Usage of hack400scanner - hackthelegacy/hack400tool GitHub Wiki

Usage of the hack400scanner tool

How to run?

You can find hack400scanner in the dist folder.

Either double-click on it or run it from the command line using java -jar hack400scanner.jar. Since this tool is intended to be used by professionals, the current version presents debug messages in the log.

GUI

The main window of hack400 looks as follows:

Connecting to the system

To start, enter the system DNS name (or IP address), user name and password into the designated fields. If you wish to connect using secure ports, make sure that the Use SSL option is checked. You may also specify a library where the temporary output will be stored, and choose the option to create that library. For production scans, we recommend using QTEMP in order to minimise the number of scan leftovers on the system. You can also check various functions, such as the use of net sockets or JDBC, depending on your system configuration.

Finally, you can select the output folder where all scan results will be stored. By default it is the running folder of the jar file.

To connect to the system, press the Connect button. After a successful connection attempt, the scan functionality will be enabled.

Performing the scans

Upon successful connection, you may select one or multiple scan types from the list and press the Run scan button. Please note that some of the functions, like generating the user access matrix, checking SST users or grabbing system hashes, require specific access rights such as *ALLOBJ or *SYSADM. Without them, running the scan may result in error messages or incomplete/unreliable results.

Reviewing the results

After scan completion the results will be stored in the output directory, and a full job log will be created in the log directory.

Privilege escalation

Depending on the system (mis)configuration and your privileges, you may be able to use the Privilege escalation function. In order to get an initial list of users you can escalate to, enter the designated user name in the Escalate to field or push the Get escalation users button to fill in the combo box.

Before using this function, please note:

  • Make sure you know what you are doing, especially when playing with production systems.
  • On large systems (with thousands of users) or when the connection is slow, the user list generation may work very slowly or result in timeouts and error messages.
  • Depending on your privileges, the generated list may also include some users you cannot really escalate to due to system restrictions. Examples are users QDBSHR, QDBSHRDO, QTMPLPD. In that case, you will receive an error message after trying to escalate.

After the list of users has been generated, you may choose the user you want to switch to and click on the Escalate button. If the escalation succeeds, a confirmation message will appear in the log.

As a result of escalation:

  • All scans will run with the rights of the escalation user.
  • You can use Get escalation users again to see whether you can perform another step of privilege escalation.

If you are unsure of this function, please use hack400exploiter first to check the system's reaction.

IMPORTANT - note for SSL use

This program was written and compiled in compatibility mode for JDK1.7 and is designed to automatically accept self-signed certificates. However, your specific Java version or the settings in java.security may prevent that, and may also restrict the use of e.g. weak encryption algorithms, leading to SSL handshake errors. Should any SSL-related errors occur, please consult the Java documentation for your specific situation. You may also wish to add your trusted certificates using <JAVA HOME>\bin\keytool -importcert -v -trustcacerts -file <certificate .cer file> -keystore <certificate store, usually cacerts>.
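
To see which java.security restriction could explain an SSL handshake error, the following Python sketch (an added example, not part of hack400tool) parses the jdk.tls.disabledAlgorithms property and reports which entries match a given protocol, cipher suite and key size. The sample file content is constructed, and the matching is a simplified approximation of the JDK's own check that handles only plain names and keySize rules.

```python
import operator
import re
# Constructed java.security fragment for illustration (not copied from a JDK).
SAMPLE = r"""
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \
    MD5withRSA, DH keySize < 1024, EC keySize < 224, \
    3DES_EDE_CBC, anon, NULL
"""
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def read_property(text, name):
    """Return a .properties value, joining backslash-continued lines."""
    value, buf = None, ""
    for raw in text.splitlines() + [""]:
        buf += raw.strip()
        if buf.endswith("\\") and buf[0] not in "#!":   # comments never continue
            buf = buf[:-1]
            continue
        key, sep, val = buf.partition("=")
        buf = ""
        if sep and key.strip() == name:
            value = val.strip()                         # last definition wins
    return value

def parse_constraints(value):
    """Split the list into plain names and (algorithm, op, bits) rules."""
    names, rules = [], []
    for item in filter(None, (v.strip() for v in value.split(","))):
        m = re.fullmatch(r"(\S+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)", item)
        if m:
            rules.append((m[1], m[2], int(m[3])))
        else:
            names.append(item)
    return names, rules

def why_blocked(names, rules, protocol, suite, key_alg="", key_bits=None):
    """List the reasons a handshake with these parameters would be refused."""
    reasons, tokens = [], suite.casefold().split("_")
    for n in names:
        sub = n.casefold().split("_")   # match whole tokens, so DES != 3DES
        if n.casefold() == protocol.casefold():
            reasons.append(f"protocol {n} disabled")
        elif any(tokens[i:i + len(sub)] == sub for i in range(len(tokens))):
            reasons.append(f"cipher suite component {n} disabled")
    for alg, op, bits in rules:
        if key_bits is not None and alg.casefold() == key_alg.casefold() and OPS[op](key_bits, bits):
            reasons.append(f"{alg} key of {key_bits} bits violates keySize {op} {bits}")
    return reasons
```

To check a real installation, pass the text of the java.security file to read_property; it is found under conf/security in JDK 9 and later and under jre/lib/security (or lib/security in a JRE) in earlier versions.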
