My health has been a little bit rusty for the past few weeks. A sign that you are getting older and closer to the grave. Bi-'aunika ya Latif!
I was asked by some random colleagues about the usual findings on an AS/400 (IBM i) system. Pentesting an AS/400 is quite rare, frankly. You can use your typical scanner to find the usual bugs, but for IBM i specific vulnerabilities, here is a list of findings that could give you a kickstart.
- Check the access security level via the QSECURITY system value (https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzarl/rzarlseclvl.htm). At best it should be at level 30 or above. Running at level 20 or below is dangerous, as any user of the system will be able to access all objects.
- Weak system password policy. Running the ANZDFTPWD command (https://www.ibm.com/support/knowledgecenter/es/ssw_ibm_i_73/cl/anzdftpwd.htm) will expose the list of user profiles that still use the default password (a password identical to the profile name).
- Check for insecure user profile authorities. The command PRTPUBAUT OBJTYPE(*USRPRF) (https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/cl/prtpubaut.htm) prints the public authority of user profile objects. It lists all the insecure user profiles that can be impersonated by any authenticated system user. Impersonation is confirmed if the profile has any *PUBLIC authority other than *EXCLUDE.
- Unprotected WebSphere console. Check port 9060.
- Check whether the user profile has access to the QCMD program. If it does, it is possible to run or view system-level commands. https://community.helpsystems.com/knowledge-base/rjs/rjs-general/iseries-command-line-commands/
- Clear-text protocol support.
- FTP privileged anonymous access. In some cases, just entering a valid username, without a password, will allow access.
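The user profile authority check above is a rule you can apply mechanically to the PRTPUBAUT output. The script below is an added example (not part of the original post or of any IBM tooling): it parses a constructed, simplified stand-in for a PRTPUBAUT OBJTYPE(*USRPRF) report and flags every profile whose *PUBLIC authority is anything other than *EXCLUDE. The column layout of the sample is an assumption; adjust the regular expression to the real spooled report.

```python
"""Flag user profiles that any authenticated user could impersonate.

Rule (from the finding): a user profile whose *PUBLIC authority is not
*EXCLUDE can be used by any authenticated user, e.g. to submit jobs under it.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled loosely on a PRTPUBAUT OBJTYPE(*USRPRF)
# report; the real report has more columns and a different layout.
SAMPLE_REPORT = """\
Public Authorities (constructed sample)
Object      Library     Type      Owner       Public Auth
QSECOFR     QSYS        *USRPRF   QSYS        *EXCLUDE
APPUSER     QSYS        *USRPRF   QSECOFR     *USE
BATCHJOB    QSYS        *USRPRF   QSECOFR     *CHANGE
REPORTER    QSYS        *USRPRF   QSECOFR     USER DEF
AUDITOR     QSYS        *USRPRF   QSECOFR     *EXCLUDE
"""


@dataclass
class ProfileAuth:
    name: str
    owner: str
    public_auth: str


# Only rows whose object type is *USRPRF are data rows; header and title
# lines do not match. The last column may contain a space ("USER DEF").
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+\*USRPRF\s+(\S+)\s+(.+?)\s*$")


def parse_report(text: str) -> list[ProfileAuth]:
    """Extract (profile, owner, *PUBLIC authority) from the report text."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(ProfileAuth(m.group(1), m.group(3), m.group(4)))
    return rows


def impersonable(rows: list[ProfileAuth]) -> list[str]:
    """Names of profiles whose *PUBLIC authority is not *EXCLUDE."""
    return [r.name for r in rows if r.public_auth.upper() != "*EXCLUDE"]


if __name__ == "__main__":
    for name in impersonable(parse_report(SAMPLE_REPORT)):
        print(f"FINDING: {name} has *PUBLIC authority other than *EXCLUDE")
```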
For SCR (source code review): most of the code is written in RPG or COBOL. Any application exposed via the web is usually executed under CGI.