/zOS

z/OS - all things security

Intro

                                PHREAK
                    Look, you wanna be elite? You gotta do a
                    righteous hack. None of this accidental shit.

                                CEREAL
                    Oh yeah, you want a seriously righteous hack,
                    you score one of those Gibsons man. You know,
                    supercomputers they use to like, do physics,
                    and look for oil and stuff?

                                PHREAK
                    Ain't no way, man, security's too tight. The
                    big iron?

                                DADE
                    Maybe. But, if I were gonna hack some heavy
                    metal, I'd, uh, work my way back through some
                    low security, and try the back door.

Motivation

Regardless of anakata's intentions, one thing is certain: thanks to him,
some people got hooked and started to talk about the security of
mainframes.  Since then, few individuals (and before that, even fewer)
have done their best to share their knowledge in the field and contribute
to the infosec and mainframe communities. This, however, was still not
enough to close the gap between mainframes and the rest of the world.

I'm kicking off a libre project by sharing the bits and pieces gathered
over the years on the subject.  I want to encourage you to contribute so
we can build together a go-to place for everyone who would like to have
fun and learn about mainframe security.

TODO

No idea what to contribute? We need these (in no particular order), e.g.:

  • More username/password combos from those cracked RACF DBs.
  • Add high-quality content on pentesting methodology, with a focus on verified command samples & tools.
  • Samples of vulnerable code and a list of programming mistakes, with a focus on REXX, COBOL, ASM etc.
  • Add information about tools and techniques on z/OS for compilation, debugging code/apps, SAST/DAST, reversing etc.
  • If not available, create FLOSS tool(s) for exploiting/testing/verifying vulnerabilities/misconfigurations/techniques.
  • Create a VM image (e.g. Vagrant) with everything that's required to run a local z/OS instance.

Resources

Contact

Just create a new issue...