Sniffing IBM Mainframe Passwords using MitM

Not too long ago I was on an engagement looking at mainframes and it got me thinking about how difficult it would be to sniff logon credentials. We all know that TN3270E is a plaintext protocol because it’s simply based on good ole telnet. So first I’ll walk you through performing a MitM attack against mainframes. With ettercap this is fairly easy to do: start ettercap, start unified sniffing, select your targets and enable ARP poisoning:

Start sniffing and open the connections window under ‘view’

then select (hit enter) on the mainframe connection

and bask in your own glory at sniffing unencrypted mainframe data….


What you’re seeing in that screenshot is an actual logon session to a real mainframe not using SSL. This is not great. The reason it looks like crap and unreadable in any form (except for the IBM-3279-2-E) is because nothing is easy in the mainframe world. For some reason IBM decided they would use EBCDIC encoding for their flagship machine instead of ASCII (it was because of card readers, no seriously). So because it uses EBCDIC all communications to the mainframe over a TN3270E connection are also in EBCDIC. This is good news for mainframe folks because another ‘hacker tool’ proves to be useless in the face of IBM Iron. And for ettercap this is true. There are no TN3270 plugins for ettercap (I checked) and thus no way to sniff those precious usernames and passwords being sent in cleartext. 

Not so! Let’s look at a similar session (this time to the Master the Mainframe contest mainframe). Firstly we used ettercap to grab this data doing a MitM attack and dumped it to a pcap file. Then we launched Wireshark to review the data and followed the TCP stream:

Same problem, look at all those @’s. But look at the bottom of the Wireshark screen: they’ve been nice enough to add the ability to decode the packets as EBCDIC data. If you click on the radio button you get:

Why, you get my username and password (and everything else). Now my user ID, as well as everyone else’s, begins with IBM0, which you can see above in pink, and if you look 5 lines from the bottom you’ll see my censored password (the pink item with I6). So we can easily sniff mainframe logon credentials so long as we have the right tools.

But it got me thinking. I liked the simplicity of ettercap: you perform the poisoning, you set up the plugins and ettercap gives you logon credentials. You don’t have to muck your way through a TCP stream and try to understand the protocol, you just fire and forget, come back a while later and you have credentials ready to use.

With that in mind I wrote a new tool called MFSniffer. It’s a Python script that does exactly what ettercap would do. It uses scapy to sniff packets and if the packet meets specific criteria it logs the username and password. It’s currently available on GitHub here:

To use it you simply run the script as root (sniffing requires root, go read the script if you’re not comfortable with that) and wait to see the logon credentials. You could use ettercap or arpspoof to do the poisoning. 

The script takes only three arguments:

  • -a the IP address of the IBM mainframe you’re targeting
  • -p the port of the IBM mainframe 3270 ‘server’ and
  • -i the name of the interface to use (you can get that from a simple ifconfig). 

Once done you can easily run the script and get some logons:

(the repeats are because of ettercap and the ARP poisoning).

That’s a good overview of how to sniff mainframe passwords over a network. This is obviously a security weakness, and to fix it mainframes can wrap TN3270 with SSL. What does this look like when the session is encrypted using SSL?

It looks like an encrypted session. I’ve only played around with this a bit but using both x3270 and TN3270 X (two TN3270 emulator products) I was unable to get SSL MitM attacks working:

but this area warrants some further research. 
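For anyone auditing whether the TN3270 traffic on their network is actually wrapped in SSL/TLS, here is an added example (not part of MFSniffer or the original post) that classifies the first payload bytes of a flow and shows why EBCDIC screens look like rows of @ in an ASCII view. The function names, the 0.8 threshold and the sample bytes are constructed for illustration; it assumes EBCDIC code page 037 and that TLS starts as soon as the connection opens.

```python
# Added example, not MFSniffer code. All sample payloads are constructed.
IAC = 0xFF                                    # telnet "Interpret As Command"
NEGOTIATION = {0xFA, 0xFB, 0xFC, 0xFD, 0xFE}  # SB, WILL, WONT, DO, DONT
EBCDIC_CODEC = "cp037"                        # assumption: host uses code page 037

def looks_like_tls(payload: bytes) -> bool:
    """A TLS session opens with a handshake record: type 0x16, major version 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def looks_like_telnet(payload: bytes) -> bool:
    """Cleartext TN3270(E) opens with telnet negotiation: IAC, verb, option."""
    return len(payload) >= 3 and payload[0] == IAC and payload[1] in NEGOTIATION

def ebcdic_text_ratio(payload: bytes) -> float:
    """Fraction of bytes that decode from EBCDIC to printable ASCII characters."""
    if not payload:
        return 0.0
    text = payload.decode(EBCDIC_CODEC)
    return sum(c.isascii() and c.isprintable() for c in text) / len(text)

def ascii_view(payload: bytes) -> str:
    """What an ASCII-only viewer shows: EBCDIC space (0x40) renders as '@'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in payload)

def classify(payload: bytes, threshold: float = 0.8) -> str:
    """Label a flow's first payload; the threshold is a heuristic, not a standard."""
    if looks_like_tls(payload):
        return "tls"
    if looks_like_telnet(payload):
        return "cleartext-telnet-negotiation"
    if ebcdic_text_ratio(payload) >= threshold:
        return "cleartext-ebcdic"
    return "unknown"

SAMPLES = {  # constructed byte strings, not captured traffic
    "tls handshake header": bytes([0x16, 0x03, 0x01, 0x00, 0x2F]),
    "IAC DO TN3270E": bytes([0xFF, 0xFD, 0x28]),
    "ebcdic screen text": "ENTER USERID -   ".encode(EBCDIC_CODEC),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:22} {classify(data):30} {ascii_view(data)}")
```

Any flow to the mainframe's 3270 port that comes back as anything other than `tls` is a candidate for moving behind SSL.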
