Penetration Testing mailing list archives

Re: Hacking AS400


From: "Ess H. Sanders" <linux2 () gmail com>
Date: Fri, 7 Apr 2006 09:18:32 -0500

If you can sniff 23/telnet, that is your best bet. Their operating
system didn't even begin to support SSH until V5R3 (recently). They
can use SSL/telnet on 992, but that is fairly rare. The security
officer user (qsecofr) is the holy grail. The default password list
mentioned in the securityfocus link is good, as well as Shalom
Carmel's info. I have not tried it, but apparently you can send
an AIX version of Netcat. Many AS/400/iSeries have security set to
disable the user profile (or the device, be it dumb tube or 5250
session) after three failed attempts, so brute forcing usually is
futile.

Yes, the 8xxx ports are for IBM Client Access (5250 emulation software
for PC), but you should concentrate on 23/telnet. There's no need to
break in, if you can log in. Ideally, the users should only use
qsecofr for system maintenance, but as always, people get lazy. They
will copy qsecofr and rename it 'bob' or whatever. It's trivial to
sniff logins/passwords on these. Once you can log in, check your (or
others') level of access with WRKUSRPRF <username>. Enter a 5 beside
it to display, and check your results. If User Class says *SECOFR, and
under Special Authority you see things like *ALLOBJ, *SECADMIN or
*SERVICE you have probably found a qsecofr level user that has just
been copied. You can view all users with WRKUSRPRF USRPRF(*ALL).

If you get in with lesser access, you can try to look at the logs with
DSPLOG. To specify a time/date, use DSPLOG PERIOD((time date)). You
can page up/down and look for interesting info.

If you have physical access, you can restart the machine and reset the
qsecofr password with a combination of keypad entries.

Remember, this 23/telnet is 5250, not regular telnet (it supports 24
function keys to emulate the dumb terminals). Windows or Putty telnet
will let you log in, but you will run into problems. Suggested are
the free Mocha 5250 clients for Windows or Linux.
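The copied-and-renamed qsecofr profiles the post describes are what a periodic privilege audit should surface. The query below is an added example, not from the original post; it assumes a current IBM i release where the QSYS2.USER_INFO service exists (it was not available on the V5R3-era systems discussed), and it lists every enabled profile carrying security-officer-class authorities so that a 'bob' with *ALLOBJ stands out next to the expected QSECOFR.

```sql
-- Added audit query (assumes QSYS2.USER_INFO is available on this release).
-- Flags any profile that is *SECOFR class or holds the special authorities
-- the post calls out (*ALLOBJ, *SECADM, *SERVICE); anything other than
-- QSECOFR and known administrators in this list deserves a review.
SELECT AUTHORIZATION_NAME,
       USER_CLASS_NAME,
       SPECIAL_AUTHORITIES,
       STATUS,
       PASSWORD_CHANGE_DATE
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND (   USER_CLASS_NAME = '*SECOFR'
        OR SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
        OR SPECIAL_AUTHORITIES LIKE '%*SECADM%'
        OR SPECIAL_AUTHORITIES LIKE '%*SERVICE%')
 ORDER BY AUTHORIZATION_NAME;
```

Run it from STRSQL or ACS Run SQL Scripts; comparing the result against an approved list of privileged profiles over time catches the copies the post warns about.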
