Port;Service;Description
446;ddm;DDM Server is used to access data via DRDA and for record-level access
449;as-svrmap;Port Mapper returns the port number for the requested server
2001;as-admin-http;HTTP server administration
5544;as-mtgctrlj;Management Central Server used to manage multiple AS/400s in a network
5555;as-mtgctrl;Management Central Server used to manage multiple AS/400s in a network
8470;as-central;Central Server used when a Client Access licence is required for downloading translation tables
8471;as-database;Database server used for accessing the AS/400 database
8472;as-dtaq;Data Queue server allows access to the AS/400 data queues used for passing data between applications
8473;as-file;File Server is used for accessing any part of the AS/400
8474;as-netprt;Printer Server used to access printers known to the AS/400
8475;as-rmtcmd;Remote Command Server used to send commands from a PC to an AS/400
8476;as-signon;Sign-on server is used for every Client Access connection to authenticate users and to change passwords
8480;as-usf;Ultimedia facilities used for multimedia data
Port (SSL/TLS variant);Service;Description
447;ddm-ssl;DDM Server is used to access data via DRDA and for record-level access
448;ddm;DDM Server is used to access data via DRDA and for record-level access
992;telnet-ssl;Telnet Server
2010;as-admin-https;HTTP server administration
5566;as-mtgctrl-ss;Management Central Server used to manage multiple AS/400s in a network
5577;as-mtgctrl-cs;Management Central Server used to manage multiple AS/400s in a network
9470;as-central-s;Central Server used when a Client Access licence is required for downloading translation tables
9471;as-database-s;Database Server
9472;as-dtaq-s;Data Queue server allows access to the AS/400 data queues used for passing data between applications
9473;as-file-s;File Server is used for accessing any part of the AS/400
9474;as-netprt-s;Printer Server used to access printers known to the AS/400
9475;as-rmtcmd-s;Remote Command Server used to send commands from a PC to an AS/400
9476;as-signon-s;Sign-on server is used for every Client Access connection to authenticate users and to change passwords
User profile;Well-known default password(s) (blank = none listed)
11111111;11111111
22222222;22222222
IBM;PASSWORD
IBM;2222
IBM;SERVICE
IBM;IBM
QAUTPROF;
QDBSHR;
QDOC;
QLPAUTO;
QNETSPLF;
QPGMR;QPGMR
QSECOFR;QSECOFR;11111111;22222222
SECOFR;SECOFR
QSRVBAS;QSRVBAS
QTFTP;
QTSTRQS;
QBRMS;
QDBSHRDO;
QDSNX;
QLPINSTALL;
QNFSANON;
QPM400;
QSNADS;
QSVCDRCTR;
QTMHHTTP1;
QUMB;
QCLUMGT;
QDFTOWN;QDFTOWN
QEJB;
QMQM;
QNOTES;
QPRJOWN;
QSPL;
QSYS;
QTMHHTTP;
QUSER;QUSER
QCLUSTER;
QDIRSRV;
QFNC;
QMQMADM;
QNTP;
QRJE;
QSPLJOB;
QSYSOPR;QSYSOPR
QTMPLPD;
QYPSJSVR;
QCOLSRV;
QDLFM;
QGATE;
QMSF;
QPEX;
QRMTCAL;
QSRV;QSRV;IBMCEL
QTCP;
QTMTWSG;
QYPUOWN;
QSERV;QSERV
CPF1107: Password not correct for user profile XXXX
CPF1120: User XXXX does not exist
CPF1116: Next not valid sign-on attempt varies off device
CPF1392: Next not valid sign-on attempt disables user profile XXXX
CPF1394: User profile XXXX cannot sign on
CPF1118: No password associated with the user XXXX
CPF1109: Not authorized to subsystem
CPF1110: Not authorized to work station
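A small triage script over these sign-on messages, as an added example that is not part of the original page: it classifies constructed sample messages by CPF code, counts bad-password attempts per profile, flags attempts against the IBM-supplied profiles listed above, and flags devices that produce repeated CPF1120 "user does not exist" replies. The log line format and the sample lines are assumptions made for the example.

```python
import re
from collections import Counter

# CPF sign-on messages listed above, mapped to a triage category.
SIGNON_MSGS = {"CPF1107": "bad_password", "CPF1120": "unknown_user",
               "CPF1116": "lockout_warning_device", "CPF1392": "lockout_warning_profile",
               "CPF1394": "profile_disabled", "CPF1118": "no_password",
               "CPF1109": "not_authorized_subsystem", "CPF1110": "not_authorized_workstation"}
# Subset of the IBM-supplied profiles listed on this page: failures against
# them deserve a closer look than failures against ordinary user profiles.
DEFAULT_PROFILES = {"QSECOFR", "QSYSOPR", "QPGMR", "QUSER", "QSRV", "QSRVBAS",
                    "QSERV", "QDFTOWN", "QSYS", "QTCP", "SECOFR", "IBM"}
# Constructed sample (not a real QHST export); assumed format "<time> <device> <msgid>: <text>".
SAMPLE_LOG = """\
09:01:02 QPADEV0001 CPF1107: Password not correct for user profile QSECOFR
09:01:05 QPADEV0001 CPF1107: Password not correct for user profile QSECOFR
09:01:09 QPADEV0001 CPF1392: Next not valid sign-on attempt disables user profile QSECOFR
09:01:12 QPADEV0001 CPF1394: User profile QSECOFR cannot sign on
09:02:30 QPADEV0002 CPF1120: User JSMITH2 does not exist
09:02:33 QPADEV0002 CPF1120: User JDOE does not exist
09:03:00 QPADEV0003 CPF1107: Password not correct for user profile QUSER
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (CPF\d{4}):(.*)$")
USER_RE = re.compile(r"\buser(?: profile)? (\S+)", re.I)  # CPF1116 names a device, not a user

def parse_line(line):
    """Return a dict for one sign-on message line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    time, device, msgid, text = m.groups()
    u = USER_RE.search(text)
    return {"time": time, "device": device, "msgid": msgid,
            "user": u.group(1).upper() if u else None,
            "category": SIGNON_MSGS.get(msgid, "other")}

def triage(log_text, enum_threshold=2):
    """Who is being guessed at, which profiles got disabled, which devices probe for names."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    bad_pw = Counter(e["user"] for e in events if e["category"] == "bad_password")
    unknown_by_dev = Counter(e["device"] for e in events if e["category"] == "unknown_user")
    return {
        "bad_password": dict(bad_pw),
        "default_profile_targets": sorted(u for u in bad_pw if u in DEFAULT_PROFILES),
        "disabled_profiles": sorted({e["user"] for e in events if e["category"] == "profile_disabled"}),
        "enumeration_devices": sorted(d for d, n in unknown_by_dev.items() if n >= enum_threshold),
    }
```

The threshold of two CPF1120 replies from one device is deliberately low for the sample; on a real system tune it to the normal typo rate.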
dn: cn=System, cn=System Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
cn: System
slapdPlugin: database /QSYS.LIB/QGLDPSYS.SRVPGM sysprj_backend_init
slapdReadOnly: FALSE
slapdSuffix: os400-sys=HERE IS THE VALUE YOU ARE LOOKING FOR
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdOs400SystemBackend
Server: AS400_ANDOLINI
Company: DONCORLEONE.COM
The os400-sys value should then be: AS400_ANDOLINI.DONCORLEONE.COM
ldapsearch -h AS400SERVER \
  -b "cn=accounts,os400-sys=AS400-Name" \
  -D "os400-profile=$LOGIN$,cn=accounts,os400-sys=AS400-Name" \
  -w $PASSWRD -L -s sub "os400-profile=*" > MyUSERS.log
AS400-Name is the os400-sys value obtained from the slapdSuffix entry above.
ldapsearch -h target \
  -b "cn=accounts,os400-sys=AS400-Name" \
  -D "os400-profile=$LOGIN$,cn=accounts,os400-sys=AS400-Name" \
  -w $PASSWRD -L -s sub "os400-profile=USER_YOU_WANT" > COMPLETEINFO_ONUSER.log
QSECURITY
System security level, protecting passwords, objects and operating system integrity.
Recommended value: 30
A sufficient security level keeps passwords, objects and operating system integrity protected; an insufficient security level could compromise objects and operating system integrity.
QVFYOBJRST
Verify object on restore: verifies object signatures during restore.
Not verifying signatures on restore, and so allowing such a command or program to run, represents an integrity risk to your system.
QMAXSIGN
Maximum sign-on attempts: restricts the number of times a user can incorrectly attempt to sign on to the system before being disabled.
The action taken by the system when this number is exceeded is determined by the preceding parameter.
QINACTITV
Inactive job time-out. A value of 0 means the system will never log a user off.
QPWDEXPITV
Password expiration interval: specifies whether user passwords expire and controls the number of days allowed before a password must be changed.
A number of days above the recommended interval compromises password security on your system.
QPWDRQDDIF
Duplicate password control prevents users from specifying passwords that they have used previously.
Recommended value: 1
This prevents passwords from being reused for (returned value) generations for a user ID.
QPWDMINLEN
Minimum password length: the minimum number of characters for a password.
Recommended value: 5 (6 is a must)
This forces passwords to a minimum length of (returned value) alphanumeric characters.
QPWDMAXLEN
Maximum password length: the maximum number of characters for a password.
Recommended value: 10
This limits the length of a password to (returned value) alphanumeric characters.
QPWDLVL
Password level: the system can be set to allow user profile passwords of 1-10 or 1-128 characters.
QAUDCTL
Auditing control ensures that all security-related functions are audited and stored in a log file for review and follow-up. Audit values and their status:
Value;Category;Events covered;Status
*AUDLVL;System auditing;System auditing events;logged and may be audited
*OBJAUD;Object auditing;Object auditing activity as defined;logged and may be audited
*AUTFAIL;Authority failure;All access failures, incorrect password or user ID;logged and may be audited
*PGMFAIL;System integrity violation;Blocked instructions, validation failure, domain violation;logged and may be audited
*JOBDTA;Job tasks;Job start and stop data (disconnect, prestart);logged and may be audited
*NETCMN;Communication and networking tasks;Actions that occur for APPN filtering support;logged and may be audited
*SAVRST;Object restore;Restore (PGM, JOBD, authority, CMD, system state);logged and may be audited
*SECURITY;Security tasks;All security-related functions (CRT/CHG/DLT/RST);logged and may be audited
*SERVICE;Services HW/SW;Actions for performing HW or SW services;logged and may be audited
*SYSMGT;System management;Registration, network, DRDA, SysReplay, operational;not logged and cannot be audited
*CREATE;Object creation;Newly created objects, replaced existing objects;logged and may be audited
*DELETE;Object deletion;All deletion of external objects;logged and may be audited
*OFCSRV;Office tasks;Office tasks (system distribution directory, mail);logged and may be audited
*OPTICAL;Optical tasks;Optical tasks (add/remove optical cartridge, Autho);logged and may be audited
*PGMADP;Program authority adoption;Program adopted authority used to gain access to an object;logged and may be audited
*OBJMGT;Object management;Object management;logged and may be audited
*SPLFDTA;Spool management;Spool management;logged and may be audited
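A checker for the system values and audit settings discussed above, as an added example that is not the page's own tooling: it compares a transcribed set of system values against the recommendations given on this page and reports each miss. The dict input format, the use of QAUDLVL for the *AUTFAIL-style flags (QAUDCTL only switches auditing on with *AUDLVL/*OBJAUD), and the *NOMAX/*NONE spellings in the constructed samples are assumptions.

```python
# Checks AS/400 system values against the recommendations given on this page.
# Input: dict of system value name -> value string as transcribed from DSPSYSVAL
# output; list-type values such as QAUDCTL and QAUDLVL are given space separated.

# Security-relevant QAUDLVL entries from the table above (*AUDLVL and *OBJAUD
# are QAUDCTL values that switch action and object auditing on).
REQUIRED_AUDLVL = ["*AUTFAIL", "*PGMFAIL", "*SECURITY", "*SAVRST",
                   "*SERVICE", "*PGMADP", "*CREATE", "*DELETE"]

def _num(v):
    """Integer value of a system value, or None for *NOMAX, *NONE and the like."""
    return int(v) if v.isdigit() else None

def _has_all(v, flags):
    present = set(v.upper().split())
    return all(f in present for f in flags)

# (system value, predicate on the string value, recommendation from this page)
CHECKS = [
    ("QSECURITY", lambda v: (_num(v) or 0) >= 30, "security level 30 or higher"),
    ("QMAXSIGN", lambda v: _num(v) is not None, "limit incorrect sign-on attempts (*NOMAX is unlimited)"),
    ("QINACTITV", lambda v: (_num(v) or 0) > 0, "time out inactive jobs; 0 (or *NONE) never logs anyone off"),
    ("QPWDEXPITV", lambda v: _num(v) is not None, "passwords must expire (*NOMAX never expires them)"),
    ("QPWDRQDDIF", lambda v: v == "1", "1: block reuse of previously used passwords"),
    ("QPWDMINLEN", lambda v: (_num(v) or 0) >= 6, "minimum length 6 (page: 5 recommended, 6 a must)"),
    ("QPWDMAXLEN", lambda v: (_num(v) or 0) >= 10, "maximum length 10 (a longer maximum is not weaker)"),
    ("QAUDCTL", lambda v: _has_all(v, ["*AUDLVL", "*OBJAUD"]), "turn on action and object auditing"),
    ("QAUDLVL", lambda v: _has_all(v, REQUIRED_AUDLVL), "audit " + " ".join(REQUIRED_AUDLVL)),
]

def check_sysvals(sysvals):
    """Return [(name, value, recommendation)] for every value that misses the recommendation."""
    findings = []
    for name, ok, rec in CHECKS:
        value = sysvals.get(name, "*MISSING")
        if value == "*MISSING" or not ok(value):
            findings.append((name, value, rec))
    return findings

# Constructed samples: one system left near shipped defaults, one hardened.
WEAK = {"QSECURITY": "20", "QMAXSIGN": "*NOMAX", "QINACTITV": "*NONE",
        "QPWDEXPITV": "*NOMAX", "QPWDRQDDIF": "0", "QPWDMINLEN": "1",
        "QPWDMAXLEN": "10", "QAUDCTL": "*NONE", "QAUDLVL": "*NONE"}
HARDENED = {"QSECURITY": "40", "QMAXSIGN": "3", "QINACTITV": "30",
            "QPWDEXPITV": "90", "QPWDRQDDIF": "1", "QPWDMINLEN": "8",
            "QPWDMAXLEN": "10", "QAUDCTL": "*AUDLVL *OBJAUD",
            "QAUDLVL": "*AUTFAIL *PGMFAIL *SECURITY *SAVRST *SERVICE *PGMADP *CREATE *DELETE"}
```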
All-Object Authority (*ALLOBJ): This is the most powerful authority on any AS/400 system. It grants the user complete access to everything on the system. A user with All-Object Authority cannot be controlled.
Service Authority (*SERVICE): Service Authority provides the user with the ability to change system hardware and disk configurations, to sniff network traffic, and to put programs into debug mode (troubleshooting mode) and see their internal workings. The system service tools include the ability to trace system functions, to patch and alter user-made and IBM-delivered programs on disk, and to manipulate data on disk.
Save and Restore Authority (*SAVSYS): This authority allows the user to back up and restore objects; the user need not have authority to those objects. The risk with *SAVSYS authority is that a user with it can save all objects (including the most sensitive files) to disk (save file), delete any object (with the Free Storage option), restore the file to an alternate library, and then view and alter the information. Should the user alter the information, they would have the ability to replace the production object with their saved version.
System Configuration Authority (*IOSYSCFG): System communication configuration authority can also be used to set up nearly invisible access from the outside as a security officer, without needing a password. System Configuration Authority provides the ability to configure and change communication configurations (e.g. lines, controllers, devices), including the system's TCP/IP and Internet connection information.
Spool Control Authority (*SPLCTL): Spool Control authority gives the user the ability to read and modify all spooled objects (reports, job queue entries, etc.) on your system. The user may hold, release and clear job and output queues, even if they are not authorized to those queues.
Security Administrator Authority (*SECADM): Security Administrator grants the authority to create, change and delete user IDs. This authority should be reserved for essential administration personnel only.
Job Control Authority (*JOBCTL): Job Control Authority can be used to power down the system or to terminate subsystems or individual jobs at any time, even during critical operational periods. Job Control Authority provides the capability to control other users' jobs as well as their spooled files and printers.
Audit Authority (*AUDIT): Audit Authority puts a user in control of the system auditing functions. Such a user can manipulate the system values that control auditing and can control user and object auditing. These users could also turn off auditing for sensitive objects in an effort to obscure certain actions.
*PGMR ---> Programmer
*SECADM ---> Security Administrator
*SECOFR ---> Security Officer
*SYSOPR ---> System Operator
*USER ---> User