Evil Mainframe: Beginner z/OS Penetration Testing (Includes Admission to 20...

Event Information

Date and Time



Charlotte Convention Center

501 S College St

Charlotte, NC 28202

Event description


Charlotte ISSA Members can take this course for only $200! (Plus EB Fees). If you haven't already, you can register for membership here: https://www.charlotteissa.org/join/ . To get the discount, please enter your MEMBERSHIP EMAIL as your DISCOUNT CODE.

Evil Mainframe: Beginner z/OS Penetration Testing (Includes Admission to 2017 Summit)


Philip Young - Soldier of FORTRAN - @mainframed767

Chad Rikansrud - Big Endian Smalls - @bigendiansmalls

Class Description:

Mainframes, and specifically z/OS, represent a massive blind spot when it comes to penetration testing. People lack the capabilities and language to properly test the security of these corporate mainstays. As it stands today, these systems sit largely untouched by IT security professionals until a breach occurs, such as the breach of a bank and government mainframe in Europe leading to the potential loss of a million USD. If your company has a mainframe, chances are it’s never been given its proper day in the sun. We’ve heard all the excuses, ranging from “system outage” to “we don’t know how”. This training aims to tackle the excuses by demonstrating that mainframes are just computers like everything else, providing attendees with the language and knowledge to start testing their own mainframes and arming them with the appropriate responses and tools to tackle every excuse in the book.

This training and its supplemental materials provide a solid baseline in the operating system (z/OS), followed by creating tools and using scripting languages such as Python to help with a mock penetration test.

This course provides customized training on the newest attack vectors created by the trainers, techniques for gaining system access and how to perform an end-to-end penetration test. After a quick overview of how z/OS works and how to translate from Linux to z/OS, the instructors will lead students through the various attack vectors against a target mainframe. Students will be introduced to the platform by exploring the operating system with TN3270 and learning the weaknesses within the protocol that allow us to automate much of our testing. Students will also be introduced to the only open source tools and libraries available for all the steps of a penetration test, including Nmap and Metasploit. A goal of this course is to teach students how the various layers of the stack work (Operating System, VTAM, RACF, Network) so they can develop their own techniques and skill sets to conduct appropriate mainframe penetration testing.

The majority of the course will be spent performing instructor-led, hands-on mainframe testing with the tools available. Goals for each segment will be laid out, with appropriate time afforded to students to gain a deep understanding of how a test could and should be performed. Exercises will be based on real-world attack scenarios.

While this class is outlined as a beginner class to mainframe hacking, the attendee should have knowledge of IT security, penetration testing and very basic Python.

Class Outline:

  • Day 1 – Mainframe Basics
    • Mainframe History
    • Operating System introduction
    • z/OS Basics
      • Logging on
      • User interaction
      • ISPF
      • TSO
      • REXX
      • CLIST
      • UNIX
      • Dataset Concatenation
      • JCL
      • Hands On: Creating JCL and submitting it
    • System Startup
      • Walk through IPL Parms
      • TCP/IP Startup/Config
    • Security
      • RACF
      • Profiles
      • Facilities
      • SETROPTS
      • Dataset Profiles
      • ACEE
      • APF Authorized
    • Storage
      • Mainframe memory primer
      • Virtual Storage intro
    • Networking
      • SSL Configuration
      • TN3270 setup
      • SNA
      • Hands On: SSH to the mainframe
      • Hands On: FTP to the mainframe
    • Patching/Patch Management
      • SMP/E Walkthrough
    • CICS
      • Walkthrough CICS transactions
      • Hands On: Access a CICS transaction
    • TN3270
      • Protocol Examination
      • Hands On: x3270 -trace walkthrough
      • Nmap/Python library
      • Hands On: Nmap tn3270 library
      • BIRP
  • Day 2 – Mainframe Penetration Testing
    • System Recon
      • Mailing List system information
        • Using public resources to gather info
      • Using Nmap to:
        • Identify system
        • Enumerate available applications (VTAM)
        • Enumerate CICS transactions
        • Enumerate TSO Users
      • Nikto
      • Hands On: Nmap and VTAM/CICS enumeration
    • System Access
      • Python TN3270 Library
        • Interact with a mainframe with Python
        • Logon/Interact
        • Upload a file to z/OS
        • Download a file
        • Hands On: Create Python to interact with mainframe
      • FTP and the SITE Command
        • FTP 'exploit'
        • Hands On: Write simple JCL and execute through JCL
        • Hands On: Netcat and JCL
        • Automate with Metasploit
        • Hands On: Metasploit reverse shell
    • System Enumeration
      • REXX and STORAGE()
      • Gather Information
      • Hands On: REXX system info
    • Cracking
      • Using JtR to crack RACF
    • Buffer Overflow
      • High Level ASM primer
      • Writing Buffer Overflows
    • Privilege Escalation
      • APF Authorized
      • ModeSet
      • Use APF to create system special account

Class Requirements:

VMware player/Fusion – A virtual machine image will be provided prior to class.

If students wish to build their own:

Ubuntu/Redhat Linux with:

  • Nmap – current SVN version
  • Metasploit – Current nightly
  • X3270 Compiled from source
  • BIRP - with x3270 patches installed
  • SSH Client
  • Python 2.7+
  • Git client

Instructor Bios:

Philip Young: Philip Young is a leader in legacy system security. Having spoken at multiple conferences around the world, including DEFCON, BlackHat and keynoting at SHARE Europe, he has established himself as the thought leader in this space. Since 2013 Philip has released tools to aid in the testing of mainframe security and contributed to both the Nmap and Metasploit projects, allowing those with little mainframe capabilities the chance to test their mainframes. In addition to speaking, he has built mainframe security programs for multiple Fortune 100 organizations, starting from the ground up to creating a repeatable testing program using both vendor and public toolsets. His hope is that through raising awareness about mainframe security more organizations will take their risk profile seriously.

Chad Rikansrud: Chad is a 20+ year veteran within IT. He has held many IT positions including DBA, Developer, System Administrator and Network Engineer, with his primary background in Linux/UNIX and Networking. Chad currently works for a large financial institution in the System Z department as a manager of data / storage and is also helping develop a mainframe penetration testing methodology while building out a penetration testing team. In his spare time, Chad builds “Capture the Flag” contests for area information security conferences, gives talks about these subjects and helps mentor others just getting started in IT/Security. Chad has established himself as a leader in this space by giving talks on Mainframe security at DEFCON, Derbycon, SHARE

If you have any questions about the class content, please reach out to @mainframed767 or @bigendiansmalls.

If you have any questions about anything else, please reach out to board@charlotteissa.org or the Charlotte ISSA Education Director on twitter: @FrackMacker

Note from Organizer: As with all of our classes, we don't ever plan on it, but sometimes we need to cancel or reschedule classes; therefore, we reserve the right to cancel our classes for any reason. Please plan accordingly in terms of your reservations etc. (out of towners, listen up) - for example make hotel reservations that can be canceled without penalty, same for travel.

Fine print hint: If you're electing to pay $350, you're missing the point. We price the class higher than what it would (cost to join our chapter + tuition), and 100% of that discounted price goes directly to the instructor. Joining will allow you to get similar discounts on other classes or in some cases FREE admittance to some of our classes. Really, we're not trying to make money here, but we will accept it; it'll help pay for the coffee and breakfast <: If you're already a member of another ISSA chapter, it's only like $30 to add us on as an additional chapter. In case you didn't know, many employers will reimburse you for "Professional Memberships" - they usually have some special finance bucket for that and it's not a big deal at all. Check with your employer to be sure - maybe they'll reimburse you and you can enjoy our many benefits.

- Josha @FrackMacker
