Penetration Testing mailing list archives

Re: [PEN-TEST] Pen-Testing AS/400

From: Al Sparks <data345 () YAHOO COM>
Date: Tue, 12 Dec 2000 16:08:58 -0800

Here's my 2 cents regarding AS/400 security.  First, regarding
passwords; AS/400s do allow you to restrict what passwords you can
enter and even use your own password checking program if you so choose.
However, AS/400 passwords do have 2 inherent weaknesses, making brute
force attacks easier, the passwords are not case sensitive, and youre
limited to 10 characters.  That cuts down considerably on the amount of
total passwords a brute force attack needs to check.

Another problem I have with AS/400 security is the default internet
settings.  Unless you write your own program accessing OS/400 APIs
(OS/400 is the AS/400 operating system), the AS/400 doesnt log
internet connections (unless youre logging on interactively; and even
then you dont know from what IP address).  A unix sysadmin is used to
having a configuration where any internet connection is logged, as well
as the ability to restrict what IP number, or DNS domain can use that
service.

IBM provides APIs that can be used by a "roll your own" program to
send output to a log, or restrict what node or class of nodes can use
that internet service.

What this means for most people is they end up getting 3rd party
software (Pentasafe is one of the more expensive) that will do this for
them.  IBM should bundle their own interface with the system.  People
shouldnt have to buy this kind of fundamental security separately.

I second the recommendations regarding Madden and Woodburys
"Implementing AS/400 Security".  When I first got AS/400s at our shop,
I used that book to harden our machines.  When I was on vacation, the
IBM tech rep showed up at our site over a hardware failure, and while
there, the boss invited him to try to break into our machine.  He tried
using all those accounts mentioned in another post (QUSER, for example)
and couldnt.  He also said our machines were the only ones in town he
couldnt break into, which doesnt mean my machines are particularly
super secure, but that most AS/400s in town are very insecure.
    === Al



--- Mike Ahern <mc_ahern () YAHOO COM> wrote:

I have tested a good number of AS/400's, and although
I am a long ways from an AS/400 guru - here's what I
have found.

Although AS/400 security features are supposedly
pretty excellent, most people do not admin the boxes
well. Poor password choices, security configuration,
etc., are the rule of the day. Account lockout is
often in play tho (on failed login attempts).

I have found that often AS/400's do not have many
security features enabled, and that extremely poor
password conventions are often in effect. Recently
testing about 15 of these I found half were vulnerable
to simple password guessing (via FTP or emulated
session). Many often set a minimum password length way
too short (I have found as short as 2 character
passwords), and sometimes the operators setup password
conventions that defy reason (username=DAN,
password=DAN01), etc..

Some of the most common defaults (glommed from one of
the hacker tutorial docs and some of the default
password lists out there) are:

qsecofr qsecofr
qpgmr qpgmr
qserv qserv
qsrv qsrv
qserve qserve
qsrvbas qsrvbas
qsvr qsvr
qsvr ibmcel
qsysopr qsysopr
quser quser
secofr secofr
11111111 11111111
22222222 22222222
ibm password
ibm 2222
ibm service
ibm ibm
qsecofr 11111111
qsecofr 22222222

Additionally, there are AS/400 password cracking
software and other security audit tools available from
Pentasafe. IBM also has some good audit tools.

The AS/400 hardware or O/S is supposed to prevent
buffer overflows, I understand. I haven't discovered
any AS/400 exploit code, tho I hear rumor that a
couple of things are out there.

Object level security is often extremely poor (file
ownership and permissions).

FTP & Emulated (telnet) sessions are often sniffable.
Also, in many cases people being lazy as they are, if
you crack the local NT domain passwords, you will
often find that many of these are portable to the
AS/400 environment. You can always get the priviledged
access you want on the 400 by taking out the
appropriate users workstation and installing a
keystoke logger (i.e., sysadmin, payroll supervisor,
etc.).

IBM has a local method of resetting the QSECOFR
password (the most powerful user on the system), in
the event that normal access is lost. It is documented
I believe in some publications and I have come across
some info about this on the Net in the past (don't
remember where).


Hope this helps.


   -mch



__________________________________________________
Do You Yahoo!?
Yahoo! Shopping - Thousands of Stores. Millions of Products.
http://shopping.yahoo.com/



__________________________________________________
Do You Yahoo!?
Yahoo! Shopping - Thousands of Stores. Millions of Products.
http://shopping.yahoo.com/

Current thread:

Re: [PEN-TEST] Pen-Testing AS/400, (continued)
- Re: [PEN-TEST] Pen-Testing AS/400 Joe Traietta (Dec 13)
- Re: [PEN-TEST] Pen-Testing AS/400 Walsh, John (Dec 13)
- [PEN-TEST] Pen-Testing AS/400 Mike Ahern (Dec 13)
  - Re: [PEN-TEST] Pen-Testing AS/400 Mary Galligan (Dec 15)
    - Re: [PEN-TEST] Pen-Testing AS/400 David Knaack (Dec 15)
    - Re: [PEN-TEST] Pen-Testing AS/400 Enno Rey (Dec 15)
    - [PEN-TEST] Routing Protocol security paper now available NetW3.COM Consulting (Dec 16)
    - Re: [PEN-TEST] Routing Protocol security paper now available Arthur Clune (Dec 19)
    - Re: [PEN-TEST] Routing Protocol security paper now available Nicolas GREGOIRE (Dec 20)
- Re: [PEN-TEST] Pen-Testing AS/400 Bias, Harry (Dec 13)
- Re: [PEN-TEST] Pen-Testing AS/400 Al Sparks (Dec 13)
- Re: [PEN-TEST] Pen-Testing AS/400 Mike Ahern (Dec 14)