Many have seen Hackers (1995), a movie now considered a classic. Some say it is humorous and unrealistic, but on closer inspection you may notice that these keyboard cowboys were dealing with some serious hardware.
In the film, the mainframe user they breached uses a ridiculously short password, which is accurate to an extent. In the early days of z/OS, passwords were alphanumeric and, surprisingly, uppercase only. Three special characters were permitted (#, $, @) and the maximum length was 8 characters. As of z/OS V1R7, RACF passwords support lowercase and have a minimum and maximum length of 14 and 100 characters respectively.
“If you examine the amount of workload running the world’s production for mission-critical workloads, mainframes handle about 68 percent of that. But the IBM Z platform is only 6 percent of the IT spend.”–Tom Rosamilia, senior vice president, IBM Systems
It is a misconception that these are legacy systems. Despite the masses moving to cloud providers, mainframes are still widely used and supported today. Modern mainframes are commonly found operating in financial institutions and governments. One of these refrigerator-sized systems has enough processing power to handle 100 Black Fridays' worth of transactions in 1 day. Such systems are how VISA and common banking systems operate, handling very high volumes of data with ease.
“About 80 percent of the world’s data is behind a firewall still. The IBM Z platform has the crown jewels of data that companies want to analyze and need to protect.”–Tom Rosamilia, senior vice president, IBM Systems
Infrastructure with this much power is generally locked up deep within internal networks; however, some are connected to the public internet. Using fingerprinting and publicly available services such as Shodan, we can quickly find a number of them. A simple way to locate these systems is by profiling unique services that come preinstalled. The terminal emulation program can be easily spotted by fingerprinting its telnet daemon. To enable access to mainframe terminals over TCP/IP, IBM developed TN3270. This is like an upgraded telnet daemon with keyboard emulation and block mode service.
Performing a quick search query for ‘telnet.option:tn3270e port:23’, we can see a number of systems listed:
A TN3270 emulator can be used to interact with these services. Connecting directly with a telnet client will not work, and will yield an error message:
TN3270E Service Error 511
Telnet negotiation failure: client did not send a valid configured TN3270
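The fingerprint behind that search and that error is the telnet option negotiation itself. As an added example (not code from the original article), the sketch below parses the first bytes a listener sends and reports whether it requests TN3270E, which is useful when checking what your own hosts advertise. The function names and the sample captures are constructed for illustration; the option numbers are the standard Telnet assignments (TN3270E is option 40, RFC 2355).

```python
# Added example: classify a captured telnet greeting by its option negotiation.
IAC, SB, SE = 255, 250, 240
VERBS = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
# Option numbers: TN3270E is 40 (RFC 2355); the rest are standard Telnet options.
OPTIONS = {0: "BINARY", 24: "TERMINAL-TYPE", 25: "END-OF-RECORD", 40: "TN3270E"}

# Constructed sample captures (first bytes a server sends), not real hosts.
SAMPLES = {
    "tn3270e-listener": b"\xff\xfd\x28",
    "generic-telnetd": b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27",
    "raw-banner": b"login: ",
}

def parse_negotiation(data: bytes):
    """Return (verb, option) pairs for each IAC option command in data."""
    found, i = [], 0
    while i < len(data):
        if data[i] != IAC:
            i += 1                          # ordinary data byte
        elif i + 1 >= len(data):
            break                           # capture ends mid-command
        elif data[i + 1] in VERBS:
            if i + 2 >= len(data):
                break                       # option byte missing
            opt = data[i + 2]
            found.append((VERBS[data[i + 1]], OPTIONS.get(opt, str(opt))))
            i += 3
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break                       # unterminated subnegotiation
            i = end + 2
        else:
            i += 2                          # escaped 0xFF or two-byte command
    return found

def classify(data: bytes) -> str:
    cmds = parse_negotiation(data)
    if ("DO", "TN3270E") in cmds:
        return "tn3270e"        # server requests TN3270E, the option the search keys on
    if ("DO", "TERMINAL-TYPE") in cmds:
        return "inconclusive"   # classic TN3270 and ordinary telnetd both ask this
    return "plain-telnet" if cmds else "no-negotiation"

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} {classify(blob):15} {parse_negotiation(blob)}")
```

A listener classified as "tn3270e" on an internet-facing address is exactly what the search above indexes, so it is a candidate for moving behind a VPN or an access-controlled gateway.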
Using an emulator, we can look at and interact with the actual terminals and authentication prompts: