MF-RACF-BRUTECredential Access

z/OS RACF / TopSecret Brute

Mainframe userIDs with predictable patterns and short / dictionary passwords — Kerberos / RACF TN3270 sessions are bruteforceable.

§ Where this technique fits

MF-RACF-BRUTE is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

z/OS TN3270 → RACF userID brute → mainframe shell
Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow predictable HR scheme. Brute-force passwords; many environments allow short / dictionary passwords for legacy reasons.
step 3 / 6

§ What commonly comes next

01
Valid Accounts
T1078 · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

z/OS TN3270 → RACF userID brute → mainframe shell

§ What commonly comes next