Hacking AS/400
by radiat
Well, first off let's say a little about the AS/400 OS.
AS/400 is a mainframe system built by IBM and is highly configurable for the operating company. This text may not be accurate for every AS/400 machine you encounter, but I will try to give some basic tips and information.
AS/400 systems are mostly report computers. They process company orders, print files, and keep information such as money and account status. All that good stuff. So why do you care? Well, call it "learning another computer" - and hey, it's a really friendly system and can be fun to play with.
Let's start with the basics. Now, since a lot of people don't know about AS/400 computers (and most operators don't know the difference between a mouse and a joystick), I will start at the beginning and work through from there.
First off - the online help. Possibly the best thing on this system. Say you don't know what something is. Just move the cursor to what you want to know about, hit F1, and help is on the way! So, with that in mind, on to the good stuff.
User IDs
IBM has a few preset User IDs. These include:
- QSECOFR (Security Officer): Has ALLOBJ (ALL OBJECT) access, like root.
- QSYSOPR (System Operator): Receives break messages and has ALLOBJ access.
- QUSER (Default User): Has limited access.
For the purposes of this text, we will remain on QSECOFR and QSYSOPR. Other IDs will more than likely have limited access, and may not even have command line access. Those IDs may follow this basic outline:
- Example User ID: OPJCO999
- OP being the user status (in this case OP= operator)
- JCO being the user initials (e.g., Jim Computer Operator)
- 999 being the company number
So Which One Do I Want?
Well QSECOFR sure sounds nice, but it's more than likely you won't get QSECOFR, since it is rarely used, especially by the common operator. So we will concentrate on QSYSOPR. QSYSOPR is like su to root, meaning you will most likely have all the security rights you need.
QSYSOPR will receive break messages. This means that when QSYSOPR is signed onto DSP01 (main terminal) it will receive active messages that will break, or interrupt, the user's activities. This is very important because if you cause some trouble on the system, the on duty operator will be notified of your activities, and that's bad.
On a happier note, you too can send messages across the system with SNDBRKMSG. Good if you're caught in a jam.
Three Strikes And You're Out!
Now, if you disable yourself, QSYSOPR will get a message along the lines of: OPJCO999 has disabled themselves. Contact the user immediately.
Again, this only gives you unnecessary attention, so we want to steer clear of that.
Passwords
By default, the first password is the User ID (OPJCO999:OPJCO999), but once logged in, the user is not allowed to continue until the password is changed.
Once a password has been set it can never be reused, even after the ID is disabled and re-enabled. That is, of course, unless the operator changes that user environment (not recommended). All passwords will expire automatically after 75 days (system default), so when logging on to an AS/400 system, be sure you know your password. If you don't, you will disable the ID after three strikes, and QSYSOPR on DSP01 will get that nasty message.
"He's Dead, Jim."
O.K., so you killed your User ID. Now what?
At this point the operator has two choices. One - he can just reset you. Two - he can wait for you to call and say, "Jim, I disabled myself. Can you reset me?" Now, disablement happens all the time, so you have a good chance that the operator may just reset you, and if the ID is important - say QSYSOPR - then they will have to reset it. If you act fast you might be able to catch it before they change the password.
So I'm In - What Now?
If you don't see a command line, or if you have limited options, the User ID you have doesn't have enough power.
You may be able to reset another User ID and get more power (reset OPJCO999), or create a new one (CRTUSRPRF). Well, assuming you have command line access, there are a couple of key rules to remember:
1.) The AS/400 likes to abbreviate its commands. Say I wanted to modify my User ID. I would type: WRKUSRPRF
Let's examine this command:
- WRK: Work With
- USR: User
- PRF: Profile
This is very important, because all commands follow this basic rule. Let's look at some important ones:
- WRKACTJOB: Work with active jobs.
- WRKUSRPRF: Work with user profile.
- WRKCFGSTS *CTL: Work with config status (*CTL is for controllers).
The list goes on, but those are some of the more important ones.
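The "verb + object" naming rule above is easy to check mechanically. The following is an added example (not code from the original text): a small tokenizer that splits a CL command name into its abbreviation parts using longest-match with backtracking, which is what lets WRKSPLF be read as WRK + SPLF rather than chopped into three-letter groups. The abbreviation table is built from the commands mentioned in the text plus a few standard CL verbs and objects (CHG, DLT, DSP, PWD) that are assumed knowledge of the convention, not taken from the page.

```python
"""Tokenize AS/400 (CL) command names into their abbreviation parts.

Added example; not code from the original text. The abbreviation table is
built from the commands the text mentions plus a few standard CL verbs and
objects (CHG, DLT, DSP, PWD) that are assumed, not taken from the page.
"""

# Abbreviation -> meaning. Longest-match below relies on this table, so a
# four-letter entry such as SPLF is tried before any three-letter split.
ABBREVIATIONS = {
    "WRK": "Work with",
    "CRT": "Create",
    "SND": "Send",
    "CHG": "Change",      # assumed standard CL verb
    "DLT": "Delete",      # assumed standard CL verb
    "DSP": "Display",     # assumed standard CL verb
    "USR": "User",
    "PRF": "Profile",
    "ACT": "Active",
    "JOB": "Job",
    "CFG": "Configuration",
    "STS": "Status",
    "BRK": "Break",
    "MSG": "Message",
    "SPLF": "Spooled File",
    "PWD": "Password",    # assumed standard CL object
}


def tokenize(command):
    """Split a CL command name into abbreviation tokens.

    Parameters such as '*CTL' are dropped first. Returns a list of tokens, or
    None when some fragment is not in the table, so a caller can distinguish
    "unknown command" from a successful parse.
    """
    name = command.upper().split()[0]
    return _split(name)


def _split(name):
    """Recursive longest-match with backtracking over the abbreviation table."""
    if not name:
        return []
    # Try the longest candidate prefix first, down to two characters.
    for length in range(min(len(name), 6), 1, -1):
        head = name[:length]
        if head in ABBREVIATIONS:
            rest = _split(name[length:])
            if rest is not None:
                return [head] + rest
    return None


def expand(command):
    """Readable expansion, e.g. WRKUSRPRF -> 'Work with User Profile'."""
    tokens = tokenize(command)
    if tokens is None:
        return None
    return " ".join(ABBREVIATIONS[t] for t in tokens)


if __name__ == "__main__":
    for cmd in ("WRKUSRPRF", "WRKACTJOB", "WRKCFGSTS *CTL", "WRKSPLF", "SNDBRKMSG"):
        print(f"{cmd:16} -> {expand(cmd)}")
```

Anything the tokenizer returns None for (DSP01, for instance, is a device name, not a command) is a hint that the string does not follow the verb-object rule at all.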
2.) Let's talk options. First off, we need to go over the keyboard mappings. At the main terminal the keyboard is much different than a PC's. The major differences will be the Function keys (F1 - F12), and the keypad. The AS/400 uses 24 function keys. They are important to know, because you may need them for certain options which are displayed under the command line. So, how do I make my keyboard go to F24? Simple, add 12 to each F key, and hold Shift (F13 = Shift+F1).
On to the keypad. The + key on your keypad no longer means +, but rather, Field Exit. This is a useful key as it will clear anything left of the cursor and will also enter data on lines that have a + (________+) at the end. If you happen to hit Enter before you hit Field Exit, your terminal will lock up to tell you that you made a mistake. To get out of this, hit the right Ctrl key (reset).
Last but not least, two of the most commonly used keys are the Prompt Key (F4) and the Attn key, or Esc on PC. The Prompt Key will allow you to see more options on certain commands. For instance, say I wanted to look up every User ID on my system, but I didn't know how to get all of them. Well, typing WRKUSRPRF and hitting F4 will allow the system to tell me if I used the *ALL option so I could see all the User IDs. This is also good if you want to option a specific file or job. The Attn key will allow you to see an Operator Menu. This menu will have the commands listed with a numerical option number beside it. Sort of a shortcut key.
I Wanna See The World!
So we know it's a mainframe, and that means networks.
Well, as listed above, the command WRKCFGSTS *CTL will allow you to see all the machines connected to AS/400. If you want to play on another machine, you can Telnet over with the TN or TELNET command, but that's another story.
Covering Your Tracks
This is perhaps one of the most important areas.
I use it all the time (like when I downloaded all the corporate IDs or Telnet to the UNIX box). Every user has space allocated for their User ID. Most of this is taken up by specific user reports, but it also contains a user Job Log.
To access your space you would type WRKSPLF (Work Spool File) and hit F11 to see the dates the files were created.
Look for something titled QPJOBLOG with today's date and delete it with Option 4. Now, the job log contains mostly garbage, sometimes spanning 64 pages for eight hours of work (to view it use Option 5), but it will still contain 90 percent of what you were doing.
Say you moved something or ran a job. The Job Log will show it and the return code of the job you ran. Now, your User ID may not have the ability to delete items. If this is the case, then you'd better find another ID, or play nice so they have no reason to look at your log.
Job Logs are deleted regularly after an extended period of time depending on the system's configuration, but don't count on that. Always cover yourself.
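From the operator's side, the events described in the last few sections (three failed sign-ons disabling a profile, a profile being re-enabled soon after, and a QPJOBLOG spooled file being deleted by its owner) are exactly the things worth alerting on. The following is an added example, not code from the original text: detection logic run over a constructed log. The line format ("timestamp user event [detail]") and the event names are invented for this demo and are not the format of any real AS/400 message queue or audit journal; the 15-minute "fast reset" window and the three-strike count are assumptions that a site would tune.

```python
"""Flag the operator-console events the text describes, from a defender's view.

Added example, not from the original text. The log lines below are constructed
in a simple 'timestamp user event [detail]' shape for this demo; they are NOT
the format of any real AS/400 message queue or audit journal.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real system output). It mirrors the text: three
# failed sign-ons disable OPJCO999, QSYSOPR re-enables it a few minutes later,
# and the user later deletes a QPJOBLOG spooled file.
SAMPLE_LOG = """\
2024-03-04 08:00:01 OPJCO999 SIGNON_FAILED
2024-03-04 08:00:09 OPJCO999 SIGNON_FAILED
2024-03-04 08:00:17 OPJCO999 SIGNON_FAILED
2024-03-04 08:00:17 OPJCO999 PROFILE_DISABLED
2024-03-04 08:03:40 QSYSOPR PROFILE_ENABLED OPJCO999
2024-03-04 08:05:02 OPJCO999 SIGNON_OK
2024-03-04 16:30:11 OPJCO999 SPLF_DELETED QPJOBLOG
2024-03-04 16:31:00 QSECOFR SPLF_DELETED QPRINT
"""


def parse(log_text):
    """Turn the constructed log into dicts with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append({
            "ts": ts,
            "user": parts[2],
            "event": parts[3],
            "detail": parts[4] if len(parts) > 4 else None,
        })
    return events


def find_alerts(events, reset_window=timedelta(minutes=15), strikes=3):
    """Return (alert_type, user, timestamp) tuples in log order.

    LOCKOUT        - a profile reached the strike count of failed sign-ons.
    FAST_RESET     - a disabled profile was re-enabled within reset_window,
                     the scenario the text calls "catching it" before a
                     password change; worth a second look by the operator.
    JOBLOG_DELETED - a QPJOBLOG spooled file was deleted (anti-forensics).
    """
    alerts = []
    fails = defaultdict(int)   # consecutive failed sign-ons per user
    disabled_at = {}           # user -> time the profile was disabled
    for ev in events:
        user, kind = ev["user"], ev["event"]
        if kind == "SIGNON_FAILED":
            fails[user] += 1
            if fails[user] == strikes:
                alerts.append(("LOCKOUT", user, ev["ts"]))
        elif kind == "SIGNON_OK":
            fails[user] = 0
        elif kind == "PROFILE_DISABLED":
            disabled_at[user] = ev["ts"]
        elif kind == "PROFILE_ENABLED":
            target = ev["detail"]
            if target in disabled_at and ev["ts"] - disabled_at[target] <= reset_window:
                alerts.append(("FAST_RESET", target, ev["ts"]))
        elif kind == "SPLF_DELETED" and ev["detail"] == "QPJOBLOG":
            alerts.append(("JOBLOG_DELETED", user, ev["ts"]))
    return alerts


def detect(log_text=SAMPLE_LOG):
    """Convenience wrapper: parse then alert."""
    return find_alerts(parse(log_text))


if __name__ == "__main__":
    for kind, user, ts in detect():
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:15} {user}")
```

The deletion of QPRINT by QSECOFR is deliberately not flagged: the text's point is that the job log, not ordinary print output, is what records a user's activity, so that is the spooled file whose removal deserves attention.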
In Conclusion
You know what everyone says, but keep this in mind.
Most companies that own an AS/400 system are rather rich and will go after you if you f*ck something up. So, play it safe... and happy hacking.