1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
|
local nmap = require "nmap"
local string = require "string"
local stringaux = require "stringaux"
local stdnse = require "stdnse"
local shortport = require "shortport"
local tn3270 = require "tn3270"
local brute = require "brute"
local creds = require "creds"
local unpwdb = require "unpwdb"
description = [[
CICS User ID brute forcing script for the CESL login screen.
]]
---
-- @args cics-user-brute.commands Commands in a semi-colon separated list needed
-- to access CICS. Defaults to <code>CICS</code>.
--
-- @usage
-- nmap --script=cics-user-brute -p 23 <targets>
--
-- nmap --script=cics-user-brute --script-args userdb=users.txt,
-- cics-user-brute.commands="exit;logon applid(cics42)" -p 23 <targets>
--
-- @output
-- PORT STATE SERVICE
-- 23/tcp open tn3270
-- | cics-user-brute:
-- | Accounts:
-- | PLAGUE: Valid - CICS User ID
-- |_ Statistics: Performed 31 guesses in 114 seconds, average tps: 0
-- @changelog
-- 2016-08-29 - v0.1 - created by Soldier of Fortran
-- 2016-10-26 - v0.2 - Added RACF support
-- 2017-01-23 - v0.3 - Rewrote script to use fields and skip enumeration to speed up testing
-- 2019-02-01 - v0.4 - Disabled new TN3270E support
author = "Philip Young aka Soldier of Fortran"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}
portrule = shortport.port_or_service({23,992}, "tn3270")
--- Registers User IDs that no longer need to be tested
--
-- @param username to stop checking
local function register_invalid( username )
if nmap.registry.cicsinvalid == nil then
nmap.registry.cicsinvalid = {}
end
stdnse.debug(2,"Registering %s", username)
nmap.registry.cicsinvalid[username] = true
end
Driver = {
new = function(self, host, port, options)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
o.options = options
o.tn3270 = tn3270.Telnet:new(brute.new_socket())
o.tn3270:disable_tn3270e()
return o
end,
connect = function( self )
local status, err = self.tn3270:initiate(self.host,self.port)
self.tn3270:get_screen_debug(2)
if not status then
stdnse.debug("Could not initiate TN3270: %s", err )
return false
end
stdnse.debug(2,"Connect Successful")
return true
end,
disconnect = function( self )
self.tn3270:disconnect()
self.tn3270 = nil
return true
end,
login = function (self, user, pass)
local commands = self.options['key1']
local timeout = 300
local max_blank = 1
local loop = 1
local err
stdnse.debug(2,"Getting to CICS")
local run = stringaux.strsplit(";%s*", commands)
for i = 1, #run do
stdnse.debug(2,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
self.tn3270:send_cursor(run[i])
self.tn3270:get_all_data()
self.tn3270:get_screen_debug(2)
end
-- Are we at the logon transaction?
if not (self.tn3270:find('SIGN ON TO CICS') or self.tn3270:find("Signon to CICS")) then
-- We might be at some weird screen, lets try and exit it then clear it out
stdnse.debug(2,"Sending: F3")
self.tn3270:send_pf(3) -- send F3
self.tn3270:get_all_data()
stdnse.debug(2,"Clearing the Screen")
self.tn3270:send_clear()
self.tn3270:get_all_data()
self.tn3270:get_screen_debug(2)
stdnse.debug(2,"Sending 'CESL'")
self.tn3270:send_cursor('CESL')
self.tn3270:get_all_data()
-- Have we encoutered a slow system?
if self.tn3270:isClear() then
self.tn3270:get_all_data(1000)
end
self.tn3270:get_screen_debug(2)
end
-- At this point we MUST be at CESL to try accounts.
-- If we're not then we quit with an error
if not (self.tn3270:find('SIGN ON TO CICS') or self.tn3270:find("Signon to CICS")) then
local err = brute.Error:new( "Can't get to CESL")
err:setRetry( true )
return false, err
end
-- Ok we're good we're at CESL. Send the Userid and Password.
local fields = self.tn3270:writeable() -- Get the writeable field areas
local user_loc = {fields[2][1],user} -- This is the 'UserID:' field
local pass_loc = {fields[4][1],pass} -- This is the 'Password:' field ([2] is a group ID)
stdnse.verbose('[BRUTE] Trying CICS: ' .. user ..' : ' .. pass)
stdnse.debug(3,"[BRUTE] Location:" .. fields[2][1] .. " x " .. fields[4][1])
self.tn3270:send_locations({user_loc,pass_loc})
self.tn3270:get_all_data()
stdnse.debug(2,"Screen Received for User ID: %s/%s", user, pass)
self.tn3270:get_screen_debug(2)
local loop = 1
while loop < 300 and self.tn3270:find('DFHCE3520') do -- still at Enter UserID message?
stdnse.verbose('Trying CICS: ' .. user ..' : ' .. pass)
self.tn3270:send_locations({user_loc,pass_loc})
self.tn3270:get_all_data()
stdnse.debug(2,"Screen Received for User ID: %s/%s", user, pass)
self.tn3270:get_screen_debug(2)
loop = loop + 1 -- We don't want this to loop forever
end
if loop == 300 then
local err = brute.Error:new( "Error with UserID entry")
err:setRetry( true )
return false, err
end
-- Now check what we received if its valid or not
if self.tn3270:find('TSS7101E') or
self.tn3270:find('DFHCE3530') or
self.tn3270:find('DFHCE3532') then
-- Top Secret:
-- TSS7101E Password is Incorrect
-- RACF:
-- DFHCE3530/2 Your userid or password is invalid. Please retype both.
return false, brute.Error:new( "Incorrect password" )
elseif self.tn3270:find('TSS7145E') or
self.tn3270:find("TSS714[0-3]E") or
self.tn3270:find('TSS7160E') or
self.tn3270:find('TSS7120E') then
-- Top Secret:
-- TSS7140E Accessor ID Has Expired: No Longer Valid
-- TSS7141E Use of Accessor ID Suspended
-- TSS7142E Accessor ID Not Yet Available for Use - Still Inactive
-- TSS7143E Accessor ID Has Been Inactive Too Long
-- TSS7120E PASSWORD VIOLATION THRESHOLD EXCEEDED
-- TSS7145E ACCESSOR ID <acid> NOT DEFINED TO SECURITY
-- TSS7160E Facility <X> Not Authorized for Your Use
-- Store the invalid ID in the registry so we don't keep trying it with subsequent passwords
-- when using default brute library.
register_invalid(user)
return false, brute.Error:new( "User ID Not Able to Use CICS" )
elseif self.tn3270:find("DFHCE3549") or
self.tn3270:find('TSS7000I') or
self.tn3270:find('TSS7110E Password Has Expired. New Password Missing') or
self.tn3270:find('TSS7001I') then
stdnse.verbose("Valid CICS UserID / Password: " .. user .. "/" .. pass)
return true, creds.Account:new(user, pass, creds.State.VALID)
else
-- ok whoa, something happened, print the screen but don't store as valid
stdnse.verbose("Valid(?) user/pass with current output " .. user .. "/" .. pass .. "\n" .. self.tn3270:get_screen())
return false, brute.Error:new( "Incorrect password" )
end
return false, brute.Error:new("Something went wrong, we didn't get a proper response")
end
}
--- Tests the target to see if we can even get to CICS
--
-- @param host host NSE object
-- @param port port NSE object
-- @param commands optional script-args of commands to use to get to CICS
-- @return status true on success, false on failure
local function cics_test( host, port, commands )
stdnse.verbose(2,"Checking for CICS Login Page")
local tn = tn3270.Telnet:new()
tn:disable_tn3270e()
local status, err = tn:initiate(host,port)
local cesl = false -- initially we're not at CICS
if not status then
stdnse.debug("Could not initiate TN3270: %s", err )
return false
end
tn:get_screen_debug(2) -- prints TN3270 screen to debug
stdnse.debug(2,"Getting to CICS")
local run = stringaux.strsplit(";%s*", commands)
for i = 1, #run do
stdnse.debug(2,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
tn:send_cursor(run[i])
tn:get_all_data()
tn:get_screen_debug(2)
end
tn:get_all_data()
tn:get_screen_debug(2) -- for debug purposes
-- We should now be at CICS. Check if we're already at the logon screen
if tn:find('SIGN ON TO CICS') and tn:find("Signon to CICS") then
stdnse.verbose(2,"At CICS Login Transaction (CESL)")
tn:disconnect()
return true
end
-- Uh oh. We're not at the logon screen. Now we need to send:
-- * F3 to exit the CICS program
-- * CLEAR (a tn3270 command) to clear the screen.
-- (you need to clear before sending a transaction ID)
-- * a known default CICS transaction ID with predictable outcome
-- (CESF with 'Sign-off is complete.' as the result)
-- to confirm that we were in CICS. If so we return true
-- otherwise we return false
local count = 1
while not tn:isClear() and count < 6 do
-- some systems will just kick you off others are slow in responding
-- this loop continues to try getting out of whatever transaction 5 times. If it can't
-- then we probably weren't in CICS to begin with.
stdnse.debug(2,"Sending: F3")
tn:send_pf(3) -- send F3
tn:get_all_data()
stdnse.debug(2,"Clearing the Screen")
tn:send_clear()
tn:get_all_data()
tn:get_screen_debug(2)
count = count + 1
end
if count == 5 then
return false, 'Could not get to CICS after 5 attempts. Is this even CICS?'
end
stdnse.debug(2,"Sending 'CESL'")
tn:send_cursor('CESL')
tn:get_all_data()
if tn:isClear() then
tn:get_all_data(1000)
end
tn:get_screen_debug(2)
if tn:find("Signon to CICS") then
stdnse.verbose(2,"At CICS Login Transaction (CESL)")
tn:disconnect()
return true
end
tn:disconnect()
return false, 'Could not get to CESL (CICS Logon Screen)'
end
-- Filter iterator for unpwdb
-- IDs are limited to 8 alpha numeric and @, #, $ and can't start with a number
-- pattern:
-- ^%D = The first char must NOT be a digit
-- [%w@#%$] = All letters including the special chars @, #, and $.
local valid_name = function(x)
if nmap.registry.tsoinvalid and nmap.registry.tsoinvalid[x] then
return false
end
return (string.len(x) <= 8 and string.match(x,"^%D+[%w@#%$]"))
end
-- Checks string to see if it follows valid password limitations
local valid_pass = function(x)
return (string.len(x) <= 8 )
end
action = function(host, port)
local commands = stdnse.get_script_args(SCRIPT_NAME .. '.commands') or "cics"
local cicstst, err = cics_test(host, port, commands)
if cicstst then
local options = { key1 = commands }
local engine = brute.Engine:new(Driver, host, port, options)
stdnse.debug(2,"Starting CICS Brute Forcing")
engine:setUsernameIterator(unpwdb.filter_iterator(brute.usernames_iterator(),valid_name))
engine:setPasswordIterator(unpwdb.filter_iterator(brute.passwords_iterator(),valid_pass))
engine.options.script_name = SCRIPT_NAME
engine.options:setTitle("CICS User Accounts")
local status, result = engine:start()
return result
else
return err
end
end
|