Re: Hacking AS400

From: Ess H. Sanders (linux2@gmail.com)
Date: Fri Apr 07 2006 - 10:18:32 EDT


If you can sniff 23/telnet, that is your best bet. Their operating system didn't even begin to support SSH until V5R3 (recently). They can use SSL/telnet on 992, but that is fairly rare. The security officer user (qsecofr) is the holy grail. The default password list mentioned in the securityfocus link is good, as well as Shalom Carmel's info also. I have not tried it, but apparently you can send an AIX version of Netcat. Many AS/400/iSeries have security set to disable the user profile (or the device, be it dumb tube or 5250 session) after three failed attempts, so brute forcing usually is futile.
Yes, the 8xxx ports are for IBM Client Access (5250 emulation software for PC), but you should concentrate on 23/telnet. There's no need to break in, if you can log in. Ideally, the users should only use qsecofr for system maintenance, but as always, people get lazy. They will copy qsecofr and rename it 'bob' or whatever. It's trivial to sniff logins/passwords on these. Once you can log in, check your (or others') level of access with WRKUSRPRF <username>. Enter a 5 beside it to display, and check your results. If User Class says *SECOFR, and under Special Authority you see things like *ALLOBJ, *SECADMIN or *SERVICE, you have probably found a qsecofr-level user that has just been copied. You can view all users with WRKUSRPRF USRPRF(*ALL).
If you get in with lesser access, you can try to look at the logs with DSPLOG. To specify a time/date, use DSPLOG PERIOD((time date)). You can page up/down and look for interesting info.
If you have physical access, you can restart the machine and reset the qsecofr password with a combination of keypad entries.
Remember, this 23/telnet is 5250, not regular telnet (it supports 24 function keys to emulate the dumb terminals). Windows or PuTTY telnet will let you log in, but you will run into problems. Suggested are the free Mocha 5250 clients for Windows or Linux.
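The check the post describes, walking WRKUSRPRF USRPRF(*ALL) and looking for profiles whose User Class is *SECOFR or whose Special Authority includes *ALLOBJ, *SECADM or *SERVICE, can be automated once you have the profile list off the box. The script below is an added example and is not the poster's code. It assumes a constructed, whitespace-separated listing (profile name, user class, status, then the special authorities) that you would produce yourself from the DSPUSRPRF output; it is not real IBM i outfile format. It uses the real special-authority name *SECADM rather than the post's *SECADMIN, and it flags both exact copies of QSECOFR's authority set (the "renamed to bob" case) and any profile carrying a full-control special authority, whether or not it is a straight copy.

```python
"""Triage an IBM i user-profile listing for QSECOFR-equivalent accounts.

Added example, not code from the original post. The listing format below
is constructed for this script: one profile per line, columns are
  NAME  USRCLS  STATUS  SPCAUT...   (special authorities, or *NONE)
Build it yourself from DSPUSRPRF / WRKUSRPRF USRPRF(*ALL) output.
"""
from dataclasses import dataclass

# Special authorities that amount to full control of the system.
# *ALLOBJ: all objects; *SECADM: create/change profiles; *SERVICE: service tools.
HIGH_RISK_SPECIAL = {"*ALLOBJ", "*SECADM", "*SERVICE"}

# Constructed sample listing (not captured from a real system).
SAMPLE_LISTING = """\
# NAME    USRCLS   STATUS    SPCAUT...
QSECOFR  *SECOFR  *ENABLED  *ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG
BOB      *SECOFR  *ENABLED  *ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG
ALICE    *USER    *ENABLED  *NONE
OPER1    *SYSOPR  *ENABLED  *JOBCTL *SAVSYS
SVCACCT  *USER    *ENABLED  *ALLOBJ
OLDADM   *SECADM  *DISABLED *SECADM
"""


@dataclass(frozen=True)
class Profile:
    name: str
    user_class: str
    status: str
    special: frozenset


def parse_listing(text):
    """Parse the constructed listing into Profile records; '#' lines are comments."""
    profiles = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, user_class, status, *special = line.split()
        # *NONE is a placeholder meaning "no special authority", not an authority.
        special = frozenset(s.upper() for s in special if s.upper() != "*NONE")
        profiles.append(Profile(name.upper(), user_class.upper(), status.upper(), special))
    return profiles


def qsecofr_copies(profiles):
    """Names of profiles whose special-authority set is identical to QSECOFR's.

    This is the 'copied qsecofr and renamed it bob' pattern from the post.
    Returns [] if QSECOFR itself is not in the listing.
    """
    ref = next((p for p in profiles if p.name == "QSECOFR"), None)
    if ref is None:
        return []
    return sorted(p.name for p in profiles
                  if p.name != "QSECOFR" and p.special == ref.special)


def high_risk_profiles(profiles):
    """Names of profiles carrying any full-control special authority.

    Broader than qsecofr_copies: catches service accounts that were handed
    just *ALLOBJ, and disabled-but-still-present admin profiles.
    """
    return sorted(p.name for p in profiles if p.special & HIGH_RISK_SPECIAL)


def enabled_secofr_class(profiles):
    """Names of enabled profiles whose User Class is *SECOFR."""
    return sorted(p.name for p in profiles
                  if p.user_class == "*SECOFR" and p.status == "*ENABLED")


def report(text):
    """Run all three checks over a listing and return a dict of findings."""
    profiles = parse_listing(text)
    return {
        "qsecofr_copies": qsecofr_copies(profiles),
        "high_risk": high_risk_profiles(profiles),
        "enabled_secofr_class": enabled_secofr_class(profiles),
    }


if __name__ == "__main__":
    for check, names in report(SAMPLE_LISTING).items():
        print(f"{check:22s} {' '.join(names) or '-'}")
```

On the sample, BOB is reported as an exact QSECOFR copy, while SVCACCT (a *USER-class profile with *ALLOBJ) and the disabled OLDADM only show up in the broader high-risk list; that second list is the one worth reviewing on a real system, since a copied profile is often trimmed or reclassified without losing the authority that matters.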



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:49 EDT