Penetration Testing mailing list archives
[PEN-TEST] Pen-Testing AS/400
From: Mike Ahern <mc_ahern () YAHOO COM>
Date: Tue, 12 Dec 2000 09:22:18 -0800
I have tested a good number of AS/400s, and although I am a long way from an AS/400 guru, here's what I have found. Although AS/400 security features are supposedly pretty excellent, most people do not admin the boxes well. Poor password choices, security configuration, etc., are the rule of the day. Account lockout is often in play, though (on failed login attempts). I have found that often AS/400s do not have many security features enabled, and that extremely poor password conventions are often in effect. Recently, testing about 15 of these, I found half were vulnerable to simple password guessing (via FTP or emulated session). Many often set a minimum password length way too short (I have found passwords as short as 2 characters), and sometimes the operators set up password conventions that defy reason (username=DAN, password=DAN01), etc.

Some of the most common defaults (glommed from one of the hacker tutorial docs and some of the default password lists out there) are:

qsecofr qsecofr
qpgmr qpgmr
qserv qserv
qsrv qsrv
qserve qserve
qsrvbas qsrvbas
qsvr qsvr
qsvr ibmcel
qsysopr qsysopr
quser quser
secofr secofr
11111111 11111111
22222222 22222222
ibm password
ibm 2222
ibm service
ibm ibm
qsecofr 11111111
qsecofr 22222222

Additionally, there are AS/400 password cracking software and other security audit tools available from Pentasafe. IBM also has some good audit tools. The AS/400 hardware or O/S is supposed to prevent buffer overflows, I understand. I haven't discovered any AS/400 exploit code, though I hear rumor that a couple of things are out there. Object level security is often extremely poor (file ownership and permissions). FTP & emulated (telnet) sessions are often sniffable. Also, in many cases, people being lazy as they are, if you crack the local NT domain passwords, you will often find that many of these are portable to the AS/400 environment.
You can always get the privileged access you want on the 400 by taking out the appropriate user's workstation and installing a keystroke logger (i.e., sysadmin, payroll supervisor, etc.). IBM has a local method of resetting the QSECOFR password (the most powerful user on the system), in the event that normal access is lost. It is documented, I believe, in some publications, and I have come across some info about this on the Net in the past (don't remember where). Hope this helps. -mch
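A defender-side audit of the conventions this post calls out, as an added example that is not part of the original post: it checks a set of user/password pairs (constructed sample data, standing in for an internal audit tool's export) against the default pairs quoted above, a minimum length (8 is an assumed policy threshold, not a value from the post), the user-name-plus-digits convention (DAN/DAN01) and repeated-digit passwords.

```python
import re

# User/password defaults quoted in the post, folded to lower case.
DEFAULT_PAIRS = {
    ("qsecofr", "qsecofr"), ("qpgmr", "qpgmr"), ("qserv", "qserv"),
    ("qsrv", "qsrv"), ("qserve", "qserve"), ("qsrvbas", "qsrvbas"),
    ("qsvr", "qsvr"), ("qsvr", "ibmcel"), ("qsysopr", "qsysopr"),
    ("quser", "quser"), ("secofr", "secofr"), ("11111111", "11111111"),
    ("22222222", "22222222"), ("ibm", "password"), ("ibm", "2222"),
    ("ibm", "service"), ("ibm", "ibm"), ("qsecofr", "11111111"),
    ("qsecofr", "22222222"),
}

def audit_credential(user, password, min_len=8):
    """Policy findings for one pair; empty list means nothing flagged.
    min_len is an assumed policy threshold, not a value from the post."""
    # Profile names and classic AS/400 passwords are case-insensitive: fold case.
    u, p = user.strip().lower(), password.strip().lower()
    findings = []
    if (u, p) in DEFAULT_PAIRS:
        findings.append("vendor default")
    if len(p) < min_len:
        findings.append(f"shorter than {min_len}")
    if p == u:
        findings.append("password equals user name")
    elif re.fullmatch(re.escape(u) + r"\d{1,4}", p):
        findings.append("user name plus digits")  # the DAN / DAN01 convention
    if p.isdigit() and len(set(p)) == 1:
        findings.append("repeated single digit")  # 11111111 / 22222222 style
    return findings

def audit(pairs, min_len=8):
    """Map every user with at least one finding to its list of findings."""
    report = {}
    for user, password in pairs:
        findings = audit_credential(user, password, min_len)
        if findings:
            report[user] = findings
    return report

# Constructed sample input, standing in for an internal audit tool's export.
SAMPLE = [("QSECOFR", "QSECOFR"), ("DAN", "DAN01"), ("PAYROLL", "Tr7!kq9Zm"),
          ("QUSER", "X4"), ("OPS", "11111111")]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(f"{user}: {', '.join(findings)}")
```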