
came out in July 2007 and RFC 2554 came out in March 1999. sendmail has
supported it since 8.10.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
________________________________________
Sent: Thursday, July 12, 2018 1:08 PM
Subject: Re: Seeking a tool to do a network security scan of z/OS
Shmuel,
I refill the refrigerator doing pentests. I done this and many other
attacks on clients mainframes and in 90% of the cases, I am able to send
emails using the mainframe smtp configured as an MTA. if you look at you
smtp server log you might see some TCP connections (bingo!) or just users
who write a different domain name in the from clause.
Trust me, it work.
ITschak
Post by Seymour J Metz
Does your SMTP server not do authentication? That would certain get the
auditors' attention.
Do your users respond to phish attempts? Another security problem, and
one
Post by Seymour J Metz
that has nothing to do with the mainframe.
I suppose it's to much to expect for users to look at the trace fields to
determine the provenances of messages.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
________________________________________
Sent: Wednesday, July 11, 2018 4:35 PM
Subject: Re: Seeking a tool to do a network security scan of z/OS
Do you mean outside of the mainframe? Not as a single package, but NMAP
will show you which ports are opened on the mainframe. If your mainframe
answers the scan, you already have a problem... Now assume that port 25
is
Post by Seymour J Metz
open and your mail server is configured an MTA. One can connect to the
server with HELLO call and send emails under fake name and domain as spam
to collect userids, passwords and other secrets.
It's a good idea to have an extra agent to IronSphere to do that -)
ITschak
On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) <
Post by Dyck, Lionel B. , RavenTek
Is there a tool available that can do a network security scan of a z/OS
system to identify network vulnerabilities?
thanks
--------------------------------------------------------------------------
Post by Seymour J Metz
Post by Dyck, Lionel B. , RavenTek
Lionel B. Dyck (Contractor) <sdg><
Mainframe Systems Programmer - RavenTek Solution Partners
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
Rob Schramm

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
ITschak Mugzach
2018-07-12 19:07:19 UTC
Permalink
Shmuel,

the SMTP server is mainly spool based. So you can create a text file
(Defined in the RFC you mentioned), write it to the spool in the write and
class used by the server and it will be sent. You can use fake name and
fake domain (The server will state "I don't know you", ut will send the
message.

SMTP is so easy to penetrate, if you don't have a security exit developed &
installed. I once unloaded the security database of a client and sent part
of it to his GMAIL account. Guess what: Hist exchange configured as a mail
relay as well! Clients do stupid things. I told you, this is how I refill
my ref, This is what we do most of the time in Israel & Europe.

ITschak
Post by Seymour J Metz
If it works it's because they didn't properly configure the server. Just
connecting to the server isn't enough to send an e-mail to it. RFC 4954
came out in July 2007 and RFC 2554 came out in March 1999. sendmail has
supported it since 8.10.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
________________________________________
Sent: Thursday, July 12, 2018 1:08 PM
Subject: Re: Seeking a tool to do a network security scan of z/OS
Shmuel,
I refill the refrigerator doing pentests. I done this and many other
attacks on clients mainframes and in 90% of the cases, I am able to send
emails using the mainframe smtp configured as an MTA. if you look at you
smtp server log you might see some TCP connections (bingo!) or just users
who write a different domain name in the from clause.
Trust me, it work.
ITschak
Post by Seymour J Metz
Does your SMTP server not do authentication? That would certain get the
auditors' attention.
Do your users respond to phish attempts? Another security problem, and
one
Post by Seymour J Metz
that has nothing to do with the mainframe.
I suppose it's to much to expect for users to look at the trace fields to
determine the provenances of messages.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
________________________________________
Sent: Wednesday, July 11, 2018 4:35 PM
Subject: Re: Seeking a tool to do a network security scan of z/OS
Do you mean outside of the mainframe? Not as a single package, but NMAP
will show you which ports are opened on the mainframe. If your mainframe
answers the scan, you already have a problem... Now assume that port 25
is
Post by Seymour J Metz
open and your mail server is configured an MTA. One can connect to the
server with HELLO call and send emails under fake name and domain as spam
to collect userids, passwords and other secrets.
It's a good idea to have an extra agent to IronSphere to do that -)
ITschak
On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) <
Post by Dyck, Lionel B. , RavenTek
Is there a tool available that can do a network security scan of a z/OS
system to identify network vulnerabilities?
thanks
--------------------------------------------------------------------------
Post by Seymour J Metz
Post by Dyck, Lionel B. , RavenTek
Lionel B. Dyck (Contractor) <sdg><
Mainframe Systems Programmer - RavenTek Solution Partners
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Seymour J Metz
2018-07-12 21:16:59 UTC
Permalink
You're talking about outbound, for which port scanning is not relevant. The text "One can connect to the
server with HELLO call" also refers to a TCP/IP connection, not to sending a SPOOL file.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-***@listserv.ua.edu> on behalf of ITschak Mugzach <***@GMAIL.COM>
Sent: Thursday, July 12, 2018 3:06 PM
To: IBM-***@listserv.ua.edu
Subject: Re: Seeking a tool to do a network security scan of z/OS

Shmuel,

the SMTP server is mainly spool based. So you can create a text file
(Defined in the RFC you mentioned), write it to the spool in the write and
class used by the server and it will be sent. You can use fake name and
fake domain (The server will state "I don't know you", ut will send the
message.

SMTP is so easy to penetrate, if you don't have a security exit developed &
installed. I once unloaded the security database of a client and sent part
of it to his GMAIL account. Guess what: Hist exchange configured as a mail
relay as well! Clients do stupid things. I told you, this is how I refill
my ref, This is what we do most of the time in Israel & Europe.

ITschak
Post by Seymour J Metz
If it works it's because they didn't properly configure the server. Just
connecting to the server isn't enough to send an e-mail to it. RFC 4954
came out in July 2007 and RFC 2554 came out in March 1999. sendmail has
supported it since 8.10.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
________________________________________
Sent: Thursday, July 12, 2018 1:08 PM
Subject: Re: Seeking a tool to do a network security scan of z/OS
Shmuel,
I refill the refrigerator doing pentests. I done this and many other
attacks on clients mainframes and in 90% of the cases, I am able to send
emails using the mainframe smtp configured as an MTA. if you look at you
smtp server log you might see some TCP connections (bingo!) or just users
who write a different domain name in the from clause.
Trust me, it work.
ITschak
Post by Seymour J Metz
Does your SMTP server not do authentication? That would certain get the
auditors' attention.
Do your users respond to phish attempts? Another security problem, and
one
Post by Seymour J Metz
that has nothing to do with the mainframe.
I suppose it's to much to expect for users to look at the trace fields to
determine the provenances of messages.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
________________________________________
Sent: Wednesday, July 11, 2018 4:35 PM
Subject: Re: Seeking a tool to do a network security scan of z/OS
Do you mean outside of the mainframe? Not as a single package, but NMAP
will show you which ports are opened on the mainframe. If your mainframe
answers the scan, you already have a problem... Now assume that port 25
is
Post by Seymour J Metz
open and your mail server is configured an MTA. One can connect to the
server with HELLO call and send emails under fake name and domain as spam
to collect userids, passwords and other secrets.
It's a good idea to have an extra agent to IronSphere to do that -)
ITschak
On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) <
Post by Dyck, Lionel B. , RavenTek
Is there a tool available that can do a network security scan of a z/OS
system to identify network vulnerabilities?
thanks
--------------------------------------------------------------------------
Post by Seymour J Metz
Post by Dyck, Lionel B. , RavenTek
Lionel B. Dyck (Contractor) <sdg><
Mainframe Systems Programmer - RavenTek Solution Partners
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Charles Mills
2018-07-12 17:50:41 UTC
Permalink
Post by Seymour J Metz
I suppose it's to much to expect for users to look at the trace fields to
determine the provenances of messages.

Nine out of ten recipients have no idea how to do so, and would not know
what they were looking at if they did. And given spoofing, look-alikes and
punycode, I'm not sure it's a great approach for anyone.

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Thursday, July 12, 2018 9:35 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: Seeking a tool to do a network security scan of z/OS

Does your SMTP server not do authentication? That would certain get the
auditors' attention.

Do your users respond to phish attempts? Another security problem, and one
that has nothing to do with the mainframe.

I suppose it's to much to expect for users to look at the trace fields to
determine the provenances of messages.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Seymour J Metz
2018-07-12 17:57:33 UTC
Permalink
Spoofing? You can't spoof the chain of Received header fields.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-***@listserv.ua.edu> on behalf of Charles Mills <***@MCN.ORG>
Sent: Thursday, July 12, 2018 1:50 PM
To: IBM-***@listserv.ua.edu
Subject: Re: Seeking a tool to do a network security scan of z/OS
Post by Seymour J Metz
I suppose it's to much to expect for users to look at the trace fields to
determine the provenances of messages.

Nine out of ten recipients have no idea how to do so, and would not know
what they were looking at if they did. And given spoofing, look-alikes and
punycode, I'm not sure it's a great approach for anyone.

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Thursday, July 12, 2018 9:35 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: Seeking a tool to do a network security scan of z/OS

Does your SMTP server not do authentication? That would certain get the
auditors' attention.

Do your users respond to phish attempts? Another security problem, and one
that has nothing to do with the mainframe.

I suppose it's to much to expect for users to look at the trace fields to
determine the provenances of messages.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Mark Regan
2018-07-12 19:12:07 UTC
Permalink
If your site already uses Qualys, then it can be used to scan z/OS too.

On Wed, Jul 11, 2018 at 3:53 PM Dyck, Lionel B. (RavenTek) <
Post by Dyck, Lionel B. , RavenTek
Is there a tool available that can do a network security scan of a z/OS
system to identify network vulnerabilities?
thanks
--------------------------------------------------------------------------
Lionel B. Dyck (Contractor) <sdg><
Mainframe Systems Programmer - RavenTek Solution Partners
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
Regards,

Mark T. Regan

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Itschak Mugzach
2018-07-12 20:23:59 UTC
Permalink
I don’t think Qualys will identify configuration issue (which we do inside the mainframe with IronSphere). It will do port scan, try to ping it, but if your mainframe is well configured, it will block port scan as well.

ITschak

נשלח מה-iPad שלי
Post by Mark Regan
If your site already uses Qualys, then it can be used to scan z/OS too.
On Wed, Jul 11, 2018 at 3:53 PM Dyck, Lionel B. (RavenTek) <
Post by Dyck, Lionel B. , RavenTek
Is there a tool available that can do a network security scan of a z/OS
system to identify network vulnerabilities?
thanks
--------------------------------------------------------------------------
Lionel B. Dyck (Contractor) <sdg><
Mainframe Systems Programmer - RavenTek Solution Partners
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
Regards,
Mark T. Regan
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Robyn Gilchrist
2018-07-13 15:42:37 UTC
Permalink
This is an area I have been investigating for the past few months. I think a network scanner is a good place to start and Nmap is a very strong network scanner. An open port isn't a problem per se (SMTP port 25 or HTTP on port 80) since open ports are required for communication. Nmap network scanner will indicate ports of interest and can do things like OS version discovery and use crafted scripts (written in LUA) to perform more sophisticated tests.

As far as whether the network is vulnerable, I'll give the tried and true "it depends". As an example, I have crafted Nmap commands that will display status of z/OS ftp on port 21 with no z/OS userid required. Is the machine vulnerable because anyone can know that JESINTERFACELEVEL=1? Probably not, but if it is =2 that may raise my concern. Vulnerability depends on security practices, system and app bugs, config settings, design, etc. If ftp is tightly controlled with a strong configuration, good RACF rules and uses encryption (FTPS), then JESINTERFACELEVEL=2 may not concern you, but it probably would make me nervous.

Nessus, a popular vulnerability scanner, banner scrapes IBM HTTP Server V5.3 and reports that the machine is "vulnerable" regardless of whether UK90649 has been APPLYed (Nessus plugin id 66760). At least they tell you that in the description - Emily Litella practice. There is an "exploit" written by Solider of Fortran in Metasploit that indicates issuing FILETYPE=JES and getting response=200 is a vulnerability. Is it? I don't think that is any more "vulnerable" than TSO SUBMIT. I'm still bound to the userid I logged on with and if I can spawn a high authority shell (or TMP) or change my RACF attributes, that's the vulnerability to address.

I'm studying the Logica attack and it is hardcore. The attackers got UID(0) on z/OS. Machine "pwned", as the kids would say. Traffic blended in with all other traffic and the attack was designed to be difficult to trace back to origin and to fly under the radar. The attack was initially spotted on z/OS as an anomalous load, not on the network. The vulnerabilities included lax firewall rules, bad RACF dataset and resource protection, loose policy on password strength, just to name a few factors. It was a perfect target and the attackers were very talented and very sophisticated.

I like the SMTP vector mentioned here and will be incorporating that into my investigations. Thanks ITschak! :-)

As a total aside, I just got back on IBM-MAIN today for the first time since ... er ... a long time. I was a heavy user of IBM-MAIN back in the early '90s before all of the swanky new interwebs. I used to read Lionel in NaSPA's magazine back when that was still a thing. I recognize a bunch of names and it's good to see they're still here. :-)

Robyn

----

Robyn Gilchrist
RSH Consulting
r.gilchrist"at"rshconsulting.com <- replace "at" with @ to email me
www.linkedin.com/in/robyn-e-gilchrist

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
ITschak Mugzach
2018-07-13 18:13:33 UTC
Permalink
Just to clarify something that I wri=ote and maybe missed somehow about
NAMP: Z/OS can be configured to block slow or fast scans using the IDS
feature. So, yes, NMAP can try scan the mainframe, but if the IP STAK is
well configured, it will be hard to get the open ports. This is not to say
that you can't telnet CSSMTP...

ITschak

On Fri, Jul 13, 2018 at 5:42 PM Robyn Gilchrist <
Post by Robyn Gilchrist
This is an area I have been investigating for the past few months. I
think a network scanner is a good place to start and Nmap is a very strong
network scanner. An open port isn't a problem per se (SMTP port 25 or HTTP
on port 80) since open ports are required for communication. Nmap network
scanner will indicate ports of interest and can do things like OS version
discovery and use crafted scripts (written in LUA) to perform more
sophisticated tests.
As far as whether the network is vulnerable, I'll give the tried and true
"it depends". As an example, I have crafted Nmap commands that will
display status of z/OS ftp on port 21 with no z/OS userid required. Is the
machine vulnerable because anyone can know that JESINTERFACELEVEL=1?
Probably not, but if it is =2 that may raise my concern. Vulnerability
depends on security practices, system and app bugs, config settings,
design, etc. If ftp is tightly controlled with a strong configuration,
good RACF rules and uses encryption (FTPS), then JESINTERFACELEVEL=2 may
not concern you, but it probably would make me nervous.
Nessus, a popular vulnerability scanner, banner scrapes IBM HTTP Server
V5.3 and reports that the machine is "vulnerable" regardless of whether
UK90649 has been APPLYed (Nessus plugin id 66760). At least they tell you
that in the description - Emily Litella practice. There is an "exploit"
written by Solider of Fortran in Metasploit that indicates issuing
FILETYPE=JES and getting response=200 is a vulnerability. Is it? I don't
think that is any more "vulnerable" than TSO SUBMIT. I'm still bound to
the userid I logged on with and if I can spawn a high authority shell (or
TMP) or change my RACF attributes, that's the vulnerability to address.
I'm studying the Logica attack and it is hardcore. The attackers got
UID(0) on z/OS. Machine "pwned", as the kids would say. Traffic blended
in with all other traffic and the attack was designed to be difficult to
trace back to origin and to fly under the radar. The attack was initially
spotted on z/OS as an anomalous load, not on the network. The
vulnerabilities included lax firewall rules, bad RACF dataset and resource
protection, loose policy on password strength, just to name a few factors.
It was a perfect target and the attackers were very talented and very
sophisticated.
I like the SMTP vector mentioned here and will be incorporating that into
my investigations. Thanks ITschak! :-)
As a total aside, I just got back on IBM-MAIN today for the first time
since ... er ... a long time. I was a heavy user of IBM-MAIN back in the
early '90s before all of the swanky new interwebs. I used to read Lionel
in NaSPA's magazine back when that was still a thing. I recognize a bunch
of names and it's good to see they're still here. :-)
Robyn
----
Robyn Gilchrist
RSH Consulting
www.linkedin.com/in/robyn-e-gilchrist
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **| *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
p***@gmail.com
2018-09-09 16:30:15 UTC
Permalink
Post by Robyn Gilchrist
This is an area I have been investigating for the past few months. I think a network scanner is a good place to start and Nmap is a very strong network scanner. An open port isn't a problem per se (SMTP port 25 or HTTP on port 80) since open ports are required for communication. Nmap network scanner will indicate ports of interest and can do things like OS version discovery and use crafted scripts (written in LUA) to perform more sophisticated tests.
As far as whether the network is vulnerable, I'll give the tried and true "it depends". As an example, I have crafted Nmap commands that will display status of z/OS ftp on port 21 with no z/OS userid required. Is the machine vulnerable because anyone can know that JESINTERFACELEVEL=1? Probably not, but if it is =2 that may raise my concern. Vulnerability depends on security practices, system and app bugs, config settings, design, etc. If ftp is tightly controlled with a strong configuration, good RACF rules and uses encryption (FTPS), then JESINTERFACELEVEL=2 may not concern you, but it probably would make me nervous.
Nessus, a popular vulnerability scanner, banner scrapes IBM HTTP Server V5.3 and reports that the machine is "vulnerable" regardless of whether UK90649 has been APPLYed (Nessus plugin id 66760). At least they tell you that in the description - Emily Litella practice. There is an "exploit" written by Solider of Fortran in Metasploit that indicates issuing FILETYPE=JES and getting response=200 is a vulnerability. Is it? I don't think that is any more "vulnerable" than TSO SUBMIT. I'm still bound to the userid I logged on with and if I can spawn a high authority shell (or TMP) or change my RACF attributes, that's the vulnerability to address.
I'm studying the Logica attack and it is hardcore. The attackers got UID(0) on z/OS. Machine "pwned", as the kids would say. Traffic blended in with all other traffic and the attack was designed to be difficult to trace back to origin and to fly under the radar. The attack was initially spotted on z/OS as an anomalous load, not on the network. The vulnerabilities included lax firewall rules, bad RACF dataset and resource protection, loose policy on password strength, just to name a few factors. It was a perfect target and the attackers were very talented and very sophisticated.
I like the SMTP vector mentioned here and will be incorporating that into my investigations. Thanks ITschak! :-)
As a total aside, I just got back on IBM-MAIN today for the first time since ... er ... a long time. I was a heavy user of IBM-MAIN back in the early '90s before all of the swanky new interwebs. I used to read Lionel in NaSPA's magazine back when that was still a thing. I recognize a bunch of names and it's good to see they're still here. :-)
Robyn
----
Robyn Gilchrist
RSH Consulting
www.linkedin.com/in/robyn-e-gilchrist
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
You can use Nessus scanner to scan the network and then feed the results in Network Vulnerability Analyzer for analyzis and scan comparison.
You can find it here https://nvanalyzer.com

Jesse 1 Robinson
2018-07-13 17:45:58 UTC
Permalink
Trying to tread lightly here. Be careful what you wish for. Our network folks have been doing 'intrusion testing' for years. They have caused all kinds of problems on mainframe, not because intrusion was successful but because response to the attempts wreaked havoc. Some examples.

-- We would get calls from IBM Support Center for HMC/SE alerts. Turns out that these devices were reporting attempted intrusion. This led to confusion and consternation on the part of Operations, who had no idea what was going on. When we complained to our network folks, they brushed us off saying that this was to be expected, that we should tell IBM Support Center to ignore these alerts (!)

-- An older version of Connect:Direct would hang mysteriously at random times. Turns out that network probes caused an IP disruption that the product at that level could not recover from. We had to recycle C:D to get production transfers working again. We eventually upgraded C:D to a release that would recover, but there was lot of churn and angst before we got to that point.

-- We still have problems with CICS regions that do not take kindly to intrusion. The regions don't fail, but they take multiple transaction dumps that themselves impact production. Which of course we have to ignore.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
***@sce.com


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Robyn Gilchrist
Sent: Friday, July 13, 2018 8:33 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: (External):Re: Seeking a tool to do a network security scan of z/OS

This is an area I have been investigating for the past few months. I think a network scanner is a good place to start and Nmap is a very strong network scanner. An open port isn't a problem per se (SMTP port 25 or HTTP on port 80) since open ports are required for communication. Nmap network scanner will indicate ports of interest and can do things like OS version discovery and use crafted scripts (written in LUA) to perform more sophisticated tests.

As far as whether the network is vulnerable, I'll give the tried and true "it depends". As an example, I have crafted Nmap commands that will display status of z/OS ftp on port 21 with no z/OS userid required. Is the machine vulnerable because anyone can know that JESINTERFACELEVEL=1? Probably not, but if it is =2 that may raise my concern. Vulnerability depends on security practices, system and app bugs, config settings, design, etc. If ftp is tightly controlled with a strong configuration, good RACF rules and uses encryption (FTPS), then JESINTERFACELEVEL=2 may not concern you, but it probably would make me nervous.

Nessus, a popular vulnerability scanner, banner scrapes IBM HTTP Server V5.3 and reports that the machine is "vulnerable" regardless of whether UK90649 has been APPLYed (Nessus plugin id 66760). At least they tell you that in the description - Emily Litella practice. There is an "exploit" written by Solider of Fortran in Metasploit that indicates issuing FILETYPE=JES and getting response=200 is a vulnerability. Is it? I don't think that is any more "vulnerable" than TSO SUBMIT. I'm still bound to the userid I logged on with and if I can spawn a high authority shell (or TMP) or change my RACF attributes, that's the vulnerability to address.

I'm studying the Logica attack and it is hardcore. The attackers got UID(0) on z/OS. Machine "pwned", as the kids would say. Traffic blended in with all other traffic and the attack was designed to be difficult to trace back to origin and to fly under the radar. The attack was initially spotted on z/OS as an anomalous load, not on the network. The vulnerabilities included lax firewall rules, bad RACF dataset and resource protection, loose policy on password strength, just to name a few factors. It was a perfect target and the attackers were very talented and very sophisticated.

I like the SMTP vector mentioned here and will be incorporating that into my investigations. Thanks ITschak! :-)

As a total aside, I just got back on IBM-MAIN today for the first time since ... er ... a long time. I was a heavy user of IBM-MAIN back in the early '90s before all of the swanky new interwebs. I used to read Lionel in NaSPA's magazine back when that was still a thing. I recognize a bunch of names and it's good to see they're still here. :-)

Robyn

----

Robyn Gilchrist
RSH Consulting
r.gilchrist"at"rshconsulting.com <- replace "at" with @ to email me www.linkedin.com/in/robyn-e-gilchrist

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Loading...