TN3270 Mainframe Penetration Testing
TN3270 Protocol Essentials
Unformatted vs Formatted Screens
Sending the wrong packet format causes APCT abends. This distinction is critical.
Unformatted (after CLEAR, or blank screen with no fields):
AID + cursor_addr(2 bytes) + EBCDIC_data + IAC_EOR
DO NOT include SBA (0x11) on unformatted screens. There are no fields, so SBA corrupts the transaction name and causes APCT abends.
Formatted (has input/protected fields):
AID + cursor_addr + [SBA + field_addr + data]... + IAC_EOR
Use analyze_screen_fields() to discover field addresses first.
Key 3270 Orders
| Byte | Order | Purpose |
|---|---|---|
| 0x11 | SBA | Set Buffer Address |
| 0x1D | SF | Start Field (attributes) |
| 0x29 | SFE | Start Field Extended (hidden fields use this) |
| 0x3C | RA | Repeat to Address |
| 0x13 | IC | Insert Cursor |
Screen: 24x80 = 1920 positions. Position = row*80 + col (0-indexed). Addresses are 12-bit encoded into 2 bytes.
AID Keys
| Hex | Key | Hex | Key |
|---|---|---|---|
| 0x7D | ENTER | 0x6D | CLEAR |
| 0xF1-0xFC | PF1-12 | 0xC1-0xCC | PF13-24 |
| 0x6C | PA1 | 0x6E | PA2 |
| 0x6B | PA3 | 0xF0 | SYSREQ |
All text is EBCDIC-encoded on the wire. Use convert_ascii_to_ebcdic().
Mainframe Access Layers
Layer 1: VTAM / Network
Before reaching CICS, you traverse VTAM (Virtual Telecommunications Access Method).
- APPLID enumeration: Discover CICS region names via LOGON APPLID(name). Common APPLIDs: CICS, CICSPROD, CICSTS51, DBDCCICS. Use the Nmap vtam-enum script or brute-force with send_command("LOGON APPLID(name)").
- USSTAB screens: Custom logon screens defined by USS tables. May display banner info, version numbers, or region names.
- Multiple CICS regions: Production systems often have multiple CICS regions (dev/test/prod). Always enumerate all APPLIDs.
Layer 2: TSO / ISPF
For MVS/z/OS systems, you may first land at TSO:
- At the TSO logon prompt: LOGON userid, or type the userid into the field
- Enter the password at the password prompt
- After login: CICS may auto-start, or issue CLEAR + transaction code
Layer 3: CICS Application
Standard CICS entry: CLEAR then type 4-character transaction code (no SBA).
CICS System Transactions (High-Value Targets)
These IBM-supplied transactions are present in every CICS region. Access to ANY of these is a significant finding.
| Transaction | Purpose | Attack Value |
|---|---|---|
| CESN | Sign-on (authentication) | Default creds, brute force |
| CESF | Sign-off | Session termination |
| CEMT | Master terminal (admin) | System enumeration, config changes |
| CEDA | Resource definition | Define new transactions, RACF bypass |
| CECI | Command interpreter | Execute arbitrary EXEC CICS commands |
| CEDF | Execution debugger | Step through programs, inspect data |
| CEBR | Queue browser | Read temporary storage queues |
| CSGM | Good morning (splash) | Version info disclosure |
CEMT Exploitation
If CEMT is accessible, use it for reconnaissance:
- CEMT I TASK -- list active tasks and userids
- CEMT I TRAN(*) -- enumerate ALL defined transactions
- CEMT I FILE(*) -- list all VSAM files
- CEMT I PROG(*) -- list all installed programs
- CEMT I TERM(*) -- list terminals with session info
- CEMT I SYSTEM -- CICS version, region info
- CEMT SET TRAN(xxxx) ENA -- enable a disabled transaction
- CEMT SET FILE(xxxx) OPE REA -- open a file for reading
CEDA RACF Bypass
If CEDA is accessible but CEMT/CECI are RACF-protected, use CEDA to copy restricted transactions to new names that bypass RACF:
- CEDA COPY TRAN(CEMT) AS(XEMT) GROUP(DFHLIST)
- CEDA COPY TRAN(CECI) AS(XECI) GROUP(DFHLIST)
- CEDA INSTALL TRAN(XEMT) GROUP(DFHLIST)
The copies (XEMT, XECI) may not have RACF rules and are freely accessible.
CECI Command Execution
CECI is the most dangerous transaction -- it executes arbitrary EXEC CICS commands:
- CECI READ FILE(filename) RIDFLD(key) -- read VSAM file records
- CECI WRITEQ TS QUEUE(name) FROM(data) -- write to temp storage
- CECI LINK PROGRAM(progname) -- call any installed program
- CECI SPOOLOPEN -- access JES spool for JCL submission
- CECI SEND TEXT FROM('data') -- send data to terminal
CEBR Queue Reading
Browse temporary storage queues for sensitive data:
- CEBR queuename -- read queue contents
- Queues may contain: session tokens, debugging data, application state, credentials
Attack Patterns
1. Hidden Fields (Every Screen)
CICS applications hide fields using SFE with non-display attribute. Always run analyze_hidden() on every screen.
Common findings:
- Hidden menu options with real functionality
- Status flags controlling business logic (e.g., "Purchaseable: Y/N")
- Internal IDs, debug data, authorization tokens
Hiding is not access control. If the server doesn't validate separately, hidden values can be submitted by anyone.
2. Protected Field Tampering (Critical)
The terminal prevents typing in protected fields, but send_raw_hex() bypasses this entirely. COBOL's RECEIVE MAP reads ALL fields from the input stream including protected ones.
Attack: Modify prices, quantities, account numbers, or status codes in protected fields:
AID + cursor_addr + SBA + protected_field_addr + tampered_EBCDIC_data + SBA + input_field_addr + legitimate_data + IAC_EOR
Use analyze_screen_fields() to find protected fields with financial data, then encode_buffer_address() and convert_ascii_to_ebcdic() to build the raw packet.
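The checks behind the hidden-field and protected-field points above, together with the 12-bit buffer address encoding from the protocol section, as an added example in Python; it is not hack3270's or IBM's code. It assumes the outbound stream is captured after the WCC byte, handles only SBA/SF/SFE/IC orders (not RA), and uses a constructed sample screen; attribute bytes 0x60/0x4C/0x40 are the table-encoded values for protected, hidden-unprotected and plain-unprotected fields.

```python
# Added example, not hack3270's or IBM's code: parse the field attributes an application
# sends, list hidden (non-display) fields, and re-check inbound writes against protection.
ADDR_TABLE = bytes([  # 6-bit value -> one byte of a 12-bit buffer address
    0x40,0xC1,0xC2,0xC3,0xC4,0xC5,0xC6,0xC7,0xC8,0xC9,0x4A,0x4B,0x4C,0x4D,0x4E,0x4F,
    0x50,0xD1,0xD2,0xD3,0xD4,0xD5,0xD6,0xD7,0xD8,0xD9,0x5A,0x5B,0x5C,0x5D,0x5E,0x5F,
    0x60,0x61,0xE2,0xE3,0xE4,0xE5,0xE6,0xE7,0xE8,0xE9,0x6A,0x6B,0x6C,0x6D,0x6E,0x6F,
    0xF0,0xF1,0xF2,0xF3,0xF4,0xF5,0xF6,0xF7,0xF8,0xF9,0x7A,0x7B,0x7C,0x7D,0x7E,0x7F])
SBA, SF, SFE, IC, IAC, EOR = 0x11, 0x1D, 0x29, 0x13, 0xFF, 0xEF
PROTECTED, NONDISPLAY = 0x20, 0x0C  # bits of the basic 3270 field attribute byte
def encode_addr(pos):  # pos = row*80 + col, 0-indexed, below 4096
    return bytes([ADDR_TABLE[(pos >> 6) & 0x3F], ADDR_TABLE[pos & 0x3F]])
def decode_addr(b1, b2):  # the low 6 bits of each byte carry the address
    return ((b1 & 0x3F) << 6) | (b2 & 0x3F)
def field_map(outbound):
    """{attribute position: basic attribute byte} per SF/SFE in an outbound WRITE
    stream (bytes after the WCC). Handles SBA/SF/SFE/IC orders, not RA."""
    fields, pos, i = {}, 0, 0
    while i < len(outbound):
        b = outbound[i]
        if b == SBA:
            pos = decode_addr(outbound[i + 1], outbound[i + 2]); i += 3
        elif b == SF:
            fields[pos] = outbound[i + 1]; pos += 1; i += 2
        elif b == SFE:  # count byte, then (type, value) pairs; type 0xC0 = basic attr
            n, pairs = outbound[i + 1], outbound[i + 2:i + 2 + 2 * outbound[i + 1]]
            fields[pos] = dict(zip(pairs[::2], pairs[1::2])).get(0xC0, 0)
            pos += 1; i += 2 + 2 * n
        elif b == IC: i += 1  # no operand, takes no buffer position
        else:  # an ordinary EBCDIC character occupies one position
            pos += 1; i += 1
    return fields
def hidden_fields(fields):  # both display bits set = non-display field
    return sorted(a for a, attr in fields.items() if (attr & NONDISPLAY) == NONDISPLAY)
def protected_writes(inbound, fields):
    """Addresses of inbound SBA segments (after AID + 2-byte cursor) whose data
    lands in a protected field; a well-behaved terminal never sends any."""
    hits, i = [], 3
    while i < len(inbound) and inbound[i] == SBA:
        addr = decode_addr(inbound[i + 1], inbound[i + 2]); i += 3
        while i < len(inbound) and inbound[i] not in (SBA, IAC):
            i += 1  # skip this segment's EBCDIC data
        owner = max((a for a in fields if a < addr), default=None)  # nearest attribute before it
        if owner is not None and fields[owner] & PROTECTED:
            hits.append(addr)
    return hits
# Constructed sample screen: protected PRICE (row 0), hidden flag 'Y' (row 1), QTY input (row 2).
SCREEN = (bytes([SBA]) + encode_addr(0) + bytes([SF, 0x60]) + "PRICE 100.00".encode("cp037")
          + bytes([SBA]) + encode_addr(80) + bytes([SFE, 1, 0xC0, 0x4C]) + "Y".encode("cp037")
          + bytes([SBA]) + encode_addr(160) + bytes([SF, 0x40, IC]))
```

An unformatted record (no SBA after the cursor bytes) simply yields no writes, which is the distinction the protocol section draws; the protected-write check is the server-side validation that RECEIVE MAP alone does not perform.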
3. Transaction Enumeration
Discover all defined transactions, not just what menus show:
- CEMT: CEMT I TRAN(*) lists all transactions if accessible
- Pattern guessing: Applications use prefixes (e.g., MC** for "Mels Cargo", AP** for "Accounts Payable")
- Wordlists: Use fuzz_transaction_codes() with cics-default-transactions.txt
- Config files: CICS PCT (Program Control Table) or CSD defines all transactions. KICKS uses KIKPCT.
- Direct access: Transactions can be invoked directly via CLEAR + code, bypassing menu-level access controls
4. Default Credentials & Users
| Default | Notes |
|---|---|
| CICSUSER / CICSUSER | Common default CICS region userid |
| No external security | Some regions run WITHOUT RACF/ACF2/TopSecret -- every user has region-level access |
| Preset terminal security | Terminals may be pre-signed-on as a default user |
| CESN with blank password | Some configurations allow sign-on without password |
Always check: CEMT I SYSTEM for security manager status. If CICS reports no external security, all users have full region ID authority.
5. Brute Force
Use setup_injection() + brute_force_field():
- PINs/supervisor codes: numeric-4.txt (10K entries), pin-common.txt
- Passwords: default-passwords.txt
- Userids: common-userids.txt
- Set fail_pattern to the error message text
6. AID Key Scanning (Including PA Keys!)
AID keys are handled by COBOL programs, not CICS. Any AID key can trigger hidden functions. Use scan_aid_keys() on every major screen, but also manually test PA1, PA2, and PA3 -- these are often missed by automated scanners.
Critical: Do NOT skip PA keys. In real-world testing, PA3 on a main menu was found to silently navigate to a hidden/secret transaction, and PA1 on that secret screen revealed a nested easter egg. PA keys are dangerous because:
- They only transmit the AID byte (no field data), making them invisible to field-level monitoring
- Most users never press PA keys, so developers use them as "hidden" shortcuts
- COBOL programs handle them via WHEN DFHPA1 / WHEN DFHPA2 / WHEN DFHPA3 in EVALUATE EIBAID
- They may serve as backdoors to admin screens, debug modes, or privileged functions
Watch for:
- PA keys (PA1-PA3): Hidden navigation, backdoor access, easter eggs, debug screens
- Undocumented admin screens on unusual PF keys (PF13-24)
- Deceptive key labels (PF3 labeled "Quit" but does something else)
- CLEAR key intercepted by COBOL (doesn't exit, just redisplays -- could also navigate)
- SYSREQ key behavior
- Nested hidden AIDs: After discovering a hidden screen, scan ALL keys on THAT screen too
Testing approach: The scan_aid_keys() tool may fail to properly test keys after PF3 (Quit) exits the application, since subsequent keys are sent to a blank CICS screen instead. Manually test keys on each screen to ensure accuracy, or exclude PF3 from automated scans and test it separately.
7. File Access via CECI
If CECI is available, read application files:
- CECI STARTBR FILE(name) RIDFLD(*) -- start browsing a file
- CECI READNEXT FILE(name) -- read records sequentially
- Files may contain: customer data, credentials, configuration, audit logs
Use CEMT I FILE(*) first to enumerate available files.
8. JCL Submission (Remote Code Execution)
If spool access is available via CECI, submit JCL for system-level access:
- SPOOLOPEN/SPOOLWRITE: Write JCL to JES spool
- TDQueue: Write JCL to transient data queue (CXRA) for execution
- Payloads: reverse shells (TSO/REXX/Unix), FTP commands, custom JCL
This escalates from CICS application access to z/OS system access.
9. SURROGAT / User Impersonation
The SURROGAT resource class controls whether users can submit jobs as other userids. Check:
- CECI SPOOLOPEN with a different userid
- If SURROGAT checks are not enforced, you can impersonate privileged users
10. Information Disclosure
Look for leaked information on every screen:
- CICS version numbers (CSGM splash screen, CEMT I SYSTEM)
- z/OS version, LPAR name, SYSPLEX info
- Userid display in headers/footers
- File HLQ (High-Level Qualifier) paths revealing dataset naming conventions
- Library paths exposing CICS installation directories
Abend Codes
| Code | Meaning | Severity |
|---|---|---|
| APCT | Program not found/disabled | Low |
| ASRA | Program check (crash) | Critical |
| AICA | Runaway task | Critical |
| AEY7 | Timeout | Medium |
| SOC7/S0C7 | Data exception (bad decimal) | Critical |
| SOC4/S0C4 | Protection exception (memory) | Critical |
| ASRB | Operating system abend | Critical |
| AEIP | Invalid EXEC CICS command | Low |
| AKCS | Storage violation | Critical |
Any ASRA, SOC7, SOC4, or AKCS during testing indicates the application doesn't validate input -- a critical finding.
Pen Test Methodology
- Enumerate VTAM APPLIDs -- discover all CICS regions
- Check system transactions -- try CESN, CEMT, CEDA, CECI, CEDF, CEBR
- Check security manager -- is RACF/ACF2/TopSecret active? (CEMT I SYSTEM)
- Enumerate transactions -- CEMT I TRAN(*) or fuzz_transaction_codes()
- Navigate all screens -- record every transaction code (top-left of screen)
- Check hidden fields -- analyze_hidden() on every screen
- Test protected field tampering -- prices, quantities, status codes via send_raw_hex()
- Test hidden options -- enter discovered hidden values into input fields
- Direct transaction access -- bypass menus by invoking transaction codes directly
- Brute force PINs/codes -- setup_injection() + brute_force_field()
- Scan AID keys -- scan_aid_keys() on each major screen, plus manual PA1/PA2/PA3 and CLEAR tests on every screen (scan tools may miss these)
- Fuzz inputs -- fuzz_all_input_fields() for crashes/abends
- Check authorization -- do destructive actions require auth/confirmation?
- Attempt file access -- CECI READ FILE() if available
- Check JCL submission -- spool/TDQueue access for RCE
- Examine traffic -- load session DB, compare packets, look for anomalies
hack3270 MCP Tools Quick Reference
Connection: connect_api, reconnect_api, ping, check_connection
Screen: get_screen, get_screen_raw, get_screen_raw_hex, find_text, get_text_at
Fields: analyze_screen_fields, get_input_fields, get_hidden_fields, analyze_hidden
Send: send_enter, send_clear, send_aid_key, send_pf_key, send_command, send_field_data, send_raw_hex, build_and_send_packet
Attack: fuzz_field, fuzz_all_input_fields, fuzz_transaction_codes, brute_force_field, scan_aid_keys, setup_injection, inject_value
Session DB: load_database, get_logs, get_log_entry, replay_client_data, replay_sequence
Utility: convert_ascii_to_ebcdic, convert_ebcdic_to_ascii, encode_buffer_address, decode_buffer_address, check_abend, wait_for_text, wait_for_screen_change