Re: [PEN-TEST] Pen-Testing AS/400

[Mary Galligan <mgalligan () KSCABLE COM>]

----- Original Message -----
From: "Mike Ahern" <mc_ahern () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Tuesday, December 12, 2000 11:22 AM
Subject: Pen-Testing AS/400


> I have tested a good number of AS/400's, and although
> I am a long ways from an AS/400 guru - here's what I
> have found.
>
> Although AS/400 security features are supposedly
> pretty excellent, most people do not admin the boxes
> well. Poor password choices, security configuration,
> etc., are the rule of the day. Account lockout is
> often in play tho (on failed login attempts).
>
> I have found that often AS/400's do not have many
> security features enabled, and that extremely poor
> password conventions are often in effect. Recently
> testing about 15 of these I found half were vulnerable
> to simple password guessing (via FTP or emulated
> session). Many often set a minimum password length way
> too short (I have found as short as 2 character
> passwords), and sometimes the operators setup password
> conventions that defy reason (username=DAN,
> password=DAN01), etc..
>
> Some of the most common defaults (glommed from one of
> the hacker tutorial docs and some of the default
> password lists out there) are:
>
> qsecofr qsecofr
> qpgmr qpgmr
> qserv qserv
> qsrv qsrv
> qserve qserve
> qsrvbas qsrvbas
> qsvr qsvr
> qsvr ibmcel
> qsysopr qsysopr
> quser quser
> secofr secofr
> 11111111 11111111
> 22222222 22222222
> ibm password
> ibm 2222
> ibm service
> ibm ibm
> qsecofr 11111111
> qsecofr 22222222
>
> Additionally, there are AS/400 password cracking
> software and other security audit tools available from
> Pentasafe. IBM also has some good audit tools.
>
> The AS/400 hardware or O/S is supposed to prevent
> buffer overflows, I understand. I haven't discovered
> any AS/400 exploit code, tho I hear rumor that a
> couple of things are out there.
>
> Object level security is often extremely poor (file
> ownership and permissions).
>
> FTP & Emulated (telnet) sessions are often sniffable.
> Also, in many cases people being lazy as they are, if
> you crack the local NT domain passwords, you will
> often find that many of these are portable to the
> AS/400 environment. You can always get the priviledged
> access you want on the 400 by taking out the
> appropriate users workstation and installing a
> keystoke logger (i.e., sysadmin, payroll supervisor,
> etc.).
>
> IBM has a local method of resetting the QSECOFR
> password (the most powerful user on the system), in
> the event that normal access is lost. It is documented
> I believe in some publications and I have come across
> some info about this on the Net in the past (don't
> remember where).
>
>
> Hope this helps.
>
>
>    -mch
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Shopping - Thousands of Stores. Millions of Products.
> http://shopping.yahoo.com/