Re: Seeking a tool to do a network security scan of z/OS

2018-07-13 Thread ITschak Mugzach
Just to clarify something that I wrote and maybe missed somehow about
NMAP: z/OS can be configured to block slow or fast scans using the IDS
feature. So, yes, NMAP can try to scan the mainframe, but if the IP stack is
well configured, it will be hard to get the open ports. This is not to say
that you can't telnet to CSSMTP...

ITschak

On Fri, Jul 13, 2018 at 5:42 PM Robyn Gilchrist <
r.gilchr...@rshconsulting.com> wrote:

> This is an area I have been investigating for the past few months.  I
> think a network scanner is a good place to start and Nmap is a very strong
> network scanner.  An open port isn't a problem per se (SMTP port 25 or HTTP
> on port 80) since open ports are required for communication.  Nmap network
> scanner will indicate ports of interest and can do things like OS version
> discovery and use crafted scripts (written in LUA) to perform more
> sophisticated tests.
>
> As far as whether the network is vulnerable, I'll give the tried and true
> "it depends".  As an example, I have crafted Nmap commands that will
> display status of z/OS ftp on port 21 with no z/OS userid required.  Is the
> machine vulnerable because anyone can know that JESINTERFACELEVEL=1?
> Probably not, but if it is =2 that may raise my concern.  Vulnerability
> depends on security practices, system and app bugs, config settings,
> design, etc.  If ftp is tightly controlled with a strong configuration,
> good RACF rules and uses encryption (FTPS), then JESINTERFACELEVEL=2 may
> not concern you, but it probably would make me nervous.
>
> Nessus, a popular vulnerability scanner, banner scrapes IBM HTTP Server
> V5.3 and reports that the machine is "vulnerable" regardless of whether
> UK90649 has been APPLYed (Nessus plugin id 66760).  At least they tell you
> that in the description - Emily Litella practice.  There is an "exploit"
> written by Soldier of Fortran in Metasploit that indicates issuing
> FILETYPE=JES and getting response=200 is a vulnerability.  Is it?  I don't
> think that is any more "vulnerable" than TSO SUBMIT.  I'm still bound to
> the userid I logged on with and if I can spawn a high authority shell (or
> TMP) or change my RACF attributes, that's the vulnerability to address.
>
> I'm studying the Logica attack and it is hardcore.  The attackers got
> UID(0) on z/OS.  Machine "pwned", as the kids would say.  Traffic blended
> in with all other traffic and the attack was designed to be difficult to
> trace back to origin and to fly under the radar.  The attack was initially
> spotted on z/OS as an anomalous load, not on the network.  The
> vulnerabilities included lax firewall rules, bad RACF dataset and resource
> protection, loose policy on password strength, just to name a few factors.
> It was a perfect target and the attackers were very talented and very
> sophisticated.
>
> I like the SMTP vector mentioned here and will be incorporating that into
> my investigations.  Thanks ITschak! :-)
>
> As a total aside, I just got back on IBM-MAIN today for the first time
> since ... er ... a long time.  I was a heavy user of IBM-MAIN back in the
> early '90s before all of the swanky new interwebs.  I used to read Lionel
> in NaSPA's magazine back when that was still a thing.  I recognize a bunch
> of names and it's good to see they're still here.  :-)
>
> Robyn
>
> 
>
> Robyn Gilchrist
> RSH Consulting
> r.gilchrist"at"rshconsulting.com <- replace "at" with @ to email me
> www.linkedin.com/in/robyn-e-gilchrist
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>


-- 
ITschak Mugzach
| IronSphere Platform | Information Security Contiguous Monitoring for Legacy |

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Seeking a tool to do a network security scan of z/OS

2018-07-13 Thread Jesse 1 Robinson
Trying to tread lightly here. Be careful what you wish for. Our network folks 
have been doing 'intrusion testing' for years. They have caused all kinds of 
problems on mainframe, not because intrusion was successful but because 
response to the attempts wreaked havoc. Some examples.

-- We would get calls from IBM Support Center for HMC/SE alerts. Turns out that 
these devices were reporting attempted intrusion. This led to confusion and 
consternation on the part of Operations, who had no idea what was going on. 
When we complained to our network folks, they brushed us off saying that this 
was to be expected, that we should tell IBM Support Center to ignore these 
alerts (!) 

-- An older version of Connect:Direct would hang mysteriously at random times. 
Turns out that network probes caused an IP disruption that the product at that 
level could not recover from. We had to recycle C:D to get production transfers 
working again. We eventually upgraded C:D to a release that would recover, but 
there was a lot of churn and angst before we got to that point. 

-- We still have problems with CICS regions that do not take kindly to 
intrusion. The regions don't fail, but they take multiple transaction dumps 
that themselves impact production. Which of course we have to ignore.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Robyn Gilchrist
Sent: Friday, July 13, 2018 8:33 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Seeking a tool to do a network security scan of z/OS

This is an area I have been investigating for the past few months.  I think a 
network scanner is a good place to start and Nmap is a very strong network 
scanner.  An open port isn't a problem per se (SMTP port 25 or HTTP on port 80) 
since open ports are required for communication.  Nmap network scanner will 
indicate ports of interest and can do things like OS version discovery and use 
crafted scripts (written in LUA) to perform more sophisticated tests.

As far as whether the network is vulnerable, I'll give the tried and true "it 
depends".  As an example, I have crafted Nmap commands that will display status 
of z/OS ftp on port 21 with no z/OS userid required.  Is the machine vulnerable 
because anyone can know that JESINTERFACELEVEL=1?  Probably not, but if it is 
=2 that may raise my concern.  Vulnerability depends on security practices, 
system and app bugs, config settings, design, etc.  If ftp is tightly 
controlled with a strong configuration, good RACF rules and uses encryption 
(FTPS), then JESINTERFACELEVEL=2 may not concern you, but it probably would 
make me nervous.

Nessus, a popular vulnerability scanner, banner scrapes IBM HTTP Server V5.3 
and reports that the machine is "vulnerable" regardless of whether UK90649 has 
been APPLYed (Nessus plugin id 66760).  At least they tell you that in the 
description - Emily Litella practice.  There is an "exploit" written by Soldier 
of Fortran in Metasploit that indicates issuing FILETYPE=JES and getting 
response=200 is a vulnerability.  Is it?  I don't think that is any more 
"vulnerable" than TSO SUBMIT.  I'm still bound to the userid I logged on with 
and if I can spawn a high authority shell (or TMP) or change my RACF 
attributes, that's the vulnerability to address.

I'm studying the Logica attack and it is hardcore.  The attackers got UID(0) on 
z/OS.  Machine "pwned", as the kids would say.  Traffic blended in with all 
other traffic and the attack was designed to be difficult to trace back to 
origin and to fly under the radar.  The attack was initially spotted on z/OS as 
an anomalous load, not on the network.  The vulnerabilities included lax 
firewall rules, bad RACF dataset and resource protection, loose policy on 
password strength, just to name a few factors.  It was a perfect target and the 
attackers were very talented and very sophisticated.

I like the SMTP vector mentioned here and will be incorporating that into my 
investigations.  Thanks ITschak! :-)

As a total aside, I just got back on IBM-MAIN today for the first time since 
... er ... a long time.  I was a heavy user of IBM-MAIN back in the early '90s 
before all of the swanky new interwebs.  I used to read Lionel in NaSPA's 
magazine back when that was still a thing.  I recognize a bunch of names and 
it's good to see they're still here.  :-)

Robyn



Robyn Gilchrist
RSH Consulting
r.gilchrist"at"rshconsulting.com <- replace "at" with @ to email me 
www.linkedin.com/in/robyn-e-gilchrist

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Seeking a tool to do a network security scan of z/OS

2018-07-13 Thread Robyn Gilchrist
This is an area I have been investigating for the past few months.  I think a 
network scanner is a good place to start and Nmap is a very strong network 
scanner.  An open port isn't a problem per se (SMTP port 25 or HTTP on port 80) 
since open ports are required for communication.  Nmap network scanner will 
indicate ports of interest and can do things like OS version discovery and use 
crafted scripts (written in LUA) to perform more sophisticated tests.

As far as whether the network is vulnerable, I'll give the tried and true "it 
depends".  As an example, I have crafted Nmap commands that will display status 
of z/OS ftp on port 21 with no z/OS userid required.  Is the machine vulnerable 
because anyone can know that JESINTERFACELEVEL=1?  Probably not, but if it is 
=2 that may raise my concern.  Vulnerability depends on security practices, 
system and app bugs, config settings, design, etc.  If ftp is tightly 
controlled with a strong configuration, good RACF rules and uses encryption 
(FTPS), then JESINTERFACELEVEL=2 may not concern you, but it probably would 
make me nervous.

Nessus, a popular vulnerability scanner, banner scrapes IBM HTTP Server V5.3 
and reports that the machine is "vulnerable" regardless of whether UK90649 has 
been APPLYed (Nessus plugin id 66760).  At least they tell you that in the 
description - Emily Litella practice.  There is an "exploit" written by Soldier 
of Fortran in Metasploit that indicates issuing FILETYPE=JES and getting 
response=200 is a vulnerability.  Is it?  I don't think that is any more 
"vulnerable" than TSO SUBMIT.  I'm still bound to the userid I logged on with 
and if I can spawn a high authority shell (or TMP) or change my RACF 
attributes, that's the vulnerability to address.

I'm studying the Logica attack and it is hardcore.  The attackers got UID(0) on 
z/OS.  Machine "pwned", as the kids would say.  Traffic blended in with all 
other traffic and the attack was designed to be difficult to trace back to 
origin and to fly under the radar.  The attack was initially spotted on z/OS as 
an anomalous load, not on the network.  The vulnerabilities included lax 
firewall rules, bad RACF dataset and resource protection, loose policy on 
password strength, just to name a few factors.  It was a perfect target and the 
attackers were very talented and very sophisticated.

I like the SMTP vector mentioned here and will be incorporating that into my 
investigations.  Thanks ITschak! :-)

As a total aside, I just got back on IBM-MAIN today for the first time since 
... er ... a long time.  I was a heavy user of IBM-MAIN back in the early '90s 
before all of the swanky new interwebs.  I used to read Lionel in NaSPA's 
magazine back when that was still a thing.  I recognize a bunch of names and 
it's good to see they're still here.  :-)

Robyn



Robyn Gilchrist
RSH Consulting
r.gilchrist"at"rshconsulting.com <- replace "at" with @ to email me
www.linkedin.com/in/robyn-e-gilchrist

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Seeking a tool to do a network security scan of z/OS

2018-07-12 Thread x ksi
Hi Lionel,

There are free/libre/open-source tools such as Nmap, OpenVAS,
Metasploit that you could use for what you intend to do.

The interweb is full of documentation, videos and other materials on
how to use these tools (also in the context of testing Mainframes).

Alternatively, commercial off-the-shelf solutions such as Nessus,
Qualys, Nexpose could be used for the same task.

As far as I can tell, there are tools developed by IBM, Vanguard, KRI
Security and some other vendors but I didn't use them and cannot
advise on their effectiveness.

Suffice to say, all the tools have their strengths and weaknesses and
they will perform only as well as their configuration allows. That's
why having a competent operator / tester is crucial.

Depending on your requirements and available resources, I would also
recommend complementing automatic scans with manual testing. This will
allow you to identify security-related issues which cannot be found in
an automated fashion and verify any potential findings / false positives /
false negatives.

The subject of filtering the output, interpreting the results and
triaging the findings deserves a thread on its own.

I'll be happy to provide more insights in case you have more questions.


Kind regards,
Filip Palian

2018-07-13 7:16 GMT+10:00 Seymour J Metz :
> You're talking about outbound, for which port scanning is not relevant. The
> text "One can connect to the server with HELLO call" also refers to a TCP/IP
> connection, not to sending a SPOOL file.
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> 
> From: IBM Mainframe Discussion List  on behalf of 
> ITschak Mugzach 
> Sent: Thursday, July 12, 2018 3:06 PM
> To: IBM-MAIN@listserv.ua.edu
> Subject: Re: Seeking a tool to do a network security scan of z/OS
>
> Shmuel,
>
> the SMTP server is mainly spool based. So you can create a text file
> (defined in the RFC you mentioned), write it to the spool in the writer and
> class used by the server and it will be sent. You can use a fake name and
> fake domain (the server will state "I don't know you", but will send the
> message).
>
> SMTP is so easy to penetrate if you don't have a security exit developed &
> installed. I once unloaded the security database of a client and sent part
> of it to his GMAIL account. Guess what: his Exchange was configured as a mail
> relay as well! Clients do stupid things. I told you, this is how I refill
> my refrigerator. This is what we do most of the time in Israel & Europe.
>
> ITschak
>
> On Thu, Jul 12, 2018 at 8:14 PM Seymour J Metz  wrote:
>
>> If it works it's because they didn't properly configure the server. Just
>> connecting to the server isn't enough to send an e-mail to it. RFC 4954
>> came out in July 2007 and RFC 2554 came out in  March 1999. sendmail has
>> supported it since 8.10.
>>
>>
>>
>>
>> --
>> Shmuel (Seymour J.) Metz
>> http://mason.gmu.edu/~smetz3
>>
>> 
>> From: IBM Mainframe Discussion List  on behalf
>> of ITschak Mugzach 
>> Sent: Thursday, July 12, 2018 1:08 PM
>> To: IBM-MAIN@listserv.ua.edu
>> Subject: Re: Seeking a tool to do a network security scan of z/OS
>>
>> Shmuel,
>>
>> I refill the refrigerator doing pentests. I have done this and many other
>> attacks on clients' mainframes and in 90% of the cases, I am able to send
>> emails using the mainframe SMTP configured as an MTA. If you look at your
>> SMTP server log you might see some TCP connections (bingo!) or just users
>> who write a different domain name in the From clause.
>>
>> Trust me, it works.
>>
>> ITschak
>>
>> On Thu, Jul 12, 2018 at 6:36 PM Seymour J Metz  wrote:
>>
>> > Does your SMTP server not do authentication? That would certainly get the
>> > auditors' attention.
>> >
>> > Do your users respond to phish attempts? Another security problem, and one
>> > that has nothing to do with the mainframe.
>> >
>> > I suppose it's too much to expect for users to look at the trace fields to
>> > determine the provenance of messages.
>> >
>> >
>> > --
>> > Shmuel (Seymour J.) Metz
>> > http://mason.gmu.edu/~smetz3
>> >
>> > 
>> > From: IBM Mainframe Discussion List  on behalf
>> > of ITschak Mugzach 
>> > Sent: Wednesday, July 11, 2018 4:35 PM
>> > To: IBM-MAIN@listserv.ua.edu
>> > Subject: Re: Seeking a tool to do a network security scan of z/OS
>> >
>> > Do you mean outside of the mainframe? Not as a single package, but NMAP
>> > will show you which ports are open on the mainframe. If your mainframe
>> > answers the scan, you already have a problem... Now assume that port 25 is
>> > open and your mail server is configured as an MTA. One can connect to the
>> > server with a HELLO call and send emails under a fake name and domain as
>> > spam to collect userids, passwords and other secrets.
>> >
>> > It's a good idea to have an extra agent to IronSphere to do that :-)
>> >
>> > ITschak
>> >
>> > On Wed, Jul 11, 2018 at 9:53 PM 
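Robyn's point above about banner-based findings (the Nessus verdict on IBM HTTP Server 5.3 that ignores whether the PTF is applied) and Filip's remark that filtering and triaging scanner output deserves its own thread come down to the same defender-side step: reconciling what the scanner saw with what the system is supposed to expose. The Python script below is an added example, not code from this thread or from any product or person named in it. It parses the XML that `nmap -oX` writes, compares each open port with a per-host baseline of expected services, and marks version-detection results matching a list of "banner-only" signatures for manual verification of applied maintenance. The host name, addresses, product strings, baseline and banner-only list are all constructed for the example.

```python
"""Triage Nmap XML output against an expected-service baseline.

Added example (not from the IBM-MAIN thread or any product it names).
Reads the XML that ``nmap -oX`` produces and sorts open ports into:
  expected            - port open and service matches the baseline
  unexpected          - port not in the baseline, or service mismatch
  verify_maintenance  - product/version matched a banner-only signature,
                        so a scanner verdict may ignore applied PTFs
All hosts, addresses, product strings and baselines here are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed nmap -oX output for a hypothetical z/OS LPAR "mvs1.example.test".
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml mvs1.example.test">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="mvs1.example.test" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="IBM z/OS FTP"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="IBM TN3270"/></port>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp" product="IBM CSSMTP"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="IBM HTTP Server" version="5.3"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Baseline: (protocol, port) -> service each host is supposed to expose.
# Constructed; in practice it comes from the TCPIP profile and change records.
BASELINE: Dict[str, Dict[Tuple[str, int], str]] = {
    "mvs1.example.test": {("tcp", 21): "ftp", ("tcp", 25): "smtp", ("tcp", 80): "http"},
}

# (product, version) pairs where the banner alone cannot show whether the
# relevant maintenance is applied. The thread's case is IHS 5.3 reported
# "vulnerable" regardless of PTF UK90649. Constructed list.
BANNER_ONLY: Set[Tuple[str, str]] = {("IBM HTTP Server", "5.3")}


@dataclass
class Finding:
    host: str
    protocol: str
    port: int
    service: str
    product: str = ""
    version: str = ""


def parse_open_ports(xml_text: str) -> List[Finding]:
    """Return one Finding per port whose state is 'open' in an nmap -oX document."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        name = hn.get("name") if hn is not None else addr
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not findings here
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            findings.append(Finding(host=name, protocol=port.get("protocol"),
                                    port=int(port.get("portid")),
                                    service=attrs.get("name", ""),
                                    product=attrs.get("product", ""),
                                    version=attrs.get("version", "")))
    return findings


def triage(findings: List[Finding],
           baseline: Dict[str, Dict[Tuple[str, int], str]],
           banner_only: Set[Tuple[str, str]]) -> Dict[str, List[Finding]]:
    """Sort findings into expected / unexpected / verify_maintenance buckets."""
    report: Dict[str, List[Finding]] = {"expected": [], "unexpected": [], "verify_maintenance": []}
    for f in findings:
        expected_service = baseline.get(f.host, {}).get((f.protocol, f.port))
        # A port missing from the baseline and a baseline/service mismatch both
        # need a human decision; the mismatch may point at a misconfiguration.
        if expected_service == f.service:
            report["expected"].append(f)
        else:
            report["unexpected"].append(f)
        if (f.product, f.version) in banner_only:
            report["verify_maintenance"].append(f)
    return report


def summarize(report: Dict[str, List[Finding]]) -> List[str]:
    """Render one line per finding that needs a reviewer's decision."""
    lines = []
    for f in report["unexpected"]:
        lines.append(f"UNEXPECTED  {f.host} {f.protocol}/{f.port} {f.service} {f.product}".rstrip())
    for f in report["verify_maintenance"]:
        lines.append(f"VERIFY-PTF  {f.host} {f.protocol}/{f.port} {f.product} {f.version}")
    return lines


if __name__ == "__main__":
    for line in summarize(triage(parse_open_ports(SAMPLE_NMAP_XML), BASELINE, BANNER_ONLY)):
        print(line)
```

With the constructed scan, port 23 is reported as unexpected because the baseline does not list it, and port 80 is expected but queued for maintenance verification; closed ports are dropped before triage. Replace `SAMPLE_NMAP_XML` with a real `-oX` file and the baseline with the ports your TCPIP profile actually reserves to use it on a scan of your own system.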

Re: Seeking a tool to do a network security scan of z/OS

2018-07-12 Thread Seymour J Metz
You're talking about outbound, for which port scanning is not relevant. The
text "One can connect to the server with HELLO call" also refers to a TCP/IP
connection, not to sending a SPOOL file.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List  on behalf of 
ITschak Mugzach 
Sent: Thursday, July 12, 2018 3:06 PM
To: IBM-MAIN@listserv.ua.edu
Subject: Re: Seeking a tool to do a network security scan of z/OS

Shmuel,

the SMTP server is mainly spool based. So you can create a text file
(defined in the RFC you mentioned), write it to the spool in the writer and
class used by the server and it will be sent. You can use a fake name and
fake domain (the server will state "I don't know you", but will send the
message).

SMTP is so easy to penetrate if you don't have a security exit developed &
installed. I once unloaded the security database of a client and sent part
of it to his GMAIL account. Guess what: his Exchange was configured as a mail
relay as well! Clients do stupid things. I told you, this is how I refill
my refrigerator. This is what we do most of the time in Israel & Europe.

ITschak

On Thu, Jul 12, 2018 at 8:14 PM Seymour J Metz  wrote:

> If it works it's because they didn't properly configure the server. Just
> connecting to the server isn't enough to send an e-mail to it. RFC 4954
> came out in July 2007 and RFC 2554 came out in  March 1999. sendmail has
> supported it since 8.10.
>
>
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> 
> From: IBM Mainframe Discussion List  on behalf
> of ITschak Mugzach 
> Sent: Thursday, July 12, 2018 1:08 PM
> To: IBM-MAIN@listserv.ua.edu
> Subject: Re: Seeking a tool to do a network security scan of z/OS
>
> Shmuel,
>
> I refill the refrigerator doing pentests. I have done this and many other
> attacks on clients' mainframes and in 90% of the cases, I am able to send
> emails using the mainframe SMTP configured as an MTA. If you look at your
> SMTP server log you might see some TCP connections (bingo!) or just users
> who write a different domain name in the From clause.
>
> Trust me, it works.
>
> ITschak
>
> On Thu, Jul 12, 2018 at 6:36 PM Seymour J Metz  wrote:
>
> > Does your SMTP server not do authentication? That would certainly get the
> > auditors' attention.
> >
> > Do your users respond to phish attempts? Another security problem, and one
> > that has nothing to do with the mainframe.
> >
> > I suppose it's too much to expect for users to look at the trace fields to
> > determine the provenance of messages.
> >
> >
> > --
> > Shmuel (Seymour J.) Metz
> > http://mason.gmu.edu/~smetz3
> >
> > 
> > From: IBM Mainframe Discussion List  on behalf
> > of ITschak Mugzach 
> > Sent: Wednesday, July 11, 2018 4:35 PM
> > To: IBM-MAIN@listserv.ua.edu
> > Subject: Re: Seeking a tool to do a network security scan of z/OS
> >
> > Do you mean outside of the mainframe? Not as a single package, but NMAP
> > will show you which ports are open on the mainframe. If your mainframe
> > answers the scan, you already have a problem... Now assume that port 25 is
> > open and your mail server is configured as an MTA. One can connect to the
> > server with a HELLO call and send emails under a fake name and domain as
> > spam to collect userids, passwords and other secrets.
> >
> > It's a good idea to have an extra agent to IronSphere to do that :-)
> >
> > ITschak
> >
> > On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) <
> > lionel.d...@va.gov> wrote:
> >
> > > Is there a tool available that can do a network security scan of a z/OS
> > > system to identify network vulnerabilities?
> > >
> > > thanks
> > >
> > >
> >
> --
> > > Lionel B. Dyck (Contractor)  <
> > > Mainframe Systems Programmer - RavenTek Solution Partners
> > >
> > >
> > >
> > > --
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> >
> >
> > --
> > ITschak Mugzach
> > | IronSphere Platform | Information Security Contiguous Monitoring for Legacy |
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
>
> --
> ITschak Mugzach
> | IronSphere Platform | Information Security Contiguous Monitoring for Legacy |
>
> --
> For 

Re: Seeking a tool to do a network security scan of z/OS

2018-07-12 Thread Itschak Mugzach
I don’t think Qualys will identify configuration issues (which we do inside the 
mainframe with IronSphere). It will do a port scan, try to ping it, but if your 
mainframe is well configured, it will block port scans as well.

ITschak

Sent from my iPad

On 12 July 2018, at 22:11, Mark Regan wrote:

> If your site already uses Qualys, then it can be used to scan z/OS too.
> 
> On Wed, Jul 11, 2018 at 3:53 PM Dyck, Lionel B. (RavenTek) <
> lionel.d...@va.gov> wrote:
> 
>> Is there a tool available that can do a network security scan of a z/OS
>> system to identify network vulnerabilities?
>> 
>> thanks
>> 
>> --
>> Lionel B. Dyck (Contractor)  <
>> Mainframe Systems Programmer - RavenTek Solution Partners
>> 
>> 
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
> -- 
> 
> Regards,
> 
> Mark T. Regan
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Seeking a tool to do a network security scan of z/OS

2018-07-12 Thread Mark Regan
If your site already uses Qualys, then it can be used to scan z/OS too.

On Wed, Jul 11, 2018 at 3:53 PM Dyck, Lionel B. (RavenTek) <
lionel.d...@va.gov> wrote:

> Is there a tool available that can do a network security scan of a z/OS
> system to identify network vulnerabilities?
>
> thanks
>
> --
> Lionel B. Dyck (Contractor)  <
> Mainframe Systems Programmer - RavenTek Solution Partners
>
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
-- 

Regards,

Mark T. Regan

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Seeking a tool to do a network security scan of z/OS

2018-07-12 Thread ITschak Mugzach
Shmuel,

the SMTP server is mainly spool based. So you can create a text file
(defined in the RFC you mentioned), write it to the spool in the writer and
class used by the server and it will be sent. You can use a fake name and
fake domain (the server will state "I don't know you", but will send the
message).

SMTP is so easy to penetrate if you don't have a security exit developed &
installed. I once unloaded the security database of a client and sent part
of it to his GMAIL account. Guess what: his Exchange was configured as a mail
relay as well! Clients do stupid things. I told you, this is how I refill
my refrigerator. This is what we do most of the time in Israel & Europe.

ITschak

On Thu, Jul 12, 2018 at 8:14 PM Seymour J Metz  wrote:

> If it works it's because they didn't properly configure the server. Just
> connecting to the server isn't enough to send an e-mail to it. RFC 4954
> came out in July 2007 and RFC 2554 came out in  March 1999. sendmail has
> supported it since 8.10.
>
>
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> 
> From: IBM Mainframe Discussion List  on behalf
> of ITschak Mugzach 
> Sent: Thursday, July 12, 2018 1:08 PM
> To: IBM-MAIN@listserv.ua.edu
> Subject: Re: Seeking a tool to do a network security scan of z/OS
>
> Shmuel,
>
> I refill the refrigerator doing pentests. I have done this and many other
> attacks on clients' mainframes and in 90% of the cases, I am able to send
> emails using the mainframe SMTP configured as an MTA. If you look at your
> SMTP server log you might see some TCP connections (bingo!) or just users
> who write a different domain name in the From clause.
>
> Trust me, it works.
>
> ITschak
>
> On Thu, Jul 12, 2018 at 6:36 PM Seymour J Metz  wrote:
>
> > Does your SMTP server not do authentication? That would certainly get the
> > auditors' attention.
> >
> > Do your users respond to phish attempts? Another security problem, and one
> > that has nothing to do with the mainframe.
> >
> > I suppose it's too much to expect for users to look at the trace fields to
> > determine the provenance of messages.
> >
> >
> > --
> > Shmuel (Seymour J.) Metz
> > http://mason.gmu.edu/~smetz3
> >
> > 
> > From: IBM Mainframe Discussion List  on behalf
> > of ITschak Mugzach 
> > Sent: Wednesday, July 11, 2018 4:35 PM
> > To: IBM-MAIN@listserv.ua.edu
> > Subject: Re: Seeking a tool to do a network security scan of z/OS
> >
> > Do you mean outside of the mainframe? Not as a single package, but NMAP
> > will show you which ports are open on the mainframe. If your mainframe
> > answers the scan, you already have a problem... Now assume that port 25 is
> > open and your mail server is configured as an MTA. One can connect to the
> > server with a HELLO call and send emails under a fake name and domain as
> > spam to collect userids, passwords and other secrets.
> >
> > It's a good idea to have an extra agent to IronSphere to do that :-)
> >
> > ITschak
> >
> > On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) <
> > lionel.d...@va.gov> wrote:
> >
> > > Is there a tool available that can do a network security scan of a z/OS
> > > system to identify network vulnerabilities?
> > >
> > > thanks
> > >
> > >
> >
> --
> > > Lionel B. Dyck (Contractor)  <
> > > Mainframe Systems Programmer - RavenTek Solution Partners
> > >
> > >
> > >
> > > --
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> >
> >
> > --
> > ITschak Mugzach
> > | IronSphere Platform | Information Security Contiguous Monitoring for Legacy |
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
>
> --
> ITschak Mugzach
> | IronSphere Platform | Information Security Contiguous Monitoring for Legacy |
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>


-- 
ITschak Mugzach
| IronSphere Platform | Information Security Contiguous Monitoring for Legacy |


Re: Seeking a tool to do a network security scan of z/OS

2018-07-12 Thread Rob Schramm
I thought the Soldier of Fortran guy had been updating and providing USS
specifics for some open source penetration tests.

Rob Schramm

On Thu, Jul 12, 2018 at 2:14 PM Seymour J Metz  wrote:

> If it works it's because they didn't properly configure the server. Just
> connecting to the server isn't enough to send an e-mail to it. RFC 4954
> came out in July 2007 and RFC 2554 came out in  March 1999. sendmail has
> supported it since 8.10.
>
>
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> 
> From: IBM Mainframe Discussion List  on behalf
> of ITschak Mugzach 
> Sent: Thursday, July 12, 2018 1:08 PM
> To: IBM-MAIN@listserv.ua.edu
> Subject: Re: Seeking a tool to do a network security scan of z/OS
>
> Shmuel,
>
> I refill the refrigerator doing pentests. I have done this and many other
> attacks on clients' mainframes and in 90% of the cases, I am able to send
> emails using the mainframe SMTP configured as an MTA. If you look at your
> SMTP server log you might see some TCP connections (bingo!) or just users
> who write a different domain name in the From clause.
>
> Trust me, it works.
>
> ITschak
>
> On Thu, Jul 12, 2018 at 6:36 PM Seymour J Metz  wrote:
>
> > Does your SMTP server not do authentication? That would certainly get the
> > auditors' attention.
> >
> > Do your users respond to phish attempts? Another security problem, and one
> > that has nothing to do with the mainframe.
> >
> > I suppose it's too much to expect for users to look at the trace fields to
> > determine the provenance of messages.
> >
> >
> > --
> > Shmuel (Seymour J.) Metz
> > http://mason.gmu.edu/~smetz3
> >
> > 
> > From: IBM Mainframe Discussion List  on behalf
> > of ITschak Mugzach 
> > Sent: Wednesday, July 11, 2018 4:35 PM
> > To: IBM-MAIN@listserv.ua.edu
> > Subject: Re: Seeking a tool to do a network security scan of z/OS
> >
> > Do you mean outside of the mainframe? Not as a single package, but NMAP
> > will show you which ports are open on the mainframe. If your mainframe
> > answers the scan, you already have a problem... Now assume that port 25 is
> > open and your mail server is configured as an MTA. One can connect to the
> > server with a HELLO call and send emails under a fake name and domain as
> > spam to collect userids, passwords and other secrets.
> >
> > It's a good idea to have an extra agent to IronSphere to do that :-)
> >
> > ITschak
> >
> > On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) <
> > lionel.d...@va.gov> wrote:
> >
> > > Is there a tool available that can do a network security scan of a z/OS
> > > system to identify network vulnerabilities?
> > >
> > > thanks
> > >
> > >
> >
> --
> > > Lionel B. Dyck (Contractor)  <
> > > Mainframe Systems Programmer - RavenTek Solution Partners
> > >
> > >
> > >
> > > --
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> >
> >
> > --
> > ITschak Mugzach
> > | IronSphere Platform | Information Security Contiguous Monitoring for Legacy |
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
>
> --
> ITschak Mugzach
> | IronSphere Platform | Information Security Contiguous Monitoring for Legacy |
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
-- 

Rob Schramm

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Seeking a tool to do a network security scan of z/OS

2018-07-12 Thread Seymour J Metz
If it works it's because they didn't properly configure the server. Just
connecting to the server isn't enough to send an e-mail to it. RFC 4954 came
out in July 2007 and RFC 2554 came out in March 1999. sendmail has supported
it since 8.10.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List  on behalf of 
ITschak Mugzach 
Sent: Thursday, July 12, 2018 1:08 PM
To: IBM-MAIN@listserv.ua.edu
Subject: Re: Seeking a tool to do a network security scan of z/OS

Shmuel,

I refill the refrigerator doing pentests. I have done this and many other
attacks on clients' mainframes and in 90% of the cases I am able to send
emails using the mainframe SMTP configured as an MTA. If you look at your
SMTP server log you might see some TCP connections (bingo!) or just users
who write a different domain name in the From clause.

Trust me, it works.

ITschak



--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **|  *
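The SMTP AUTH point above, as an added example that is not part of the thread or of any product it mentions: a Python helper that parses an SMTP EHLO reply and flags a server that advertises neither the AUTH extension of RFC 4954 nor STARTTLS. Both replies are constructed and mvs1.example.com is a placeholder host name.

```python
"""Audit an SMTP EHLO reply for the RFC 4954 AUTH extension and STARTTLS.
Added example, not from the IBM-MAIN thread. Both replies are constructed;
mvs1.example.com is a placeholder host name."""
import re

# RFC 5321 multi-line reply: "250-" on continuation lines, "250 " on the last.
SAMPLE_EHLO_NO_AUTH = (
    "250-mvs1.example.com Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)

SAMPLE_EHLO_AUTH_TLS = (
    "250-mvs1.example.com Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)

_REPLY_LINE = re.compile(r"^250[- ](.*)$")


def parse_ehlo(reply: str) -> dict:
    """Map each advertised extension keyword to its parameter list."""
    extensions = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:  # the first line is the greeting, not an extension
        m = _REPLY_LINE.match(line)
        if not m or not m.group(1).split():
            continue
        keyword, *params = m.group(1).split()
        extensions[keyword.upper()] = [p.upper() for p in params]
    return extensions


def audit_ehlo(reply: str) -> list:
    """Return the findings an auditor would raise for this EHLO reply.

    Many servers advertise AUTH only after STARTTLS, so audit the EHLO reply
    from inside the TLS session too. A missing AUTH does not by itself prove
    an open relay: relay policy is a separate check.
    """
    ext = parse_ehlo(reply)
    findings = []
    if "STARTTLS" not in ext:
        findings.append("STARTTLS not advertised: the session, credentials included, is cleartext")
    if "AUTH" not in ext:
        findings.append("SMTP AUTH (RFC 4954) not advertised: submitters are not authenticated")
    elif "STARTTLS" not in ext and {"PLAIN", "LOGIN"} & set(ext["AUTH"]):
        findings.append("AUTH PLAIN/LOGIN without STARTTLS: passwords would cross the network in clear")
    return findings
```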


Re: Seeking a tool to do a network security scan of z/OS

2018-07-12 Thread Seymour J Metz
Spoofing? You can't spoof the chain of Received header fields.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List  on behalf of 
Charles Mills 
Sent: Thursday, July 12, 2018 1:50 PM
To: IBM-MAIN@listserv.ua.edu
Subject: Re: Seeking a tool to do a network security scan of z/OS

> I suppose it's too much to expect users to look at the trace fields to
> determine the provenance of messages.

Nine out of ten recipients have no idea how to do so, and would not know
what they were looking at if they did. And given spoofing, look-alikes and
punycode, I'm not sure it's a great approach for anyone.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Thursday, July 12, 2018 9:35 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Seeking a tool to do a network security scan of z/OS

Does your SMTP server not do authentication? That would certain get the
auditors' attention.

Do your users respond to phish attempts? Another security problem, and one
that has nothing to do with the mainframe.

I suppose it's to much to expect for users to look at the trace fields to
determine the provenances of messages.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
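The trace-field point above, as an added example that is not part of the thread and not any product's code: a Python helper that walks a message's Received: fields oldest-first, reports the relay that first accepted the message, and compares that relay's domain with the domain claimed in From:. The message, hosts and addresses are constructed, and only the hops added by relays you trust are reliable, since a sender can forge the lines beneath them.

```python
"""Walk Received: trace fields to find where a message entered the mail system
and compare that relay with the domain claimed in From:.
Added example, not from the IBM-MAIN thread; message and hosts are constructed."""
import email
import re
from email import policy

# Constructed message. Each relay prepends its own Received: line, so the top
# line is the last hop and the bottom line is the first hop.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.net with ESMTP id q1; Thu, 12 Jul 2018 13:08:00 +0000
Received: from mvs1.example.com (mvs1.example.com [192.0.2.10])
\tby mx.example.net with ESMTP id q0; Thu, 12 Jul 2018 13:07:58 +0000
Received: from laptop (unknown [203.0.113.45])
\tby mvs1.example.com with SMTP id q9; Thu, 12 Jul 2018 13:07:55 +0000
From: "IT Helpdesk" <helpdesk@bank.example.org>

Please confirm your password at the link below.
"""

# "from <claimed name> (<reverse DNS> [<ip>]) ... by <receiving host>"
_HOP = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)


def received_chain(raw: str) -> list:
    """Return hops oldest-first as (claimed_from, rdns_and_ip, by)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for field in reversed(msg.get_all("Received", [])):
        m = _HOP.search(str(field).replace("\n", " "))
        if m:
            hops.append((m.group(1), (m.group(2) or "").strip(), m.group(3)))
    return hops


def _base_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def origin_report(raw: str) -> dict:
    """Compare the first accepting relay with the From: domain.
    Only Received: lines added by relays you trust are reliable; a sender can
    write arbitrary lines beneath them, so treat the lowest hops with care."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_chain(raw)
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    claimed_from, rdns_ip, entered_via = hops[0] if hops else ("", "", "")
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    return {
        "from_domain": from_domain,
        "entered_via": entered_via,
        "submitted_by": f"{claimed_from} {rdns_ip}".strip(),
        "mismatch": bool(hops) and _base_domain(entered_via) != _base_domain(from_domain),
    }
```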


Re: Seeking a tool to do a network security scan of z/OS

2018-07-12 Thread Charles Mills
> I suppose it's too much to expect users to look at the trace fields to
> determine the provenance of messages.

Nine out of ten recipients have no idea how to do so, and would not know
what they were looking at if they did. And given spoofing, look-alikes and
punycode, I'm not sure it's a great approach for anyone.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Thursday, July 12, 2018 9:35 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Seeking a tool to do a network security scan of z/OS

Does your SMTP server not do authentication? That would certainly get the
auditors' attention.

Do your users respond to phish attempts? Another security problem, and one
that has nothing to do with the mainframe.

I suppose it's too much to expect users to look at the trace fields to
determine the provenance of messages.



Re: Seeking a tool to do a network security scan of z/OS

2018-07-12 Thread ITschak Mugzach
Shmuel,

I refill the refrigerator doing pentests. I have done this and many other
attacks on clients' mainframes and in 90% of the cases I am able to send
emails using the mainframe SMTP configured as an MTA. If you look at your
SMTP server log you might see some TCP connections (bingo!) or just users
who write a different domain name in the From clause.

Trust me, it works.

ITschak

On Thu, Jul 12, 2018 at 6:36 PM Seymour J Metz  wrote:

> Does your SMTP server not do authentication? That would certainly get the
> auditors' attention.
>
> Do your users respond to phish attempts? Another security problem, and one
> that has nothing to do with the mainframe.
>
> I suppose it's too much to expect users to look at the trace fields to
> determine the provenance of messages.
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3


-- 
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **|  *



Re: Seeking a tool to do a network security scan of z/OS

2018-07-12 Thread Dyck, Lionel B. (RavenTek)
There are various tools that do network scans looking for vulnerabilities on
the systems being scanned, and while we have them for Windows and *nix platforms,
there seem to be none (that we can find) that will test the security of the
network interfaces on z/OS. That is what we are looking for.

thx

--
Lionel B. Dyck (Contractor)  <
Mainframe Systems Programmer - RavenTek Solution Partners


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Seymour J Metz
Sent: Thursday, July 12, 2018 11:35 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Seeking a tool to do a network security scan of z/OS

Does your SMTP server not do authentication? That would certainly get the
auditors' attention.

Do your users respond to phish attempts? Another security problem, and one that
has nothing to do with the mainframe.

I suppose it's too much to expect users to look at the trace fields to
determine the provenance of messages.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3




Re: Seeking a tool to do a network security scan of z/OS

2018-07-12 Thread Seymour J Metz
Does your SMTP server not do authentication? That would certainly get the
auditors' attention.

Do your users respond to phish attempts? Another security problem, and one that
has nothing to do with the mainframe.

I suppose it's too much to expect users to look at the trace fields to
determine the provenance of messages.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List  on behalf of 
ITschak Mugzach 
Sent: Wednesday, July 11, 2018 4:35 PM
To: IBM-MAIN@listserv.ua.edu
Subject: Re: Seeking a tool to do a network security scan of z/OS

Do you mean outside of the mainframe? Not as a single package, but NMAP
will show you which ports are open on the mainframe. If your mainframe
answers the scan, you already have a problem... Now assume that port 25 is
open and your mail server is configured as an MTA. One can connect to the
server with a HELO call and send emails under a fake name and domain as spam
to collect userids, passwords and other secrets.

It's a good idea to have an extra agent to IronSphere to do that -)

ITschak


--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **|  *


Re: Seeking a tool to do a network security scan of z/OS

2018-07-11 Thread ITschak Mugzach
Do you mean outside of the mainframe? Not as a single package, but NMAP
will show you which ports are open on the mainframe. If your mainframe
answers the scan, you already have a problem... Now assume that port 25 is
open and your mail server is configured as an MTA. One can connect to the
server with a HELO call and send emails under a fake name and domain as spam
to collect userids, passwords and other secrets.

It's a good idea to have an extra agent to IronSphere to do that -)

ITschak

On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) <
lionel.d...@va.gov> wrote:

> Is there a tool available that can do a network security scan of a z/OS
> system to identify network vulnerabilities?
>
> thanks
>
> --
> Lionel B. Dyck (Contractor)  <
> Mainframe Systems Programmer - RavenTek Solution Partners
>


-- 
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **|  *



Seeking a tool to do a network security scan of z/OS

2018-07-11 Thread Dyck, Lionel B. (RavenTek)
Is there a tool available that can do a network security scan of a z/OS system 
to identify network vulnerabilities?

thanks

--
Lionel B. Dyck (Contractor)  <
Mainframe Systems Programmer - RavenTek Solution Partners


