Geeking Out on IBM i - Part 2

By -

(This is part 2 of a three part series.  To view part 1, click here)

Network Configuration

This part in the three-part "Geeking Out on IBM i" series focused on network configuration. This series is an effort to make IBM i (AS/400) lingo and concepts easily accessible to the hacker community, hoping to reduce the barrier of entry for security research.


Configuring the IBM i Network Interfaces was an interesting challenge for me, a primarily Linux/Unix person.  When we finally got time to work on this project, Michigan was just heading into COVID19 lockdown, and remote-access to the machine was becoming urgent.  That made all of this a little more stressful.  I found a couple different “configuring TCP/IP on IBM i” articles on the Internet.  As usual, they were written for other versions of the OS, probably naming the system “AS/400” or “iSeries.”  This created some anxiety for this newly-minted IBM i geek.  I guess I have seen the exact same thing on all the different versions of Linux, but let’s face it, that’s familiar and this was not.  I guess I have a new appreciation for what others feel when reading Linux docs.  :\


Before we begin, it’s important to point out that there are two machines that need TCP/IP configured correctly: the HMC and the IBM i machine itself.  The HMC has an initial setup script that is pretty self-explanatory, and will not be included in this blog post.  From here on, we’ll be discussing the IBM i machine hardware and setup process.  


Once configured, I (as an administrator) can log into the IBM i in two different ways:  Directly against the IBM i using my 5250 terminal emulator, and through the HMC’s “Console” connection (also using 5250).  The key differences are which IP and which TCP port I use.  (The IBM i port is 23 and the HMC port is 2301).  Oh, and out the gate, I can connect using TLS to the HMC, but my connections fail if I try to connect to the IBM i using TLS.


Major Spoiler: Much of my frustration while setting this up the first time was caused by being remote and not understanding how the machine behaves (such as how the system responds when trying to configure a network interface that isn’t currently connected to a network).  Yep, you guessed it, I was setting up a Network port that wasn’t connected, and it was failing miserably… and there were 8 ports.  Not knowing what I was doing, moving through those 8 ports was annoying and disheartening.


Lingo HINT: In Linux we like to say that our network adapter is “up” or “down”.  In Windows, we say “Enabled” or “Disabled”.  The verbs follow as “bringing the NIC up/down” or “enabling the NIC,” etc…  In IBM-land, we “vary on” or “vary off” the various hardware devices, and they are said to be “varied on” or “varied off”.


In order to configure a network adaptor, we need to figure out some information about our hardware.  To do this, we get into “WORK with HARDWARE RESOURCES” and specify “*CMN” as the resource type:



This brings up the Work with Communication Resource screen, which lists resources (and description), their type (a number), and the status.  The items we’re most interested in are the Ethernet Ports, but it’s important to note what LAN Adapter (and Comm Processor) they fall under.  




Note that this screen shows that Ethernet Ports CMN03 thru CMN06 are on the LIN04 LAN Adapter, which is part of the CMB06 Comm Processor.


Armed with this information, we can set up the Ethernet Port to use 100MBPS line speed.  In this line, we’re configuring the first Ethernet Port (CMN03) on LIN04.



Once you have it configured, you may need to vary on the port as follows:

vrycfg cfgobj(ETHLINE) cfgtype(*lin) status(*on)


To see if everything is working, check the interface using the following command:

wrkcfgsts cfgtype(*lin) cfgd(ETHLINE)



It’s probably good to note that our IBM i came with two (2) LAN Adaptors, with a total of 8 Ethernet Ports.  The secondary card is part of the CMB07 Comm Processor, and extends on to the next screen.


However, as we work with the individual Ethernet Port, we can use the Display Resource Detail screen:



Once we have configured the Ethernet Port properly, we configure TCP/IP by entering the cfgtcp command, which will display the Configure TCP/IP menu:



Choose Work with TCP/IP Interfaces:



Now configure a new TCP/IP Interface (assuming you don’t already have the correct one configured).  The following screen will be displayed:



Enter the IP address and Line Description you want.  For this example, we’ve used “192.168.20.11” and “lin04”, keeping the default 24-bit mask (“255.255.255.0”).



Pressing enter is all that’s necessary to create the TCP/IP Interface.  That takes us back to the Work with TCP/IP Interfaces screen, with the added IP configuration entry:



ALTERNATELY, if you would prefer to just add a TCP/IP configuration to an interface, you can use the following command:



Once you’ve added the TCP interface, you may need to “start” it.  You may do so with this command:



Now on to routing.  We’ll go back to the menuing system for routing.  From the Configure TCP/IP screen, choose #2: “Work with TCP/IP Routes” and edit the “default” route:

When


you’re complete, this is what you should see on the Routing screen:



Errors (in my case, I enabled a port that wasn’t connected) were discovered in the QSYSOPR’s Message queue:



Cheat Sheet Commands for Network Configuration:

wrklind

wrkcfgsts *lin

wrkhdwrsc *cmn

cfgtcp

crtlineth

vrycfg

wrksysval

wrkmsg QSYS/QSYSOPR


Conclusion

Today we talked about how TCP/IP networking and network-hardware is configured on IBM i.  While the concepts are largely the same between the different operating systems, IBM i configuration certainly comes with it's own flavor. Hopefully this has been beneficial to you.  Let us know at info@grimm-co.com if you have any additional remarks!

Check back in a few weeks for the conclusion of "Geeking Out on IBM i."  

Popular posts from this blog

New Old Bugs in the Linux Kernel

By Anonymous -
Image
  Introduction Dusting off a few new (old) vulns Have you ever been casually perusing the source code of the Linux kernel and thought to yourself "Wait a minute, that can’t be right"? That’s the position we found ourselves in when we found three bugs in a forgotten corner of the mainline Linux kernel that turned out to be about 15 years old. Unlike most things that we find gathering dust, these bugs turned out to still be good, and one turned out to be useable as a Local Privilege Escalation (LPE) in multiple Linux environments. Who you calling SCSI? The particular subsystem in question is the SCSI (Small Computer System Interface) data transport, which is a standard for transferring data made for connecting computers with peripheral devices, originally via a physical cable, like hard drives. SCSI is a venerable standard originally published in 1986 and was the go-to for server setups, and iSCSI is basically SCSI over TCP. SCSI is still in use today, especially
Read more

Automated Struct Identification with Ghidra

By Anonymous -
Image
At GRIMM, we do a lot of vulnerability and binary analysis research. As such, we often seek to automate some of the analysis steps and ease the burden on the individual researcher. One task which can be very mundane and time consuming for certain types of programs (C++, firmware, etc), is identifying structures' fields and applying the structure types to the corresponding functions within the decompiler. Thus, this summer we gave one of our interns,  Alex Lin , the task of developing a Ghidra plugin to automatically identify a binary's structs and mark up the decompilation accordingly. Alex's writeup below describes the results of the project, GEARSHIFT, which automates struct identification of function parameters by symbolically interpreting Ghidra's P-Code to determine how each parameter is accessed. The Ghidra plugin described in this blog can be found in our GEARSHIFT repository . Background Ghidra is a binary reverse engineering tool developed by the National Sec
Read more

SOHO Device Exploitation

By Anonymous -
Image
Netgear R7000 SOHO Device Exploitation After a long day of hard research, it’s fun to relax, kick back, and do something easy. While modern software development processes have vastly improved the quality of commercial software as compared to 10-15 years ago, consumer network devices have largely been left behind. Thus, when it’s time for some quick fun and a nice confidence boost, I like to analyze Small Office/Home Office (SOHO) devices. This blog describes one such session of auditing the Netgear R7000 router , analyzing the resulting vulnerability, and the exploit development process that followed. The write-up and code for the vulnerability described in this blog post can be found in our NotQuite0DayFriday repository. Initial Analysis The first step when analyzing a SOHO device is to obtain the firmware. Thankfully, Netgear’s support website hosts all of the firmwares for the R7000. The Netgear R7000 version 1.0.9.88 firmware used in this blog post can be downloaded from this web
Read more