Hi Lionel, There are free/libre/open-source tools such as Nmap, OpenVAS, Metasploit that you could use for what you intend to do.
The interweb is full of documentation, videos and other materials on how to use these tools (also in the context of testing Mainframes). Alternatively, commercial off-the-shelf solutions such as Nessus, Qualys, Nexpose could be used for the same task. As far as I can tell, there are tools developed by IBM, Vanguard, KRI Security and some other vendors but I didn't use them and cannot advise on their effectiveness. Suffice to say, all the tools have their strengths and weaknesses and they will perform only as good as their configuration allows. That's why having a competent operator / tester is crucial. Depending on your requirements and available resources, I would also recommend to complement automatic scans with manual testing. This will allow you to identify security related issues which cannot be find in automated fashion and verify any potential findings / false-positive / false-negatives. The subject of filtering the output, interpreting the results and triaging the findings deserves a thread on its own. I'll be happy to provide more insights in case you have more questions. Kind regards, Filip Palian 2018-07-13 7:16 GMT+10:00 Seymour J Metz <sme...@gmu.edu>: > You're talking about outbound, for which port scanning is not relevant. The > text "One can connect to the > server with HELLO call" also refers to a TCP/IP connection, not to sending a > SPOOL file. > > > -- > Shmuel (Seymour J.) Metz > http://mason.gmu.edu/~smetz3 > > ________________________________________ > From: IBM Mainframe Discussion List <IBM-MAIN@listserv.ua.edu> on behalf of > ITschak Mugzach <imugz...@gmail.com> > Sent: Thursday, July 12, 2018 3:06 PM > To: IBM-MAIN@listserv.ua.edu > Subject: Re: Seeking a tool to do a network security scan of z/OS > > Shmuel, > > the SMTP server is mainly spool based. So you can create a text file > (Defined in the RFC you mentioned), write it to the spool in the write and > class used by the server and it will be sent. You can use fake name and > fake domain (The server will state "I don't know you", ut will send the > message. > > SMTP is so easy to penetrate, if you don't have a security exit developed & > installed. I once unloaded the security database of a client and sent part > of it to his GMAIL account. Guess what: Hist exchange configured as a mail > relay as well! Clients do stupid things. I told you, this is how I refill > my ref, This is what we do most of the time in Israel & Europe. > > ITschak > > On Thu, Jul 12, 2018 at 8:14 PM Seymour J Metz <sme...@gmu.edu> wrote: > >> If it works it's because they didn't properly configure the server. Just >> connecting to the server isn't enough to send an e-mail to it. RFC 4954 >> came out in July 2007 and RFC 2554 came out in March 1999. sendmail has >> supported it since 8.10. >> >> >> >> >> -- >> Shmuel (Seymour J.) Metz >> http://mason.gmu.edu/~smetz3 >> >> ________________________________________ >> From: IBM Mainframe Discussion List <IBM-MAIN@listserv.ua.edu> on behalf >> of ITschak Mugzach <imugz...@gmail.com> >> Sent: Thursday, July 12, 2018 1:08 PM >> To: IBM-MAIN@listserv.ua.edu >> Subject: Re: Seeking a tool to do a network security scan of z/OS >> >> Shmuel, >> >> I refill the refrigerator doing pentests. I done this and many other >> attacks on clients mainframes and in 90% of the cases, I am able to send >> emails using the mainframe smtp configured as an MTA. if you look at you >> smtp server log you might see some TCP connections (bingo!) or just users >> who write a different domain name in the from clause. >> >> Trust me, it work. >> >> ITschak >> >> On Thu, Jul 12, 2018 at 6:36 PM Seymour J Metz <sme...@gmu.edu> wrote: >> >> > Does your SMTP server not do authentication? That would certain get the >> > auditors' attention. >> > >> > Do your users respond to phish attempts? Another security problem, and >> one >> > that has nothing to do with the mainframe. >> > >> > I suppose it's to much to expect for users to look at the trace fields to >> > determine the provenances of messages. >> > >> > >> > -- >> > Shmuel (Seymour J.) Metz >> > http://mason.gmu.edu/~smetz3 >> > >> > ________________________________________ >> > From: IBM Mainframe Discussion List <IBM-MAIN@listserv.ua.edu> on behalf >> > of ITschak Mugzach <imugz...@gmail.com> >> > Sent: Wednesday, July 11, 2018 4:35 PM >> > To: IBM-MAIN@listserv.ua.edu >> > Subject: Re: Seeking a tool to do a network security scan of z/OS >> > >> > Do you mean outside of the mainframe? Not as a single package, but NMAP >> > will show you which ports are opened on the mainframe. If your mainframe >> > answers the scan, you already have a problem... Now assume that port 25 >> is >> > open and your mail server is configured an MTA. One can connect to the >> > server with HELLO call and send emails under fake name and domain as spam >> > to collect userids, passwords and other secrets. >> > >> > It's a good idea to have an extra agent to IronSphere to do that -) >> > >> > ITschak >> > >> > On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) < >> > lionel.d...@va.gov> wrote: >> > >> > > Is there a tool available that can do a network security scan of a z/OS >> > > system to identify network vulnerabilities? >> > > >> > > thanks >> > > >> > > >> > >> -------------------------------------------------------------------------- >> > > Lionel B. Dyck (Contractor) <sdg>< >> > > Mainframe Systems Programmer - RavenTek Solution Partners >> > > >> > > >> > > >> > > ---------------------------------------------------------------------- >> > > For IBM-MAIN subscribe / signoff / archive access instructions, >> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN >> > > >> > >> > >> > -- >> > ITschak Mugzach >> > *|** IronSphere Platform* *|* *Information Security Contiguous Monitoring >> > for Legacy **| * >> > >> > ---------------------------------------------------------------------- >> > For IBM-MAIN subscribe / signoff / archive access instructions, >> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN >> > >> > ---------------------------------------------------------------------- >> > For IBM-MAIN subscribe / signoff / archive access instructions, >> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN >> > >> >> >> -- >> ITschak Mugzach >> *|** IronSphere Platform* *|* *Information Security Contiguous Monitoring >> for Legacy **| * >> >> ---------------------------------------------------------------------- >> For IBM-MAIN subscribe / signoff / archive access instructions, >> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN >> >> ---------------------------------------------------------------------- >> For IBM-MAIN subscribe / signoff / archive access instructions, >> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN >> > > > -- > ITschak Mugzach > *|** IronSphere Platform* *|* *Information Security Contiguous Monitoring > for Legacy **| * > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
