summaryrefslogtreecommitdiffstats
path: root/scripts/nje-pass-brute.nse
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--scripts/nje-pass-brute.nse148
1 files changed, 148 insertions, 0 deletions
diff --git a/scripts/nje-pass-brute.nse b/scripts/nje-pass-brute.nse
new file mode 100644
index 0000000..5cb29f6
--- /dev/null
+++ b/scripts/nje-pass-brute.nse
@@ -0,0 +1,148 @@
+local string = require "string"
+local stdnse = require "stdnse"
+local shortport = require "shortport"
+local brute = require "brute"
+local creds = require "creds"
+local unpwdb = require "unpwdb"
+local drda = require "drda"
+local comm = require "comm"
+
+description = [[
+z/OS JES Network Job Entry (NJE) 'I record' password brute forcer.
+
+After successfully negotiating an OPEN connection request, NJE requires sending,
+what IBM calls, an 'I record'. This initialization record may sometimes require
+a password. This script, provided with a valid OHOST/RHOST for the NJE connection,
+brute forces the password.
+
+Most systems only have one password, it is recommended to use the
+<code>brute.firstonly</code> script argument.
+]]
+
+
+---
+-- @usage
+-- nmap -sV --script=nje-pass-brute --script-args=ohost='POTATO',rhost='CACTUS' <target>
+-- nmap --script=nje-pass-brute --script-args=ohost='POTATO',rhost='CACTUS',sleep=5 -p 175 <target>
+--
+-- @args nje-pass-brute.ohost The target NJE server OHOST value.
+--
+-- @args nje-pass-brute.rhost The target NJE server RHOST value.
+--
+-- @args nje-pass-brute.sleep NJE only allows one connection from a valid OHOST.
+-- The sleep value ensures only one connection is valid
+-- at a time. The default is 1 second.
+-- @output
+-- PORT STATE SERVICE VERSION
+-- 175/tcp open nje IBM Network Job Entry (JES)
+-- | nje-pass-brute:
+-- | NJE Password:
+-- | Password:A - Valid credentials
+-- |_ Statistics: Performed 8 guesses in 12 seconds, average tps: 0
+--
+-- @changelog
+-- 2016-03-22 - v0.1 - created by Soldier of Fortran
+
+author = "Soldier of Fortran"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"intrusive", "brute"}
+
+portrule = shortport.port_or_service({175,2252}, "nje")
+
+local openNJEfmt = "\xd6\xd7\xc5\xd5@@@@%s\0\0\0\0%s\0\0\0\0\0"
+local sohenq = "\0\0\0\x12\0\0\0\0\0\0\0\x02\x01\x2d\0\0\0\0"
+local dleack = "\0\0\0\x12\0\0\0\0\0\0\0\x02\x10\x70\0\0\0\0"
+-- NJE I Record: first %s is RHOST second is password * 2
+local iRECfmt = "\0\0\0\x3e\0\0\0\0\0\0\0\x2e\x10\x02\x80\x8f\xcf\xf0\xc9\x29%s\x01\0\0\0\0\0\x64\x80\x00%s\0\x15\0\0\0\0\0\0\0"
+
+Driver = {
+ new = function(self, host, port, options)
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ o.host = host
+ o.port = port
+ o.options = options
+ return o
+ end,
+
+ connect = function( self )
+ -- the high timeout should take delays into consideration
+ local s, r, opts, _ = comm.tryssl(self.host, self.port, '', { timeout = 50000 } )
+ if ( not(s) ) then
+ stdnse.debug("Failed to connect")
+ return false, "Failed to connect to server"
+ end
+ self.socket = s
+ return true
+ end,
+
+ disconnect = function( self )
+ stdnse.sleep(self.options['sleep'])
+ return self.socket:close()
+ end,
+
+ login = function( self, username, password )
+ stdnse.verbose(2,"Trying... %s", password)
+
+ -- Open the connection by sending OPEN NJE packet
+ local openNJE = openNJEfmt:format(drda.StringUtil.toEBCDIC(("%-8s"):format(self.options['rhost'])),
+ drda.StringUtil.toEBCDIC(("%-8s"):format(self.options['ohost'])) )
+ local status, err = self.socket:send( openNJE )
+ if not status then return false, brute.Error:new("Failed to send OPEN") end
+ local status, data = self.socket:receive_bytes(33)
+ if not status then return false, brute.Error:new("Failed to receive") end
+ -- Make sure the response is valid
+ if data:sub(-1) ~= "\0" then
+ err = brute.Error:new("Invalid OHOST (".. self.options['ohost'] ..") or RHOST (".. self.options['rhost'] ..")")
+ err:setAbort(true) -- no point continuing if these aren't correct
+ return false, err
+ end
+ -- Next send SOH & SEQ
+ status, err = self.socket:send( sohenq )
+ if not status then return false, brute.Error:new("Failed to send SOH/ENQ") end
+ status, data = self.socket:receive_bytes(18)
+ if not status or data ~= dleack then return false, brute.Error:new("Failed to receive") end
+ -- Finally send an I record with the password
+ local njePKT = iRECfmt:format( drda.StringUtil.toEBCDIC(("%-8s"):format(self.options['rhost'])),
+ drda.StringUtil.toEBCDIC(("%-8s"):format(password:upper())):rep(2))
+ status, err = self.socket:send( njePKT )
+ if not status then return false, brute.Error:new("Failed to send NJE Packet") end
+ status, data = self.socket:receive_bytes(19)
+ if not status then return false, "Failed to receive" end
+ -- When we send an 'I' record, if the password is invalid it will reply with a 'B' record
+ -- B in EBCDIC is 0xC2
+ if data:sub(19,19) ~= "\xc2" then
+ stdnse.verbose(2,"Valid NJE Password: %s", password)
+ return true, creds.Account:new("Password", password, creds.State.VALID)
+ end
+ return false, brute.Error:new( "Invalid Password" )
+ end,
+}
+
+-- Checks string to see if it follows node naming limitations
+local valid_pass = function(x)
+ local patt = "[%w@#%$]"
+ return (string.len(x) <= 8 and string.match(x,patt))
+end
+
+action = function( host, port )
+ local r_host = stdnse.get_script_args('nje-pass-brute.rhost') or nil
+ local o_host = stdnse.get_script_args('nje-pass-brute.ohost') or nil
+ local sleep = stdnse.get_script_args('nje-pass-brute.sleep') or 1
+ if not o_host or not r_host then
+ return false, "No OHOST or RHOST set. Use --script-args nje-node-brute.rhost=\"<rhost>\",nje-node-brute.ohost=\"<ohost>\""
+ end
+ stdnse.verbose(2, "Using RHOST / OHOST: %s / %s", r_host:upper(), o_host:upper())
+ local options = { rhost = r_host:upper(), ohost = o_host:upper(), sleep = sleep }
+ local engine = brute.Engine:new(Driver, host, port, options)
+ local passwords = unpwdb.filter_iterator(brute.passwords_iterator(),valid_pass)
+ engine.options:setOption("passonly", true )
+ engine:setPasswordIterator(passwords)
+ -- Unfortunately only one OHOST/RHOST may be connected at once
+ engine:setMaxThreads(1)
+ engine.options.script_name = SCRIPT_NAME
+ engine.options:setTitle("NJE Password")
+ local status, result = engine:start()
+ return result
+end