1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
|
local stdnse = require "stdnse"
local shortport = require "shortport"
local stringaux = require "stringaux"
local tn3270 = require "tn3270"
local table = require "table"
description = [[
Using the CICS transaction CEMT, this script attempts to gather information
about the current CICS transaction server region. It gathers OS information,
Datasets (files), transactions and user ids. Based on CICSpwn script by
Ayoub ELAASSAL.
]]
---
-- @args cics-info.commands Command used to access cics. Default is <code>cics</code>
-- @args cics-info.cemt CICS Transaction ID to be used. Default is <code>CEMT</code>
-- @args cics-info.trans Instead of gathering all transaction IDs supplying a name here
-- will make the script only look up one transaction ID
-- @args cics-info.user Username to use if access to CEMT requires authentication
-- @args cics-info.pass Password to use if access to CEMT requires authentication
--
-- @usage
-- nmap --script=cics-info -p 23 <targets>
--
-- nmap --script=cics-info --script-args cics-info.commands='logon applid(coolcics)',
-- cics-info.user=test,cics-info.pass=test,cics-info.cemt='ZEMT',
-- cics-info.trans=CICA -p 23 <targets>
--
-- @output
-- PORT STATE SERVICE VERSION
-- 23/tcp open tn3270 IBM Telnet TN3270 (TN3270E)
-- | cics-info:
-- | Security: Disabled
-- | System:
-- | z/OS Version: 02.01.00
-- | CICS Version: 05.02.00
-- | System ID: CICS
-- | Application ID: CICSFAKE
-- | Default User: USERCICS
-- | Datasets:
-- | CICS.FILEA
-- | HLQ123.CICS.DFHCSD
-- | HLQ123.CICS.DFHLRQ
-- | Libraries:
-- | HLQ123.CICS.SDFHLOAD
-- | Users:
-- | USERCICS
-- | Transaction / Program:
-- | AADD / DFH$AALL
-- | ABRW / DFH$ABRW
-- | AINQ / DFH$AALL
-- | AMNU / DFH$AMNU
-- | AORD / DFH$AREN
-- | AORQ / DFH$ACOM
-- | AREP / DFH$AREP
-- | AUPD / DFH$AALL
-- | CADP / DFHDPLU
-- ...
-- | CEDX / DFHEDFP
-- | CEGN / DFHCEGN
-- | CEHP / DFHCHS
-- | CEHS / DFHCHS
-- | CEJR / DFHEJITL
-- | CEMN / DFHCEMNA
-- | CEMT / DFHEMTP
-- | CEOT / DFHEOTP
-- | CXRT / DFHCRT
-- | DSNC / DFHD2CM1
-- @changelog
-- 2017-01-30 - v0.1 - created by Soldier of Fortran
author = "Philip Young aka Soldier of Fortran"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}
portrule = shortport.port_or_service({23,992}, "tn3270")
--- Gathers CICS transaction server information
--
-- @param host host NSE object
-- @param port port NSE object
-- @param user CICS userID
-- @param pass CICS userID password
-- @param commands optional script-args of commands to use to get to CICS
-- @param cemt transaction ID to use instead of CEMT
-- @param trans transaction ID to check instead of gathering all
-- @return Status boolean true if CICS was detected.
-- @return Table of information or error message
local function cics_info( host, port, commands, user, pass, cemt, trans )
stdnse.debug("Checking for CICS")
local tn = tn3270.Telnet:new()
local status, err = tn:initiate(host,port)
local msg = 'Unable to get to CICS'
local more = true
local count = 1
local results = stdnse.output_table()
if not status then
stdnse.debug("Could not initiate TN3270: %s", err )
return false, msg
end
tn:get_screen_debug(2) -- prints TN3270 screen to debug
stdnse.debug("Getting to CICS")
local run = stringaux.strsplit(";%s*", commands)
for i = 1, #run do
stdnse.debug(1,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
tn:send_cursor(run[i])
tn:get_all_data()
tn:get_screen_debug(2)
end
tn:get_all_data()
tn:get_screen_debug(2) -- for debug purposes
-- we should technically be at CICS. So we send:
-- * F3 to exit the CICS program
-- * CLEAR (a tn3270 command) to clear the screen.
-- (you need to clear before sending a transaction ID)
-- * a known default CICS transaction ID with predictable outcome
-- (CESF with 'Sign-off is complete.' as the result)
-- to confirm that we were in CICS. If so we return true
-- otherwise we return false
local count = 1
while not tn:isClear() and count < 6 do
-- some systems will just kick you off others are slow in responding
-- this loop continues to try getting out of CESL 6 times. If it can't
-- then we probably weren't in CICS to begin with.
if tn:find("Signon") then
stdnse.debug(2,"Found CESL/CESN 'Signon' sending PF3")
tn:send_pf(3)
tn:get_all_data()
end
tn:get_all_data()
stdnse.debug(2,"Clearing the Screen")
tn:send_clear()
tn:get_all_data()
tn:get_screen_debug(2)
count = count + 1
end
if count == 6 then
return false, msg
end
stdnse.debug(2,"Sending CESF (CICS Default Sign-off)")
tn:send_cursor('CESF')
tn:get_all_data()
if tn:isClear() then
tn:get_all_data(1000)
end
tn:get_screen_debug(2)
if not tn:find('off is complete.') then
return false, 'Unable to get to CICS. Try --script-args cics-info.commands="logon applid(<applid>)"'
end
if user and pass then -- We're doing authenticated CICS testing now baby!
stdnse.verbose(2,'Logging in with %s / %s for auth testing', user, pass)
tn:send_clear()
tn:get_all_data()
tn:get_screen_debug(2)
tn:send_cursor('CESN')
tn:get_all_data()
tn:get_screen_debug(2)
local fields = tn:writeable() -- Get the writeable field areas
local user_loc = {fields[1][1],user} -- This is the 'UserID:' field
local pass_loc = {fields[3][1],pass} -- This is the 'Password:' field ([2] is a group ID)
stdnse.verbose('Trying CICS: %s : %s', user, pass)
tn:send_locations({user_loc,pass_loc})
tn:get_all_data()
stdnse.debug(2,"Screen Received for User ID: %s / %s", user, pass)
tn:get_screen_debug(2)
count = 1
while not tn:find('DFHCE3549') and count < 6 do
tn:get_all_data(1000) -- loop for 6 seconds
tn:get_screen_debug(2)
count = count + 1
end
if not tn:find('DFHCE3549') then
msg = 'Unable to access CICS with User: '..user..' / Pass: '..pass
return false, msg
end
end
-- By now it's time to start trying to gather information
tn:send_clear()
tn:get_all_data()
tn:send_cursor('CESN')
tn:get_all_data()
tn:get_screen_debug(2)
results["Security"] = tn:find('DFHCE3547') and "Enabled" or "Disabled"
stdnse.debug(2,"Sending F3")
tn:send_pf(3)
tn:get_all_data()
tn:get_screen_debug(2)
stdnse.debug(2,"Sending 'Clear Screen'")
tn:send_clear()
tn:get_all_data()
tn:get_screen_debug(2)
stdnse.verbose(2,"Sending 'CEMT INQUIRE SYSTEM'")
tn:send_cursor('CEMT INQUIRE SYSTEM')
tn:get_all_data()
tn:get_screen_debug(2)
if tn:find('DFHAC2002') then
results["Error"] = 'CEMT Access Denied.'
return true, results
elseif tn:find('NOT AUTHORIZED') then
results["System"] = "CEMT 'INQUIRE SYSTEM' Access Denied."
else
local sysresults = stdnse.output_table()
local l1, l2 = tn:find('Oslevel')
local oslevel = tn:get_screen_raw():sub(l2+2,l2+7)
l1, l2 = tn:find('Cicstslevel')
local cicstslevel = tn:get_screen_raw():sub(l2+2,l2+7)
l1, l2 = tn:find('Dfltuser')
local Dfltuser = tn:get_screen_raw():sub(l2+2,l2+10)
local Dfltuser_len = Dfltuser:find(')')
l1, l2 = tn:find('Db2conn')
local Db2conn = tn:get_screen_raw():sub(l2+2,l2+10)
local Db2conn_len = Db2conn:find(')')
l1, l2 = tn:find('Mqconn')
local Mqconn = tn:get_screen_raw():sub(l2+2,l2+10)
local Mqconn_len = Mqconn:find(')')
l1, l2 = tn:find('SYSID')
local SYSID = tn:get_screen_raw():sub(l2+2,l2+10)
local SYSID_len = SYSID:find('\00')
l1, l2 = tn:find('APPLID')
local APPLID = tn:get_screen_raw():sub(l2+2,l2+10)
local APPLID_len = APPLID:find('\00')
sysresults["z/OS Version"] = ("%s.%s.%s"):format( oslevel:sub(1,2),oslevel:sub(3,4),oslevel:sub(5,6) )
sysresults["CICS Version"] = ("%s.%s.%s"):format( cicstslevel:sub(1,2),cicstslevel:sub(3,4),cicstslevel:sub(5,6) )
sysresults["System ID"] = SYSID:sub(1,SYSID_len-1)
sysresults["Application ID"] = APPLID:sub(1,APPLID_len-1)
sysresults["Default User"] = Dfltuser:sub(1,Dfltuser_len-1)
if Db2conn_len > 1 then
sysresults["DB2 Connection"] = Db2conn:sub(1,Db2conn_len-1)
end
if Mqconn_len > 1 then
sysresults["MQ Connection"] = Mqconn:sub(1,Mqconn_len-1)
end
results["System"] = sysresults
end -- Done with INQUIRE SYSTEM
stdnse.debug(2,"Sending F3")
tn:send_pf(3)
tn:get_all_data()
tn:get_screen_debug(2)
stdnse.debug(2,"Sending 'Clear Screen'")
tn:send_clear()
tn:get_all_data()
tn:get_screen_debug(2)
stdnse.verbose(2,"Sending 'CEMT INQUIRE DSNAME'")
tn:send_cursor('CEMT INQUIRE DSNAME')
tn:get_all_data()
tn:get_screen_debug(2)
if tn:find('NOT AUTHORIZED') then
results["Datasets"] = "CEMT 'INQUIRE DSNAME' Access Denied."
else
local datasets = {}
while more do
more = false
for line in tn:get_screen():gmatch("[^\r\n]+") do
if line:find('Dsn') then
table.insert(datasets,line:sub(line:find('%(')+1, line:find(')')-1):match( "(.-)%s*$" ))
if count >= 9 and line:find('+') then
more = true
count = 1
stdnse.debug(2,"Sending F11")
tn:send_pf(11)
tn:get_all_data()
tn:get_screen_debug(2)
else
count = count + 1
end
end
end
end
results["Datasets"] = datasets
end -- Done with DSNAME
stdnse.debug(2,"Sending F3")
tn:send_pf(3)
tn:get_all_data()
tn:get_screen_debug(2)
stdnse.debug(2,"Sending 'Clear Screen'")
tn:send_clear()
tn:get_all_data()
tn:get_screen_debug(2)
stdnse.verbose(2,"Sending 'CEMT INQUIRE LIBRARY'")
tn:send_cursor('CEMT INQUIRE LIBRARY')
tn:get_all_data()
tn:get_screen_debug(2)
if tn:find('NOT AUTHORIZED') then
results["Libraries"] = "CEMT 'INQUIRE LIBRARY' Access Denied."
else
local libraries = {}
for line in tn:get_screen():gmatch("[^\r\n]+") do
if line:find('Dsname') then
table.insert(libraries,line:sub(line:find('%(')+1, line:find(')')-1):match( "(.-)%s*$" ))
end
end
results["Libraries"] = libraries
end -- Done with Library
stdnse.debug(2,"Sending F3")
tn:send_pf(3)
tn:get_all_data()
tn:get_screen_debug(2)
stdnse.debug(2,"Sending 'Clear Screen'")
tn:send_clear()
tn:get_all_data()
tn:get_screen_debug(2)
stdnse.verbose(2,"Sending 'CEMT INQUIRE TASK'")
tn:send_cursor('CEMT INQUIRE TASK')
tn:get_all_data()
tn:get_screen_debug(2)
if tn:find('NOT AUTHORIZED') then
results["Users"] = "CEMT 'INQUIRE TASK' Access Denied."
else
count = 1
more = true
local users = {}
while more do
more = false
for line in tn:get_screen():gmatch("[^\r\n]+") do
if line:find('Use') then
table.insert(users,line:sub(line:find('Use')+4, line:find(')',line:find('Use'))-1):match( "(.-)%s*$" ))
if count >= 9 and line:find('+') then
more = true
count = 1
stdnse.debug(2,"Sending F11")
tn:send_pf(11)
tn:get_all_data()
tn:get_screen_debug(2)
else
count = count + 1
end
end
end
end
results["Users"] = users
end -- End of TASK
stdnse.debug(2,"Sending F3")
tn:send_pf(3)
tn:get_all_data()
tn:get_screen_debug(2)
stdnse.debug(2,"Sending 'Clear Screen'")
tn:send_clear()
tn:get_all_data()
tn:get_screen_debug(2)
stdnse.verbose(2,"Sending 'CEMT INQUIRE TRANSACTION(".. trans ..") en'")
tn:send_cursor('CEMT INQUIRE TRANSACTION('.. trans ..') en')
tn:get_all_data()
tn:get_screen_debug(2)
if tn:find('NOT AUTHORIZED') then
results["Transaction / Program"] = "CEMT 'INQUIRE TRANSACION' Access Denied."
else
local transactions = {}
count = 1
more = true
local tra, pro = ''
while more do
more = false
for line in tn:get_screen():gmatch("[^\r\n]+") do
if line:find('Tra%(') then
tra = line:sub(line:find('%(')+1,line:find(')')-1)
pro = line:sub(line:find('Pro%(')+4,line:find(')',line:find('Pro%('))-1)
table.insert(transactions,tra..' / '..pro)
if count >= 9 and line:find('+') then
more = true
count = 1
stdnse.debug(2,"Sending F11")
tn:send_pf(11)
tn:get_all_data()
tn:get_screen_debug(2)
else
count = count + 1
end
end
end
end
results["Transaction / Program"] = transactions
end -- Done with Transaction IDs
tn:disconnect()
return true, results
end
action = function(host, port)
local commands = stdnse.get_script_args(SCRIPT_NAME .. '.commands') or 'cics'-- VTAM commands/macros to get to CICS
local username = stdnse.get_script_args(SCRIPT_NAME .. '.user') or nil
local password = stdnse.get_script_args(SCRIPT_NAME .. '.pass') or nil
if (username or password) and not (username and password) then
stdnse.verbose1("Both 'user' and 'pass' are required for CICS auth")
end
local CEMT = stdnse.get_script_args(SCRIPT_NAME .. '.cemt') or 'cemt' -- to supply a different transaction ID if they've changed it
local transaction = stdnse.get_script_args(SCRIPT_NAME .. '.trans') or '*'
local status, results = cics_info(host, port, commands, username, password, CEMT, transaction)
-- Report results. Only report an error if
-- script args were set or the service is definitely TN3270
if status or username or password or port.service == "tn3270" then
return results
end
end
|
