Mainframe Penetration Testing

Finding mainframe security experts is a challenge. As a result, mainframes are often passed over during security reviews, which increases the security risk to your business-critical infrastructure. NetSPI’s mainframe penetration testing is led by the world’s leading experts who bring valuable insight into your LPAR security, provide actionable guidance on how to improve your mainframe security, and help you meet compliance requirements.

z/OS Mainframe Testing

Logical Partition (LPAR)

NetSPI’s mainframe penetration testing provides valuable insight into your LPAR security, with actionable guidance on how to improve your mainframe security and help meet compliance requirements. Our process simulates advanced adversarial attacks and emulates threats that exist today against your mainframe environment.


Network Blackbox (Unauthenticated)

  • Blackbox network testing conducts comprehensive discovery and assessment of your LPAR’s network exposure. We perform VTAM/SNA discovery, logical unit enumeration, and application ID identification.
  • This is followed by TN3270 and web application testing, password auditing, and Network Job Entry (NJE) analysis to identify vulnerabilities across your mainframe’s network attack surface.

Operating System (z/OS, IBMi)

  • z/OS testing combines automated vulnerability discovery with specialized security assessments of RACF/TopSecret/ACF2 configurations, offline password auditing, APF authorization, and SVC privilege escalation along with dataset, TSO, JES2, and UNIX System Services testing.
  • IBMi testing focuses on object-level security, user profiles, special authorities, adopted-authority privilege escalation, subsystem security, and IFS assessments to identify unauthorized access paths.

CICS Mainframe Testing

CICS Application & Region Layers

NetSPI dives deep into both your CICS region and application layers to identify potential vulnerabilities. This comprehensive CICS testing approach goes well beyond individual risk assessments to bridge visibility gaps often overlooked when different teams manage each layer.


CICS Application Common Vulnerabilities

Comprehensive transaction review and testing to evaluate security controls and identify potential exploitation paths.

  • AID Testing (Attention Identifier)
  • BMS Testing (Basic Mapping Support)
  • CICS Web Application Testing
  • CICS API Testing
  • CICS Transaction Review / Testing

CICS Region Configuration Weaknesses

CICS region testing checks for misconfigurations and security weaknesses within your environment.

  • Enumerate and brute force transaction IDs
  • Test unauthorized access to critical transactions
  • Conduct password auditing to identify privilege escalation opportunities
  • Find unauthorized access paths within your CICS regions

NetSPI’s Mainframe Security Team

NetSPI is positioned as the industry leader in mainframe pentesting because of our team’s unmatched experience and expertise. The team is led by Philip Young, who has over 15 years of experience providing mainframe testing and advisory services to Fortune 500 companies such as Visa and Wells Fargo. A few highlights of the team include, but are not limited to:

Certifications / Experience:

  • Security+, CISSP, OSCP
  • z/OS, z/TPF, RACF, TSO, VTAM, CICS, TopSecret, Web app, Cloud.

Presentations at Global Conferences:

  • Black Hat, SEC-T, GSE, RSA, Hacktivity, DEF CON, and SHARE, where the team won the inaugural Broadcom CTF event.

Developed open source mainframe tools:

  • CATMAP, APFCHECK, OMVSEnum, NJELib, XMILib, and TN3270lib for Nmap; brute-force tools for TSO and CICS.

Philip Young

Director Mainframe Penetration Testing

David Bryan

Principal overseeing z/OS and IBMi Penetration Testing

Michelle Eggers

CICS Application Security Expert

NetSPI’s Mainframe Team: Michelle, David, and Philip at SHARE

Mainframe Testing Phases

Setup: customized to your mainframe environment

  • Connect – Upload Tooling:

    Most often the client provides us with a VDI (virtual desktop) that has access to their internal network and a TN3270 emulator. Every mainframe is different, so we get creative about how we upload our tools: FTP, IND$FILE, or SCP. Mainframes are batch driven, so we conduct testing using JCL (Job Control Language), which lets us automatically compile, assemble, and execute our enumeration tools as jobs.

Enumeration: this is when the real testing begins

  • Identify Potential Vulnerabilities:

    We have multiple tools that allow us to identify access to sensitive datasets, UNIX files, and ESM profiles. This can generate hundreds of megabytes of data we need to sift through. Thankfully the operating system can tell us the location of configuration files, APF-authorized datasets, and so on. We also identify insecure TSO configurations and gaps in UNIX command access.

Privilege Escalation: take potential vulnerabilities to the next level

  • APF Authorization:

    This step takes the potential vulnerabilities identified during enumeration to the next level. For each layer (Network, System, Application), privilege escalation testing has the same target: getting APF authorized. Once APF authorized we can create new users, grant privileged access, halt the system, and more.

Vulnerability Verification and Exploitation: validate through exfiltration of test data

  • Determine egress filtering:

    We then determine whether the client has implemented any egress filtering for the mainframe. Rather than testing egress to the internal network, we use a Java program that runs on the mainframe together with a Python script in AWS to determine whether we can connect out on any of the 65,535 TCP ports. Once a port connects, we exfiltrate test data over it to verify the vulnerability.
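    The check described above, reduced to its two halves in Python as an added example (this is not NetSPI’s Java program or AWS script): a probe that plays the program on the mainframe and tries every port in a list, and a catch-all listener that plays the AWS side and records what arrived. One caveat a bare connect sweep misses: a transparent proxy or a firewall that completes the TCP handshake before deciding also makes connect() succeed, so the probe here sends a marker line and counts a port only when the listener acknowledges it. The marker text, the `OK` acknowledgement, and running both ends on 127.0.0.1 are assumptions made so the example is self-contained.

```python
"""Egress-filtering probe (added example, not NetSPI's tooling).

Probe side: connect out to each port and send a marker.
Listener side: accept on one port, record the marker, acknowledge.
Both ends run on 127.0.0.1 here (assumption) so the example runs offline.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

MARKER = b"EGRESS-TEST"   # assumed marker; the listener only acknowledges this


def start_listener(host="127.0.0.1", port=0):
    """Start a catch-all listener; returns (server socket, bound port, hits).
    hits accumulates the marker line from every acknowledged connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(128)
    hits = []

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # server socket closed: stop serving
                return
            with conn:
                line = conn.recv(64).strip()
                if line.startswith(MARKER):
                    hits.append(line.decode())
                    conn.sendall(b"OK")   # application-level proof of egress

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], hits


def probe_port(host, port, timeout=1.0):
    """One outbound attempt; True only if the listener acknowledged the marker."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(MARKER + b" %d\n" % port)
            return s.recv(2) == b"OK"
    except OSError:                   # refused, filtered, or timed out
        return False


def probe_ports(host, ports, timeout=1.0, workers=64):
    """Sweep the ports concurrently; return the sorted list that allowed egress."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(lambda p: (p, probe_port(host, p, timeout)), ports))
    return sorted(p for p, ok in results if ok)


def closed_port(host="127.0.0.1"):
    """Return a port that is currently closed: bind an ephemeral one and release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    p = s.getsockname()[1]
    s.close()
    return p


if __name__ == "__main__":
    srv, open_port, hits = start_listener()
    sweep = [closed_port(), open_port]            # in practice: range(1, 65536)
    print("egress allowed on:", probe_ports("127.0.0.1", sweep))
    print("listener saw:", hits)
    srv.close()
```

    In an engagement the sweep list would be `range(1, 65536)` and the listener would run outside the network boundary; the worker count and timeout are what keep a full-range sweep from taking hours.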

Clean-up and Reporting: full documentation and artifact removal

  • Context driven prioritization:

    Finally, in the clean-up and reporting phase, we remove our artifacts from the client’s system and make sure everything has been fully documented. We document findings as we test, but this phase ensures that the report’s findings carry the appropriate level of detail, context, and prioritization.

What does NetSPI test for?

APF Authorization

The most dangerous finding for our clients. APF (Authorized Program Facility) authorization essentially allows a program to become the system, the mainframe equivalent of operating in ring zero: an APF-authorized program can switch itself into supervisor state and storage key 0, and from there bypass the security manager’s controls.

Misconfigured Services

Simple misconfigurations can lead to an entire system compromise. We review all the running services and their configurations and check them against the most common misconfiguration gaps we encounter.

ESM Vulnerabilities

Weak ESM (External Security Manager: RACF, TopSecret, ACF2) configurations are a major red flag. One example we see is password hashes still stored with single DES rather than a stronger algorithm, which makes offline password auditing far more effective for an attacker.

Inappropriate Access

Update access to any APF-authorized library is a critical vulnerability, but update access to configuration files or directories in UNIX System Services can also allow privilege escalation.

Weak Network Protocols 

Insecure protocols such as plain FTP, Basic Auth over HTTP, Telnet, and unencrypted TN3270 are still common. Every service on the mainframe supports TLS encryption, but many shops never turn it on, which makes stealing credentials off the network trivial.

TN3270 Field Testing

TN3270 Field Testing checks the hidden (non-display) and locked (protected) fields that CICS and IMS applications send in their 3270 screens. Both attributes are enforced by the terminal emulator, not by the host, so a scripted client can read hidden fields and submit data in protected ones. We define an application as vulnerable if hidden fields contain sensitive information (Social Security numbers, for example), or if a modification to a locked field is accepted by the host and carries through to other screens.
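The two checks above in working code, as an added example written for this page (it is not NetSPI’s tooling): a small 3270 data-stream parser that replays an outbound Erase/Write into a screen buffer, reports each field’s protected/numeric/non-display attribute bits, flags hidden fields that hold SSN-shaped data, and then builds the inbound Read Modified reply a scripted client could send to overwrite a protected field. The account-inquiry screen is constructed for the example; the parser handles only the SF, SBA, RA and IC orders, uses 14-bit buffer addressing when it encodes, and decodes text with code page cp037. Those choices are assumptions, not a description of any real application.

```python
"""3270 field inspection for TN3270 field testing (added example, not NetSPI's code).

Orders handled: SF (Start Field), SBA (Set Buffer Address), RA (Repeat to
Address), IC (Insert Cursor). Everything else in the stream is treated as data.
"""
import re

EBCDIC = "cp037"          # assumed code page for the sample text
ROWS, COLS = 24, 80       # model 2 screen
SF, SBA, IC, RA = 0x1D, 0x11, 0x13, 0x3C
AID_ENTER = 0x7D
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def decode_addr(b1, b2):
    """Two-byte buffer address: top bits 00 -> 14-bit binary address,
    otherwise the 12-bit coded form carrying six address bits per byte."""
    if b1 & 0xC0 == 0:
        return ((b1 & 0x3F) << 8) | b2
    return ((b1 & 0x3F) << 6) | (b2 & 0x3F)


def encode_addr14(addr):
    return bytes([(addr >> 8) & 0x3F, addr & 0xFF])


def parse_attr(attr):
    """Field attribute byte: bit 2 protected, bit 3 numeric, bits 4-5 display
    (11 = non-display/hidden, 10 = intensified), bit 7 modified data tag."""
    display = (attr >> 2) & 0x3
    return {"protected": bool(attr & 0x20), "numeric": bool(attr & 0x10),
            "hidden": display == 3, "intensified": display == 2,
            "mdt": bool(attr & 0x01)}


def parse_screen(stream, rows=ROWS, cols=COLS):
    """Replay an outbound Erase/Write stream into a screen buffer and return its
    fields in address order, each with row/col, attribute flags and decoded text."""
    size = rows * cols
    buf = bytearray(b"\x40" * size)   # EBCDIC blanks
    attrs = {}                        # attribute position -> attribute byte
    pos, i = 0, 2                     # skip command byte and WCC
    while i < len(stream):
        b = stream[i]
        if b == SF:
            attrs[pos] = stream[i + 1]
            pos, i = (pos + 1) % size, i + 2
        elif b == SBA:
            pos, i = decode_addr(stream[i + 1], stream[i + 2]), i + 3
        elif b == RA:                 # repeat char up to, not including, stop address
            stop, ch = decode_addr(stream[i + 1], stream[i + 2]), stream[i + 3]
            while True:
                buf[pos] = ch
                pos = (pos + 1) % size
                if pos == stop:
                    break
            i += 4
        elif b == IC:
            i += 1
        else:
            buf[pos] = b
            pos, i = (pos + 1) % size, i + 1
    starts = sorted(attrs)
    fields = []
    for n, a in enumerate(starts):    # a field runs to the next attribute, wrapping
        end = starts[(n + 1) % len(starts)]
        span = buf[a + 1:end] if end > a else buf[a + 1:] + buf[:end]
        fields.append({"addr": a, "start": (a + 1) % size, "row": a // cols, "col": a % cols,
                       "text": bytes(span).decode(EBCDIC).rstrip(), **parse_attr(attrs[a])})
    return fields


def hidden_ssn_findings(fields):
    """(row, col, text) for non-display fields that carry SSN-shaped data:
    the emulator never paints them, but anyone on the wire reads them."""
    return [(f["row"], f["col"], f["text"]) for f in fields
            if f["hidden"] and SSN_RE.search(f["text"])]


def build_read_modified(cursor, writes):
    """Inbound Read Modified reply on Enter: AID, cursor address, then SBA + data
    per field. A normal emulator cannot type into a protected field; a scripted
    client can include any field, so the host must validate the value itself."""
    out = bytearray([AID_ENTER]) + encode_addr14(cursor)
    for field, text in writes:
        out += bytes([SBA]) + encode_addr14(field["start"]) + text.encode(EBCDIC)
    return bytes(out)


def _e(s):
    return s.encode(EBCDIC)


def _sba(row, col):
    return bytes([SBA]) + encode_addr14(row * COLS + col)


def _sf(attr):
    return bytes([SF, attr])


# Constructed account-inquiry screen; no real system's layout or data.
SAMPLE_SCREEN = (
    bytes([0xF5, 0xC3])                                                  # Erase/Write + WCC
    + _sba(0, 0) + _sf(0x28) + _e("ACCOUNT INQUIRY")                     # protected, intensified
    + _sba(2, 0) + _sf(0x20) + _e("Acct No:") + _sf(0x20) + _e("000123456")
    + _sba(3, 0) + _sf(0x20) + _e("SSN:") + _sf(0x2C) + _e("123-45-6789")  # protected + hidden
    + _sba(4, 0) + _sf(0x20) + _e("Limit:") + _sf(0x30) + _e("0001000")    # protected + numeric
    + _sba(6, 0) + _sf(0x20) + _e("Amount:") + _sf(0x00) + bytes([IC])    # the only input field
    + _sba(6, 20) + _sf(0x20)                                            # closes the input field
)

if __name__ == "__main__":
    fields = parse_screen(SAMPLE_SCREEN)
    for f in fields:
        flags = ",".join(k for k in ("protected", "numeric", "hidden", "intensified") if f[k])
        print(f"r{f['row']:02}c{f['col']:02} [{flags:30}] {f['text']!r}")
    print("hidden SSNs:", hidden_ssn_findings(fields))
    limit = next(f for f in fields if f["numeric"])       # the locked credit-limit field
    print("rogue reply:", build_read_modified(489, [(limit, "9999999")]).hex())
```

The finding in the first case is the hidden SSN on row 3; in the second, the test is whether the host accepts the `9999999` sent for the protected Limit field and shows it on the next screen.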
