Penetration Testing mailing list archives
Re: Hacking AS400
From: "Ess H. Sanders" <linux2 () gmail com>
Date: Fri, 7 Apr 2006 09:18:32 -0500
If you can sniff 23/telnet, that is your best bet. Their operating system didn't even begin to support SSH until V5R3 (recently). They can use SSL/telnet on 992, but that is fairly rare. The security officer user (qsecofr) is the holy grail. The default password list mentioned in the securityfocus link is good, as well as Shalom Carmel's info also. I have not tried it, but apparently you can send an AIX version of Netcat. Many AS/400/iSeries have security set to disable the user profile (or the device, be it dumb tube or 5250 session) after three failed attempts, so brute forcing usually is futile. Yes, the 8xxx ports are for IBM Client Access (5250 emulation software for PC), but you should concentrate on 23/telnet. There's no need to break in, if you can log in.

Ideally, the users should only use qsecofr for system maintenance, but as always, people get lazy. They will copy qsecofr and rename it 'bob' or whatever. It's trivial to sniff logins/passwords on these. Once you can log in, check your (or others') level of access with WRKUSRPRF <username>. Enter a 5 beside it to display, and check your results. If User Class says *SECOFR, and under Special Authority you see things like *ALLOBJ, *SECADMIN or *SERVICE, you have probably found a qsecofr level user that has just been copied. You can view all users with WRKUSRPRF USRPRF(*ALL).

If you get in with lesser access, you can try to look at the logs with DSPLOG. To specify a time/date, use DSPLOG PERIOD((time date)). You can page up/down and look for interesting info. If you have physical access, you can restart the machine and reset the qsecofr password with a combination of keypad entries.

Remember, this 23/telnet is 5250, not regular telnet (it supports 24 function keys to emulate the dumb terminals). Windows or PuTTY telnet will let you log in, but you will run into problems. Suggested are the free Mocha 5250 clients for Windows or Linux.
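The "copied qsecofr" profiles the post describes are exactly what a defender should audit for. The following is an added example, not code from the post or from IBM: it takes a constructed CSV of user profiles (the column names USRPRF, USRCLS, SPCAUT and STATUS are assumptions for this example, standing in for whatever an export of the profile list produces) and flags every profile other than QSECOFR that carries the *SECOFR user class or a system-wide special authority. Note that the special authority the post writes as *SECADMIN is spelled *SECADM on the system.

```python
import csv
import io

# Constructed sample of a user-profile export (not real data). Column names
# are assumed for this example; SPCAUT is a space-separated list.
SAMPLE_PROFILES = """\
USRPRF,USRCLS,SPCAUT,STATUS
QSECOFR,*SECOFR,*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG,*ENABLED
BOB,*SECOFR,*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG,*ENABLED
ALICE,*USER,*NONE,*ENABLED
OPS1,*SYSOPR,*JOBCTL *SAVSYS,*ENABLED
OLDADM,*PGMR,*ALLOBJ,*DISABLED
"""

# Special authorities that amount to full control of the machine.
HIGH_RISK_SPCAUT = {"*ALLOBJ", "*SECADM", "*SERVICE"}


def parse_profiles(text):
    """Parse the CSV export into dicts; SPCAUT becomes a set of authorities."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        spcaut = set(row["SPCAUT"].split()) - {"*NONE"}
        rows.append({**row, "SPCAUT": spcaut})
    return rows


def find_cloned_secofr(profiles, allowed=("QSECOFR",)):
    """Return (profile, reasons) for each profile outside `allowed` that has
    the *SECOFR user class or any high-risk special authority. Disabled
    profiles are still reported: a dormant *ALLOBJ account is still a risk."""
    findings = []
    for p in profiles:
        if p["USRPRF"] in allowed:
            continue
        reasons = []
        if p["USRCLS"] == "*SECOFR":
            reasons.append("user class *SECOFR")
        risky = sorted(p["SPCAUT"] & HIGH_RISK_SPCAUT)
        if risky:
            reasons.append("special authority " + " ".join(risky))
        if reasons:
            findings.append((p["USRPRF"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_cloned_secofr(parse_profiles(SAMPLE_PROFILES)):
        print(f"{name} ({'; '.join(reasons)})")
```

On the sample this reports BOB (a full clone of QSECOFR) and OLDADM (a disabled but still *ALLOBJ profile); OPS1 with only *JOBCTL and *SAVSYS is not flagged.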