So it’s very likely you’ve encountered a Mainframe in your security scans, pentests or whatever and didn’t even know it. Over the last few weeks I’ve been using some googlefu to find mainframes that are internet accessible. No surprises but its mostly university mainframes (but some government and some corporations). Once I had compiled a list I was satisfied with (about 35+ domain names) I started scanning them with NMAP looking at the common ports. Historically mainframes were setup when ‘security through obscurity’ was seen as a good thing, fortunately that seems to be falling to the wayside for now but it’s still a very real thing. What this means is that sometimes a port on the mainframe is set to something weird like 12456. Weird I know, and generally won’t get picked up in a narrow port scan. That is, unless they post the configuration instructions on how to connect to the mainframe on their website and outline the specific port!
Generally I scanned for the common ports (23, 992, 1023) unless the instructions on connecting to the mainframe specified otherwise (port 2323 or 8999 for example). Often times places had setup ‘Host on Demand’ to make connecting to the mainframe easier. Whats great about host on demand is if you look at the ‘Configured Sessions’ you can right click on it and get the preferences which tell you the exact hostname and port for the mainframe.
For example, at http://mustang.nevada.edu/ you can run the Host On-Demand (thanks IBM) Java runtime which presents to you a screen like so:
then you just right click that connection
and select properties, which will give you the hostname and port for the mainframe!
So using that (and other techniques I’ll save for talks around beer, mostly inurl:gov and -site:ibm) I was able to get a lot of hosts, ports and if it uses SSL or not. Based on these port scans some very interesting statistics have presented themselves. Now obviously this is a small sample of all publicly availably mainframes but being a sample of 35 it should hopefully be enough to make some conclusions.
The majority of places are using encryption. Not everyone, but a surprisingly large number are using SSL to encrypt their telnet 3270 connections.
If you look at the above table you can see that just over 82% of sites are using encryption. I’m super skeptical when it somes to the government/corporations meeting requirements so this came as a welcome surprise. What was interesting was that some .gov domains didn’t require encryption to connect to their mainframe. It shouldn’t really be a surprise to me anymore, as they also offered encrypted connections and likely had a ‘policy’ enforcing the use of the encrypted connection to appease FISMA auditors ;)
NMAP you LIAR!
Let’s look at what NMAP service can (-sV) was able to ascertain:
By far the most interesting statistic to come out of this is the fact that NMAP (for some reason) gets a Microsoft IIS SSL banner in 27% of cases, and a GNU Gatekeeper banner in 36% of cases. Without knowing what you’re looking at you’d probably assume the MS IIS server was really a Microsoft webserver running on a weird port (23/992), at least the GNU Gatekeeper banner has ‘telnetd’ in it, but you still likely wouldn’t know you’re looking at a mainframe unless you knew what to look for. Also of interest is the publicly available “Cisco or Edge-core switch telnetd”. Why is this interesting? It’s because its the same banner that Hercules presents when connecting to OS/360. Am I saying that those two sites are running hercules? I doubt it, but it’s still interesting. Basically the only way you’d know you were connecting to an actual mainframe, if you were using NMAP, would be if you were to connect to a non-encrypted port and it gave you the IBM OS/390 banner. Still I doubt most pentesters would mark it as significant.
Those Open Ports
No we get to the analysis of default ports. What’s interesting here is that for the majority of sites the port is the standard port (23 or 992). Now in some instances online documentation didn’t specify a port (obscurity!), in those cases a scan with the default ports, surprise surprise, yielded the default port. In some cases though, I noticed that port 2323 was the port being used, sometimes documented, sometimes not:
I guess a sysadmin thought 23 was too obvious but anything other than 2323 would be too hard to remember. You also get the weird places where someone thought 9023 or 5023 would be impossible to guess. They’re probably right about the guessing part but it defeats the point of using a non standard port if you:
- don’t change the banner, and
- DOCUMENT THE PORT IN INTERNET ACCESSIBLE DOCUMENTS
When I gave my talk at BSidesLV I presented a POC script, using Expect and C3270, to take advantage of the TSO/E panel helpfully telling you if your userid was invalid (I’ve since written a far better, cross platform, Python script but thats another post for another day). Now, I presented that knowing that most of the mainframes I’ve encountered required a password before even getting to the TSO/E logon screen. So imagine my shock at finding a handful of publicly available mainframes that allowed you to get to the TSO panel without first providing a valid ID!
For example the Driver Services Database for the state of New Mexico:
The National Institute of health (NIHTSO for the more curious):
Texas A&M University (you just type TSO at the prompt):
Washington State University (they, helpfully, tell you to type TSO at the prompt):
University of Florida (you just type TSO at the prompt):
and UC Santa Barbara (samesies):
(please note, all I did was write a script to grab the logon screen, I didn’t actually try to get to the TSO/E panel. The script used s3270 and TOR, see my previous post)
In the end I was surprised how easy it was to find government, corporate and educational mainframes publicly available on the internet. Especially given that the educational mainframes where mostly administrative systems (not used by students). I was also alarmed by the lack of enforced encryption by some sites and the fact that you could get to the TSO/E panel without first singing in, in 18% of internet accessible mainframes!