So why are we talking about the hacking of an IBM i? That's certainly not a headline we see very often, as IBM i systems have been considered un-hackable for years. Anyone who has worked on IBM i has heard some of these statements:
- “Nobody wants to hack an IBM i.”
- “Never in my 40 years in the business has anyone hacked an IBM i!”
- “IBM i’s don’t have hacking problems like Windows computers.”
- “IBM i’s are bullet-proof. They don’t have zero-days like other computers.”
Unfortunately, common misconfigurations on any platform can lead to a system compromise; in the end, all systems are programmed and configured by humans. The issues discussed here are not limited to the old white-box hardware that has long since been retired. They apply equally to the latest systems, including Power Systems servers running IBM i 7.x.
Why Perform Penetration Testing?
The only way to truly confirm that a vulnerability is exploitable is to try to exploit it. Security penetration testing, commonly known as ethical hacking, is a critical step organizations should take to ensure their data security. Fortra’s Core Impact performs penetration testing to confirm whether the risks identified pose a real threat to data, and its penetration testing is now available for IBM i.
Core Impact's automated walkthrough for an IBM i penetration test and security audit helps ensure the test is done right and provides an unbiased assessment of your security posture to guide remediation. Read on to learn what it takes to complete a successful pen test on IBM i.
Discovery
Once the scope has been established, pen testing teams can get to work. In the discovery phase, teams perform different types of reconnaissance on their target. Often referred to as footprinting, this phase involves gathering as much information as possible about the target systems, networks, and their owners without attempting to penetrate them.
Attack and Penetrate
Now informed about their target, pen testers work through the entry points and weaknesses identified during discovery, attempting to gain access through each of them.
The first attempt to penetrate the system targets misconfigurations in the system default user accounts: no password, an easily guessed password, or a password left at its default value.
The Network Attack and Penetration module launches the TN3270 Identity Verifier. This module spawns several child tasks that run tests in parallel according to its configuration, and it rotates the usernames under test to reduce the chance of locking accounts out.
If the module finds a valid set of credentials on the target system, it uses them to deploy an OS Agent on the target.
Local Information Gathering
Once inside the system, several local information gathering modules can be launched through the Network Local Information Gathering RPT module.
The IBM i specific information that the LIG modules can retrieve is:
- System Values assessment
  - Current value
  - Recommended value
  - Deviation from the recommendation
- Users and Groups assessment
  - Checks for users with a default password
  - Highlights users with special authorities and profile objects whose *PUBLIC authority is not *EXCLUDE
  - Adds the users as identities that can be used later in the test
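The two assessments above, written as a small defender-side audit script. This is an added example, not Core Impact's or the article's own code: the recommended baseline values, the input field names (modelled loosely on what QSYS2.USER_INFO and DSPSYSVAL return) and all sample records are constructed for illustration, not taken from a real system or from IBM's official guidance.

```python
from dataclasses import dataclass

# Illustrative baseline for this example only (assumption); take the
# real recommended values from IBM's security guidance for your release.
RECOMMENDED_SYSVALS = {          # name: (rule, recommended value)
    "QSECURITY": ("min", 40),    # security level 40 or 50
    "QMAXSIGN": ("max", 5),      # failed sign-on attempts before action
    "QPWDMINLEN": ("min", 8),    # minimum password length
    "QPWDEXPITV": ("max", 90),   # password expiration interval in days
}


def assess_system_values(current: dict[str, int]) -> list[dict]:
    """Report current value, recommended value and deviation per system value.
    A value missing from the input is reported as a deviation."""
    report = []
    for name, (rule, rec) in RECOMMENDED_SYSVALS.items():
        cur = current.get(name)
        compliant = cur is not None and (cur >= rec if rule == "min" else cur <= rec)
        report.append({"name": name, "current": cur, "recommended": rec,
                       "deviates": not compliant})
    return report


@dataclass
class UserProfile:
    name: str
    default_password: bool                  # password equals the profile name
    special_authorities: frozenset = frozenset()   # e.g. *ALLOBJ, *SECADM
    public_authority: str = "*EXCLUDE"      # *PUBLIC authority on the *USRPRF object


def assess_users(profiles: list[UserProfile]) -> dict[str, list[str]]:
    """Flag the three conditions the Users and Groups assessment reports."""
    findings = {"default_password": [], "special_authority": [], "public_not_exclude": []}
    for p in profiles:
        if p.default_password:
            findings["default_password"].append(p.name)
        if p.special_authorities:
            findings["special_authority"].append(p.name)
        if p.public_authority.upper() != "*EXCLUDE":
            findings["public_not_exclude"].append(p.name)
    return findings


# Constructed sample input; not output from any real system.
SAMPLE_SYSVALS = {"QSECURITY": 30, "QMAXSIGN": 3, "QPWDMINLEN": 6, "QPWDEXPITV": 90}
SAMPLE_PROFILES = [
    UserProfile("QSECOFR", False, frozenset({"*ALLOBJ", "*SECADM"})),
    UserProfile("APPUSER", True, public_authority="*USE"),
    UserProfile("REPORTS", False),
]

if __name__ == "__main__":
    for row in assess_system_values(SAMPLE_SYSVALS):
        print(row)
    print(assess_users(SAMPLE_PROFILES))
```

Every profile flagged for a default password or a non-*EXCLUDE *PUBLIC authority is one the tester's TN3270 check or a later LIG step would also surface, so fixing these first removes the easiest entry points.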