Penetration Testing mailing list archives
Re: [PEN-TEST] Pen-Testing AS/400
From: Al Sparks <data345 () YAHOO COM>
Date: Tue, 12 Dec 2000 16:08:58 -0800
Here's my 2 cents regarding AS/400 security. First, regarding passwords; AS/400s do allow you to restrict what passwords you can enter and even use your own password checking program if you so choose. However, AS/400 passwords do have 2 inherent weaknesses, making brute force attacks easier, the passwords are not case sensitive, and youre limited to 10 characters. That cuts down considerably on the amount of total passwords a brute force attack needs to check. Another problem I have with AS/400 security is the default internet settings. Unless you write your own program accessing OS/400 APIs (OS/400 is the AS/400 operating system), the AS/400 doesnt log internet connections (unless youre logging on interactively; and even then you dont know from what IP address). A unix sysadmin is used to having a configuration where any internet connection is logged, as well as the ability to restrict what IP number, or DNS domain can use that service. IBM provides APIs that can be used by a "roll your own" program to send output to a log, or restrict what node or class of nodes can use that internet service. What this means for most people is they end up getting 3rd party software (Pentasafe is one of the more expensive) that will do this for them. IBM should bundle their own interface with the system. People shouldnt have to buy this kind of fundamental security separately. I second the recommendations regarding Madden and Woodburys "Implementing AS/400 Security". When I first got AS/400s at our shop, I used that book to harden our machines. When I was on vacation, the IBM tech rep showed up at our site over a hardware failure, and while there, the boss invited him to try to break into our machine. He tried using all those accounts mentioned in another post (QUSER, for example) and couldnt. He also said our machines were the only ones in town he couldnt break into, which doesnt mean my machines are particularly super secure, but that most AS/400s in town are very insecure. === Al --- Mike Ahern <mc_ahern () YAHOO COM> wrote:
I have tested a good number of AS/400's, and although I am a long ways from an AS/400 guru - here's what I have found. Although AS/400 security features are supposedly pretty excellent, most people do not admin the boxes well. Poor password choices, security configuration, etc., are the rule of the day. Account lockout is often in play tho (on failed login attempts). I have found that often AS/400's do not have many security features enabled, and that extremely poor password conventions are often in effect. Recently testing about 15 of these I found half were vulnerable to simple password guessing (via FTP or emulated session). Many often set a minimum password length way too short (I have found as short as 2 character passwords), and sometimes the operators setup password conventions that defy reason (username=DAN, password=DAN01), etc.. Some of the most common defaults (glommed from one of the hacker tutorial docs and some of the default password lists out there) are: qsecofr qsecofr qpgmr qpgmr qserv qserv qsrv qsrv qserve qserve qsrvbas qsrvbas qsvr qsvr qsvr ibmcel qsysopr qsysopr quser quser secofr secofr 11111111 11111111 22222222 22222222 ibm password ibm 2222 ibm service ibm ibm qsecofr 11111111 qsecofr 22222222 Additionally, there are AS/400 password cracking software and other security audit tools available from Pentasafe. IBM also has some good audit tools. The AS/400 hardware or O/S is supposed to prevent buffer overflows, I understand. I haven't discovered any AS/400 exploit code, tho I hear rumor that a couple of things are out there. Object level security is often extremely poor (file ownership and permissions). FTP & Emulated (telnet) sessions are often sniffable. Also, in many cases people being lazy as they are, if you crack the local NT domain passwords, you will often find that many of these are portable to the AS/400 environment. You can always get the priviledged access you want on the 400 by taking out the appropriate users workstation and installing a keystoke logger (i.e., sysadmin, payroll supervisor, etc.). IBM has a local method of resetting the QSECOFR password (the most powerful user on the system), in the event that normal access is lost. It is documented I believe in some publications and I have come across some info about this on the Net in the past (don't remember where). Hope this helps. -mch __________________________________________________ Do You Yahoo!? Yahoo! Shopping - Thousands of Stores. Millions of Products. http://shopping.yahoo.com/
__________________________________________________ Do You Yahoo!? Yahoo! Shopping - Thousands of Stores. Millions of Products. http://shopping.yahoo.com/
Current thread:
- Re: [PEN-TEST] Pen-Testing AS/400, (continued)
- Re: [PEN-TEST] Pen-Testing AS/400 Joe Traietta (Dec 13)
- Re: [PEN-TEST] Pen-Testing AS/400 Walsh, John (Dec 13)
- [PEN-TEST] Pen-Testing AS/400 Mike Ahern (Dec 13)
- Re: [PEN-TEST] Pen-Testing AS/400 Mary Galligan (Dec 15)
- Re: [PEN-TEST] Pen-Testing AS/400 David Knaack (Dec 15)
- Re: [PEN-TEST] Pen-Testing AS/400 Enno Rey (Dec 15)
- [PEN-TEST] Routing Protocol security paper now available NetW3.COM Consulting (Dec 16)
- Re: [PEN-TEST] Routing Protocol security paper now available Arthur Clune (Dec 19)
- Re: [PEN-TEST] Routing Protocol security paper now available Nicolas GREGOIRE (Dec 20)
- Re: [PEN-TEST] Pen-Testing AS/400 Mary Galligan (Dec 15)