Usage of hack400exploiter
You can find hack400exploiter in the dist folder.
Either double-click on it or run it from the command line using `java -jar hack400exploiter.jar`.
Since this tool is intended for professionals, the current version presents debug messages in the log.
The main window of hack400 looks as follows:
In order to start, enter the system DNS name (or IP address), user name and password into designated fields. If you wish to connect using secure ports, make sure that the Use SSL option is checked. Also, you may wish to specify a library where the temporary output will be stored, as well as choose an option to create a library. For production scans, we recommend using QTEMP in order to minimise the number of scan leftovers on the system. You can also check the Use JDBC option, should you wish to run SQL queries. To connect to the system, press the Connect button. After a successful connection attempt, the functionality on the right side will be enabled.
Upon successful connection, you may use multiple functionalities of this program, such as:
- Running CL commands
- Working with QSYS objects
- Editing and displaying physical file members
- Running SQL queries
- Exploring the system by remote QShell facility
- Escalating privileges and grabbing password hashes. 🌶
Please explore the tabs to run a specific function.
Depending on the system (mis)configuration and your privileges, you may be able to use the Privilege escalation function. In order to get an initial list of users you can escalate to, press the Generate user list button on the Privilege escalator tab. A progress bar will indicate the current scan status.
Before using it, please note:
- Make sure you know what you are doing, especially when playing with production systems.
- On large systems (with thousands of users) or over a slow connection, user list generation may be very slow or result in timeouts and error messages. If that is the case, wait patiently or use the Cancel button and try your luck again.
- Depending on your privileges, the generated list may also include some users you cannot really escalate to due to system restrictions. Examples are users QDBSHR, QDBSHRDO, QTMPLPD. In that case, you will receive an error message after trying to escalate.
After the list of users has been generated, you may choose the user you want to switch to and click the Escalate privileges button. If the escalation succeeds, a confirmation message will appear in the log.
As a result of escalation:
- All functionalities but SQL query* will run with the rights of the escalation user. You can check this by running the `id` command in Remote QShell.
- You can use Generate user list again to see whether you can perform another step of privilege escalation.
*Please note that the privilege escalation function does not affect the SQL query functionality, unless you run SQL queries from the Remote QShell facility.
The Privilege escalator tab allows for grabbing password hashes as well. After clicking the Generate user list button and choosing the designated user in the list, you may use the Grab the hash function to get password hash details. Please note that this functionality requires at least *ALLOBJ and *SECADM privileges. If you do not have these (either directly or by escalating your rights to another profile), you will receive an error message.
This program was written and compiled in compatibility mode for JDK 1.7 and is designed to automatically accept self-signed certificates. However, your specific Java version or settings in `java.security` may restrict that, as well as restrict the use of e.g. weak encryption algorithms, leading to SSL handshake errors. Please consult the Java documentation for your specific situation, should any SSL-related errors occur. You may also wish to add your trusted certificates using `<JAVA HOME>\bin\keytool -importcert -v -trustcacerts -file <certificate .cer file> -keystore <certificate store, usually cacerts>`.
Copyright (C) 2010-2017 Bart Kulach