1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
|
local stdnse = require "stdnse"
local shortport = require "shortport"
local tn3270 = require "tn3270"
local brute = require "brute"
local creds = require "creds"
local unpwdb = require "unpwdb"
local nmap = require "nmap"
local string = require "string"
local stringaux = require "stringaux"
description = [[
TSO account brute forcer.
This script relies on the NSE TN3270 library which emulates a
TN3270 screen for NMAP.
TSO user IDs have the following rules:
- it cannot begin with a number
- only contains alpha-numeric characters and @, #, $.
- it cannot be longer than 7 chars
]]
---
-- @usage
-- nmap -p 2401 --script tso-brute <host>
--
-- @output
-- 23/tcp open tn3270 syn-ack IBM Telnet TN3270
-- | tso-brute:
-- | Node Name:
-- | IBMUSER:<skipped> - User logged on. Skipped.
-- | ZERO:<skipped> - User logged on. Skipped.
-- | COOL:secret - Valid credentials
-- |_ Statistics: Performed 6 guesses in 6 seconds, average tps: 1
-- Final times for host: srtt: 96305 rttvar: 72303 to: 385517
--
-- @args tso-brute.commands Commands in a semi-colon separated list needed
-- to access TSO. Defaults to <code>TSO</code>.
--
-- @args tso-brute.always_logon TSO logon can kick a user off if it guesses
-- the correct password. always_logon, when set to <code>true</code>, will logon, even if
-- the user is logged in (kicking that user off). The default, <code>false</code> will
-- skip that account.
--
-- @changelog
-- 2015-10-29 - v0.1 - created by Soldier of Fortran
--
-- @author Philip Young
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
--
author = "Soldier of Fortran"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive"}
portrule = shortport.port_or_service({23,992,623}, {"tn3270"})
--- Registers User IDs that no longer need to be tested
--
-- @param username to stop checking
local function register_invalid( username )
if nmap.registry.tsoinvalid == nil then
nmap.registry.tsoinvalid = {}
end
stdnse.debug(2,"Registering %s", username)
nmap.registry.tsoinvalid[username] = true
end
Driver = {
new = function(self, host, port, options)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
o.options = options
o.tn3270 = tn3270.Telnet:new(brute.new_socket())
o.tn3270:disable_tn3270e()
return o
end,
connect = function( self )
local status, err = self.tn3270:initiate(self.host,self.port)
self.tn3270:get_screen_debug(2)
if not status then
stdnse.debug("Could not initiate TN3270: %s", err )
return false
end
return true
end,
disconnect = function( self )
self.tn3270:disconnect()
self.tn3270 = nil
return true
end,
login = function (self, user, pass)
local commands = self.options['key1']
local always_logon = self.options['key2']
local skip = self.options['skip']
stdnse.debug(2,"Getting to TSO")
local run = stringaux.strsplit(";%s*", commands)
stdnse.verbose(2,"Trying User ID/Password: %s/%s", user, pass)
for i = 1, #run do
stdnse.debug(2,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
if i == #run and run[i]:upper():find("LOGON APPLID") and skip then
stdnse.debug(2,"Trying User ID: %s", user)
self.tn3270:send_cursor(run[i] .. " DATA(" .. user .. ")")
elseif i == #run and skip then
stdnse.debug(2,"Trying User ID: %s", user)
self.tn3270:send_cursor(run[i] .. " " .. user)
else
self.tn3270:send_cursor(run[i])
end
self.tn3270:get_all_data()
end
if self.tn3270:find("%*%*%*") then -- For ACF2/TopSecret if required
self.tn3270:send_enter()
self.tn3270:get_all_data()
end
if not self.tn3270:find("ENTER USERID")
and not self.tn3270:find("TSO/E LOGON")
and not self.tn3270:find("IKJ56710I INVALID USERID") then
local err = brute.Error:new( "TSO Unavailable" )
-- This error occurs on too many concurrent application requests it
-- should be temporary. We use the new setReduce function.
err:setReduce(true)
stdnse.debug(1,"TSO Unavailable for UserID %s", pass )
return false, err
end
if not skip then
stdnse.debug(2,"Trying User ID: %s", user)
self.tn3270:send_cursor(user)
self.tn3270:get_all_data()
end
stdnse.debug(2,"Screen Received for User ID: %s", user)
self.tn3270:get_screen_debug(2)
if not self.tn3270:find('Enter LOGON parameters below') then
stdnse.debug(2,"Screen Received for User ID: %s", user)
self.tn3270:get_screen_debug(2)
-- This error occurs on too many concurrent application requests it
-- should be temporary. We use the new setReduce function.
local err = brute.Error:new( "Not at TSO" )
err:setReduce(true)
stdnse.debug(1,"TSO Unavailable for UserID %s", pass )
return false, err
end
if self.tn3270:find('not authorized to use TSO') then -- invalid user ID
stdnse.debug(2,"Got Message: IKJ56420I Userid %s not authorized to use TSO.", user)
-- Store the invalid ID in the registry so we don't keep trying it with subsequent passwords
-- when using the brute library.
register_invalid(user)
return false, brute.Error:new( "User ID not authorized to use TSO" )
else
-- It's a valid account so lets try a password
stdnse.debug(2,"%s is a valid TSO User ID. Trying Password: %s", string.upper(user), pass)
if always_logon then
local writeable = self.tn3270:writeable()
-- This turns on the 'reconnect' which may boot users off
self.tn3270:send_locations({{writeable[1][1],pass},{writeable[11][1],"S"}})
else
self.tn3270:send_cursor(pass)
end
self.tn3270:get_all_data()
while self.tn3270:isClear() do
-- the screen is blank for a few while it loads TSO
self.tn3270:get_all_data()
end
stdnse.debug(2,"Screen Received for User/Pass: %s/%s", user, pass)
self.tn3270:get_screen_debug(2)
if not always_logon and self.tn3270:find("already logged on") then
-- IKJ56425I LOGON rejected User already logged on to system
register_invalid(user)
return true, creds.Account:new(user, "<skipped>", "User logged on. Skipped.")
elseif (self.tn3270:find("IKJ56425I") and self.tn3270:find("IKJ56418I")) then
-- IKJ56425I LOGON REJECTED, RACF® TEMPORARILY REVOKING USER ACCESS
-- IKJ56418I CONTACT YOUR TSO ADMINISTRATOR
-- The first message (5I) is always followed by the second if the account it revoked
-- But not followed by the second message if its just logged on already
register_invalid(user) -- We dont want to keep generating errors
stdnse.verbose(3,"User: " .. user .. " LOCKED OUT")
return false, brute.Error:new("Account Locked out")
elseif not (self.tn3270:find("IKJ56421I") or
self.tn3270:find("IKJ56443I") or
self.tn3270:find("TSS7101E") or
self.tn3270:find("TSS714[0-3]E") or
self.tn3270:find("TSS7099E") or
self.tn3270:find("TSS7120E")) then
-- RACF:
-- IKJ56421I PASSWORD NOT AUTHORIZED FOR USERID
-- IKJ56443I TSOLOGON RECONNECT REJECTED - USER ACCESS REVOKED BY RACF
-- Top Secret:
-- TSS7101E Password is Incorrect
-- TSS7140E Accessor ID Has Expired: No Longer Valid
-- TSS7141E Use of Accessor ID Suspended
-- TSS7142E Accessor ID Not Yet Available for Use - Still Inactive
-- TSS7143E Accessor ID Has Been Inactive Too Long
-- TSS7120E PASSWORD VIOLATION THRESHOLD EXCEEDED
-- TSS7099E Signon credentials invalid
-- The 'MSG allows testers to discern any relevant messages they may get for the account'
stdnse.verbose(2,"Valid User/Pass: " .. user .. "/" .. pass)
stdnse.verbose(3,"Valid MSG for " .. user .. "/" .. pass .. ": " .. self.tn3270:get_screen():sub(1,80))
return true, creds.Account:new(user, pass, creds.State.VALID)
else
return false, brute.Error:new( "Incorrect password" )
end
end
end
}
--- Tests the target to see if we can even get to TSO
--
-- @param host host NSE object
-- @param port port NSE object
-- @param commands script-args of commands to use to get to TSO
-- @return status true on success, false on failure
-- @return name of security product installed
local function tso_test( host, port, commands )
stdnse.debug("Checking for TSO")
local tn = tn3270.Telnet:new()
tn:disable_tn3270e()
local status, err = tn:initiate(host,port)
local tso = false -- initially we're not at TSO logon panel
local secprod = "RACF"
tn:get_screen_debug(2) -- prints TN3270 screen to debug
if not status then
stdnse.debug("Could not initiate TN3270: %s", err )
return tso, "Could not Initiate TN3270"
end
local run = stringaux.strsplit(";%s*", commands)
for i = 1, #run do
stdnse.debug(2,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
tn:send_cursor(run[i])
tn:get_all_data()
end
tn:get_screen_debug(2)
if tn:find("***") then
secprod = "TopSecret/ACF2"
end
if tn:find("ENTER USERID") or tn:find("TSO/E LOGON") then
tso = true
-- Patch OA44855 removed the ability to enumerate users
tn:send_cursor("notreal")
tn:get_all_data()
if tn:find("IKJ56476I ENTER PASSWORD") then
return false, secprod, "Enumeration is not possible. PASSWORDPREPROMPT is set to ON."
end
end
tn:send_pf(3)
tn:disconnect()
return tso, secprod, "Could not get to TSO. Try --script-args=tso-brute.commands='logon applid(tso)'. Aborting."
end
--- Tests the target to see if we can speed up brute forcing
-- VTAM/USSTable will sometimes allow you to put the userid
-- in the command area either through data() or just adding
-- the userid. This function will test for both
--
-- @param host host NSE object
-- @param port port NSE object
-- @param commands script-args of commands to use to get to TSO
-- @return status true on success, false on failure
local function tso_skip( host, port, commands )
stdnse.debug("Checking for IKJ56700A message skip")
local tn = tn3270.Telnet:new()
tn:disable_tn3270e()
stdnse.debug2("Connecting TN3270 to %s:%s", host.targetname or host.ip, port.number)
local status, err = tn:initiate(host,port)
stdnse.debug2("Displaying initial TN3270 Screen:")
tn:get_screen_debug(2) -- prints TN3270 screen to debug
if not status then
stdnse.debug("Could not initiate TN3270: %s", err )
return false
end
-- We're connected now to test.
local data = false
if commands:upper():find('LOGON APPLID') then
stdnse.debug(2,"Using LOGON command (%s) trying DATA() command", commands )
data = true
else
stdnse.debug(2,"Not using LOGON command, testing adding userid to command" )
end
local run = stringaux.strsplit(";%s*", commands)
for i = 1, #run do
stdnse.debug(2,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
if i == #run then
if data then
stdnse.debug(2,"Sending "..run[i].." DATA(FAKEUSER)")
tn:send_cursor(run[i].." DATA(FAKEUSER)")
else
stdnse.debug(2,"Sending "..run[i].." FAKEUSER")
tn:send_cursor(run[i].." FAKEUSER")
end
else
tn:send_cursor(run[i])
end
tn:get_all_data()
end
tn:get_screen_debug(2)
if tn:find("IKJ56710I INVALID USERID") or
tn:find("Enter LOGON parameters below") then
stdnse.debug('IKJ56700A message skip supported')
return true
else
return false
end
end
-- Filter iterator for unpwdb usernames
-- TSO is limited to 7 alpha numeric and @, #, $ and can't start with a number
-- If this user ID has been confirmed to not be a valid TSO account
-- it will stop being passed to the brute engine
-- pattern:
-- ^%D = The first char must NOT be a digit
-- [%w@#%$] = All letters including the special chars @, #, and $.
local valid_name = function(x)
if nmap.registry.tsoinvalid and nmap.registry.tsoinvalid[x] then
return false
else
return (string.len(x) <= 7 and string.match(x,"^%D+[%w@#%$]"))
end
end
-- Checks string to see if it follows valid password limitations
local valid_pass = function(x)
local patt = "[%w@#%$]"
return (string.len(x) <= 8 and string.match(x,patt))
end
action = function( host, port )
local status, result
local commands = stdnse.get_script_args(SCRIPT_NAME .. '.commands') or "tso"
-- if a user is logged on this script will not try to logon as that user
-- because a user is only allowed to logon from one location. If you turn always_logon on
-- it will logon if it finds a valid username/password, kicking that user off
local always_logon = stdnse.get_script_args(SCRIPT_NAME .. '.always_logon') or false
local tsotst, secprod, err = tso_test(host, port, commands)
if tsotst then
stdnse.debug("Starting TSO Brute Force")
local options = { key1 = commands, key2 = always_logon, skip = tso_skip(host, port, commands) }
local engine = brute.Engine:new(Driver, host, port, options)
-- TSO has username/password restrictions.
-- This sets the iterators to use only valid TSO userids/passwords
engine:setUsernameIterator(unpwdb.filter_iterator(brute.usernames_iterator(),valid_name))
engine:setPasswordIterator(unpwdb.filter_iterator(brute.passwords_iterator(),valid_pass))
engine.options.script_name = SCRIPT_NAME
engine.options:setTitle("TSO Accounts")
status, result = engine:start()
return result
else
return err
end
end
|
