How Hackers Can Now Breach Mainframes for Free: Unleashing the Gibson Simulator + Video

Listen to this Post

Featured Image

Introduction

Mainframe systems power 71% of Fortune 500 enterprises, yet offensive security training remains dangerously scarce. The newly integrated Gibson Mainframe Simulator—a free, open-source Python environment—democratizes mainframe penetration testing by emulating TSO, CICS, and Db2 without requiring costly z/OS hardware.

Learning Objectives

  • Deploy and configure the Gibson Mainframe Simulator on Linux/Windows for realistic TSO/CICS attack simulations
  • Execute common mainframe enumeration and privilege escalation techniques using native commands
  • Apply free HVCK Academy missions to bridge the mainframe pentesting skills gap

You Should Know

  1. Setting Up the Gibson Mainframe Simulator on Your Lab

The Gibson simulator, named after the 1995 cult classic Hackers, is a Python-based tool that mimics IBM mainframe environments. It allows you to practice JCL injection, RACF bypasses, and CICS transaction abuse without a real mainframe.

Step‑by‑step installation (Linux/macOS/Windows WSL):

 Clone the repository
git clone https://github.com/kevmilne/gibson-simulator.git
cd gibson-simulator

Create a virtual environment (recommended)
python3 -m venv gibson-env
source gibson-env/bin/activate  Linux/macOS
 .\gibson-env\Scripts\activate (Windows cmd)

Install dependencies
pip install -r requirements.txt

Launch the simulator
python gibson.py --port 2023 --host 127.0.0.1

Windows native (without WSL): Install Python 3.9+, then follow same steps in PowerShell. The simulator runs as a local TCP service. Once active, you can connect via telnet or netcat:

telnet localhost 2023

You’ll see a TSO‑like prompt: READY. This is your playground for mainframe offensive exercises.

What this does: The simulator emulates a subset of z/OS commands, JCL interpreters, and CICS transaction gateways. It logs all attempted injections, making it ideal for training.

2. Enumerating TSO Users and Resources

In a real mainframe pentest, your first step is reconnaissance. The Gibson simulator provides synthetic datasets for practice. Use these commands inside the TSO session:

LISTUSER   List all user profiles
LISTUSER ADMIN  Detailed info on a specific user
LISTDS 'USER.'  List datasets owned by a user
STATUS TSOUSER  Check TSO/E logon status

If the simulator supports RACF‑like policies, you can also attempt:

RLIST USER   Display RACF user profiles
SEARCH 'SYS1.'  Find system datasets

Step‑by‑step enumeration guide:

1. Connect to the simulator (`telnet localhost 2023`).

  1. Log in using default credentials (check `docs/default_creds.md` in the repo; often USER01/PASS01).

3. Run `LISTUSER ` to map existing accounts.

  1. Identify high‑privileged users like SYSADMIN, OPERATOR, or RACFADM.
  2. Use `LISTDS ‘userid.’` to find potentially sensitive datasets (e.g., SYS1.PARMLIB).

This mimics the first phase of a mainframe attack – understanding the environment before exploitation.

3. JCL Injection and Privilege Escalation

Job Control Language (JCL) is the scripting backbone of mainframes. Injecting malicious JCL can lead to arbitrary command execution or dataset manipulation. The Gibson simulator supports basic JCL execution for training.

Example malicious JCL to list system catalogs:

//INJECT JOB (ACCT),'HACKER',CLASS=A,MSGCLASS=X
//STEP1 EXEC PGM=IEFBR14
//SYSOUT DD SYSOUT=
//SYSIN DD 
LISTCAT ENTRIES('SYS1.')
/
//

Step‑by‑step JCL injection attack:

1. Access the TSO `READY` prompt.

  1. Submit a JCL stream using the `SUBMIT` command or through a vulnerable CICS transaction (if exposed).

3. Example: `SUBMIT ‘USER01.INJECT.JCL’`

  1. Monitor output via `STARTOUT` or check spool files using OUTPUT.

Linux/Windows alternative for scripted testing: Use `expect` or Python sockets to automate JCL submission:

import socket
s = socket.socket()
s.connect(('localhost', 2023))
s.send(b"SUBMIT 'USER01.INJECT.JCL'\n")
print(s.recv(1024))

Mitigation: Real mainframes should restrict JCL submission to authorized users, implement RACF dataset protections, and monitor for anomalous `SUBMIT` commands.

4. Exploiting CICS Transactions (CSCK, CEMT, CEBR)

Customer Information Control System (CICS) often runs critical business logic. Default or misconfigured transactions can be abused. The Gibson simulator emulates common CICS transaction codes:

– `CEMT` – System management (e.g., `CEMT I PROG()` to list programs)
– `CSCK` – Security checking
– `CEBR` – Temporary storage browse

Step‑by‑step CICS enumeration and abuse:

  1. From TSO, start a CICS terminal: `CESN` (sign on) with default credentials.
  2. Run `CEMT I PROG()` to list all available programs.
  3. Look for development or debugging programs like DFH$MEND, EYUPROG.
  4. Attempt to invoke vulnerable transactions: `CESF` (file control), `CECI` (command interpreter).
  5. If `CECI` is enabled, execute commands like `CECI INQUIRE SYSTEM` to leak system info.

Real‑world equivalent: In many legacy systems, unauthenticated CICS transactions allowed attackers to bypass RACF entirely. Use Gibson to practice identifying and exploiting such misconfigurations.

5. Attacking Db2 from the Mainframe Simulator

Db2 for z/OS is a common backend. The Gibson simulator includes a lightweight Db2 emulation for SQL injection training. Connect to the Db2 subsystem using TSO:

DSN SYSTEM(DB2G)
RUN PROGRAM(DSNTEP2) PLAN(DSNTEP12)

Sample SQL injection in a vulnerable CICS program:

SELECT  FROM SYSIBM.SYSTABLES WHERE CREATOR = 'ADMIN' AND NAME = '‘ OR ’1’=’1’

Step‑by‑step Db2 attack:

  1. Access the Db2 interface via TSO or a CICS transaction that passes user input to dynamic SQL.
  2. Inject `’ OR ’1’=’1` in a search field to bypass authentication.

3. Extract schema: `SELECT NAME, CREATOR FROM SYSIBM.SYSTABLES`.

4. Dump sensitive tables like `USERS` or `CREDIT_CARDS`.

Command to list all Db2 tables in Gibson:

LIST TABLES FOR SCHEMA SYSIBM

Mitigation: Use static SQL with parameter markers, enforce RACF Db2 plans and packages, and monitor Db2 audit traces.

6. Hardening the Gibson Simulator (Blue Team Perspective)

Even though Gibson is a training tool, understanding how to secure it translates to real mainframes. Here are key hardening steps you can apply in the simulator’s configuration:

Linux/Windows hardening commands (applied to the host running Gibson):

 Restrict access to the simulator port (e.g., 2023)
sudo ufw allow from 192.168.1.0/24 to any port 2023  Allow only lab subnet
sudo ufw deny 2023

Run Gibson as a non‑root user
sudo useradd -r -s /bin/false gibson
sudo -u gibson python gibson.py

Enable logging and monitoring
python gibson.py --log-level DEBUG --log-file /var/log/gibson.log

Configuration changes inside `gibson.ini`:

[bash]
ENABLE_RACF = true
DEFAULT_PW_EXPIRY = 30
MAX_LOGIN_ATTEMPTS = 3
AUDIT_ALL_COMMANDS = true

Step‑by‑step blue team exercise:

  1. Modify the simulator config to enforce strong password policies.
  2. Enable audit logging of all TSO and JCL commands.
  3. Simulate a brute‑force attack using Hydra against the TSO port.

4. Review logs to detect the intrusion.

5. Implement rate limiting using iptables or `fail2ban`.

This exercise bridges the gap between offensive and defensive mainframe security.

7. Integrating HVCK Academy Missions (Free Tier)

The post mentions that HVCK Academy has integrated Gibson with five new missions available for free. Visit hvck.academy (no paywall). The missions are structured as CTF‑style challenges:

  • Mission 1: Find and read the hidden dataset `SECRET.DATA` using TSO commands.
  • Mission 2: Submit a JCL job that prints the system’s IPL date.
  • Mission 3: Exploit a CICS transaction to list all active users.
  • Mission 4: Perform a basic SQL injection on the Db2 emulator to extract the flag.
  • Mission 5: Escalate from a low‑privileged TSO user to operator level.

How to use the missions:

1. Register a free account on HVCK Academy.

  1. Download the pre‑configured Gibson Simulator (or use your own).
  2. Each mission provides a target IP/port and a scenario description.
  3. Submit your answers (e.g., dataset contents, JCL output) via the academy portal.

The missions are self‑contained and run entirely in your local Gibson instance – no cloud or real mainframe required.

What Undercode Say

  • Key Takeaway 1: Mainframe pentesting is no longer a black‑art reserved for legacy experts; open‑source simulators like Gibson and free academy missions eliminate cost barriers, enabling a new generation of security researchers.
  • Key Takeaway 2: The skills gap is not due to lack of interest but lack of accessible training environments. By integrating TSO, CICS, and Db2 emulation, Gibson offers hands‑on exposure to attack vectors rarely covered in standard pentesting courses (e.g., JCL injection, CEMT abuse, RACF enumeration).

Analysis: While Gibson is a simulator, it accurately reflects the command syntax and logical vulnerabilities of real mainframes. Practitioners who master these exercises will be better prepared to assess actual z/OS environments. Moreover, the inclusion of logging and configurable security controls allows for both red and blue team drills. The mainframe security community has long suffered from a “no test system” excuse – Gibson shatters that. With 71% of Fortune 500 reliant on mainframes, the demand for these skills will only grow. Expect to see Gibson integrated into mainstream certifications (OSCP, GPEN) within two years.

Prediction

As mainframe simulators mature and more free training emerges, the cost of entry for mainframe security research will approach zero. This will trigger a surge in published vulnerabilities, tooling (e.g., automated JCL fuzzers, CICS scanners), and eventually, real‑world breaches from new researchers applying their skills. Enterprises will be forced to modernize mainframe security monitoring, treat mainframes as high‑value targets in purple team exercises, and adopt DevSecOps for legacy COBOL applications. The Gibson Simulator is the spark; the fire is coming.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Ryan Williams – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky