Bouncing NMAP Scans through the mainframe

For a long time the world has known about the FTP bounce attack. Just look at this email from the Hobbit from ‘95. It’s been in NMAP for a very long time and a CVE has existed since ‘97 (the year Du Hast came out). So it should come as no surprise that most modern ftp servers won’t let you perform a bounce attack by default. Take for example this Debian FTP server:

I didn’t do anything to the server other than apt-get install. Generally, regardless of the server architecture, this risk is well understood and the feature is disabled by default. So imagine my surprise when I was looking up instructions for setting up security for FTP servers on z/OS and saw a section called “Preventing Exploitation of your FTP server”. This section essentially outlines how to stop people from using the nmap bounce attack. The section exists because PORT commands are enabled by default and you have to go through and disable them. Usually that’s not a big deal; it would get caught in an audit or changed by the mainframe security experts. The problem is that most mainframes are set up to run and you don’t change what ain’t broke. I wouldn’t be surprised if auditors are reading this right now and realizing a) that FTP is still being used on the mainframe (in clear text) and b) that this was even something they should’ve looked at when they did their audit (hint: they likely didn’t).

The problems here are twofold. First, mainframes are often (or were) set up inside the corporate network to give operators, system programmers (aka administrators) and users access to the mainframe, and they are frequently on multiple networks (which you can see with “NETSTAT HOME” in TSO or “netstat -h” in OMVS) because they need to talk to other mainframes, servers or databases (or the other way around). Second, changing settings on a mainframe, while easy from a configuration standpoint, is sometimes impossible because of internal political reasons.

To take advantage of this all you need is a version of NMAP circa 1998 and a userid on the mainframe (see my multiple entries on getting a user id). Once you have that, assuming that FTP is enabled, you just pass it the -b option (for bounce) and target the internal network segments or IP addresses you wish to scan:

If you want to make sure this isn’t enabled on your mainframe you need to look in the TCPIP settings, specifically the FTP proclib (ask the operators/system programmers what proclib is invoked to start/stop the FTP service). The proclib will identify the settings used when the FTP server is started. What you want to ensure is that the following are set:

  • PORTCOMMAND REJECT
  • PORTCOMMANDPORT NOLOWPORTS
  • PORTCOMMANDIPADDR NOREDIRECT

If you checked and still see that these settings aren’t in place, the next step is to confirm that the business has a valid reason for leaving PORT commands enabled, and that the reason is documented and approved. If this server is externally facing and in a PCI environment you’ll need to get documented justification for the QSAs, as it’s part of the PCI-DSS requirements.
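To make that check repeatable, here is a small audit script I’m adding as an example (it is not from the original post and not an IBM tool). It assumes the FTP server settings live in a plain “KEYWORD VALUE” text file such as the FTP.DATA member the proclib points at, that “;” starts a comment, and that a keyword left unset falls back to the permissive default the post describes. The permissive value names ACCEPT and UNRESTRICTED, and both sample configs, are constructed for illustration.

```python
"""Audit a z/OS-style FTP.DATA text for the three PORT-command hardening settings.

Added example; assumes 'KEYWORD VALUE' lines with ';' comments and that an
absent keyword means the permissive default is in effect.
"""

# The three settings the post says must be present, keyed by keyword.
REQUIRED = {
    "PORTCOMMAND": "REJECT",
    "PORTCOMMANDPORT": "NOLOWPORTS",
    "PORTCOMMANDIPADDR": "NOREDIRECT",
}


def parse_ftp_data(text):
    """Return {KEYWORD: VALUE} from 'KEYWORD VALUE' lines.

    Everything after ';' is treated as a comment (assumed syntax). Keywords and
    values are upper-cased; a later occurrence of a keyword overrides an earlier one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            settings[parts[0].upper()] = parts[1].upper()
    return settings


def audit_port_commands(text):
    """Return a list of findings; an empty list means all three settings are hardened."""
    settings = parse_ftp_data(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            # Not specified at all: the server default allows bounce (per the post).
            findings.append(f"{key} not set; default permits bounce (want {key} {wanted})")
        elif actual != wanted:
            findings.append(f"{key} {actual} (want {key} {wanted})")
    return findings


# Constructed sample configs, not taken from any real system.
PERMISSIVE_FTP_DATA = """\
; constructed FTP.DATA fragment: one setting missing, two left permissive
PORTCOMMAND ACCEPT            ; assumed permissive value name
PORTCOMMANDPORT UNRESTRICTED  ; assumed permissive value name
"""

HARDENED_FTP_DATA = """\
; constructed FTP.DATA fragment with the settings the post asks for
PORTCOMMAND REJECT
PORTCOMMANDPORT NOLOWPORTS
PORTCOMMANDIPADDR NOREDIRECT
"""


if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE_FTP_DATA), ("hardened", HARDENED_FTP_DATA)):
        findings = audit_port_commands(cfg)
        print(f"{name}: {'OK' if not findings else 'FINDINGS'}")
        for f in findings:
            print("  -", f)
```

In practice you would paste the contents of the FTP.DATA member (or whatever the proclib’s DD statement references) into the script in place of the sample strings. The “not set” finding is deliberate: an auditor who only greps for REJECT will miss a system where the keyword was never added and the default silently applies.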

mainframed767 posted this