NetSPI discusses using a testing LPAR to quickly prototype tools for mainframe pentesting and demonstrates a method to access in-memory z/OS data when standard commands are unavailable. A REXX script visualizes the Command Tables Location Table (CTLT) to reveal data and potential privilege escalation paths. #zOS #CTLT #REXX #NetSPI #Mainframe
Keypoints
- Access to a testing LPAR enables rapid tool creation during penetration tests.
- In-memory tables (e.g., IKJEFTE2, IKJEFTE8) store vital information for pentesting on z/OS.
- Control blocks can be traversed to retrieve data when permissions are limited.
- A REXX script is provided to visualize and enumerate the contents of the CTLT.
- The script helps uncover privilege escalation paths that may be overlooked.
- Continuous innovation in tools and techniques enhances penetration testing capabilities.
- NetSPI offers mainframe penetration testing services to bolster security.
MITRE Techniques
- [T1003] Credential Dumping: use REXX scripts to access in-memory tables to retrieve sensitive information.
- [T1068] Privilege Escalation: uncover privilege escalation paths through analysis of control blocks and command tables.
Indicators of Compromise
- [Program/Executable]: in-memory command table entries referenced by the CTLT (IKJEFTE2, IKJEFTE8, IKJEFTAP, IKJEFTNS), which hold the entries for authorized commands/programs.
- [Memory Structure]: Command Tables Location Table (CTLT), its contents and addresses.
- [Memory Block]: control blocks (CVT, TSVT, TPVT) used as the base control blocks in memory for the traversal.
Read more: https://www.netspi.com/blog/technical-blog/mainframe-penetration-testing/mapping-mainframe-memory/