1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
|
local stdnse = require "stdnse"
local shortport = require "shortport"
local tn3270 = require "tn3270"
local brute = require "brute"
local creds = require "creds"
local unpwdb = require "unpwdb"
local string = require "string"
description = [[
CICS User ID enumeration script for the CESL/CESN Login screen.
]]
---
-- @args idlist Path to list of transaction IDs.
-- Defaults to the list of CICS transactions from IBM.
-- @args cics-user-enum.commands Commands in a semi-colon seperated list needed
-- to access CICS. Defaults to <code>CICS</code>.
-- @args cics-user-enum.transaction By default this script uses the <code>CESL</code> transaction.
-- on some systems the transactio ID <code>CESN</code> is needed. Use this argument to change the
-- logon transaction ID.
--
-- @usage
-- nmap --script=cics-user-enum -p 23 <targets>
--
-- nmap --script=cics-user-enum --script-args userdb=users.txt,
-- cics-user-enum.commands="exit;logon applid(cics42)" -p 23 <targets>
--
-- @output
-- PORT STATE SERVICE
-- 23/tcp open tn3270
-- | cics-user-enum:
-- | Accounts:
-- | PLAGUE: Valid - CICS User ID
-- |_ Statistics: Performed 31 guesses in 114 seconds, average tps: 0
--
-- @changelog
-- 2016-08-29 - v0.1 - created by Soldier of Fortran
-- 2016-12-19 - v0.2 - Added RACF support
--
-- @author Philip Young
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
--
author = "Philip Young aka Soldier of Fortran"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}
portrule = shortport.port_or_service({23,992}, "tn3270")
Driver = {
new = function(self, host, port, options)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
o.options = options
o.tn3270 = tn3270.Telnet:new()
return o
end,
connect = function( self )
local status, err = self.tn3270:initiate(self.host,self.port)
self.tn3270:get_screen_debug(2)
if not status then
stdnse.debug("Could not initiate TN3270: %s", err )
return false
end
return true
end,
disconnect = function( self )
self.tn3270:disconnect()
self.tn3270 = nil
return true
end,
login = function (self, user, pass) -- pass is actually the UserID we want to try
local commands = self.options['commands']
local transaction = self.options['trn']
local timeout = 300
local max_blank = 1
local loop = 1
local err
stdnse.debug(2,"Getting to CICS")
local run = stdnse.strsplit(";%s*", commands)
for i = 1, #run do
stdnse.debug(1,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
self.tn3270:send_cursor(run[i])
self.tn3270:get_all_data()
self.tn3270:get_screen_debug(2)
end
-- Are we at the logon transaction?
if not (self.tn3270:find('SIGN ON TO CICS') and self.tn3270:find("Signon to CICS")) then
-- We might be at some weird screen, lets try and exit it then clear it out
stdnse.debug(2,"Sending: F3")
self.tn3270:send_pf(3) -- send F3
self.tn3270:get_all_data()
stdnse.debug(2,"Clearing the Screen")
self.tn3270:send_clear()
self.tn3270:get_all_data()
self.tn3270:get_screen_debug(2)
stdnse.debug(2,"Sending Transaction ID: %s", transaction)
self.tn3270:send_cursor(transaction)
self.tn3270:get_all_data()
-- Have we encoutered a slow system?
if self.tn3270:isClear() then
self.tn3270:get_all_data(1000)
end
self.tn3270:get_screen_debug(2)
end
-- At this point we MUST be at CESL/CESN to try accounts.
-- If we're not then we quit with an error
if not (self.tn3270:find('SIGN ON TO CICS') or self.tn3270:find("Signon to CICS")) then
local err = brute.Error:new( "Can't get to Transaction")
err:setRetry( true )
return false, err
end
-- Ok we're good we're at CESL/CESN. Enter the USERID.
stdnse.verbose("Trying User ID: %s", pass)
self.tn3270:send_cursor(pass)
self.tn3270:get_all_data()
stdnse.debug(2,"Screen Received for User ID: %s", pass)
self.tn3270:get_screen_debug(2)
if self.tn3270:find('TSS7145E') or
self.tn3270:find('ACF01004') or
self.tn3270:find('DFHCE3530') then
-- known invalid userid messages
-- TopSecret: TSS7145E
-- ACF2: ACF01004
-- RACF: DFHCE3530
stdnse.debug("Invalid CICS User ID: %s", string.upper(pass))
return false, brute.Error:new( "Incorrect CICS User ID" )
elseif self.tn3270:find('TSS7102E') or
self.tn3270:find('ACF01012') or
self.tn3270:find('DFHCE3523') then
-- TopSecret: TSS7102E Password Missing
-- ACF2: ACF01012 PASSWORD NOT MATCHED
-- RACF: DFHCE3523 Please type your password.
stdnse.verbose("Valid CICS User ID: %s", string.upper(pass))
return true, creds.Account:new("CICS User", string.upper(pass), creds.State.VALID)
else
stdnse.verbose("Valid(?) CICS User ID: %s", string.upper(pass))
-- The user may be valid for another reason, lets store that reason.
stdnse.verbose(2,"User: " .. user .. " MSG:" .. self.tn3270:get_screen():sub(2,80))
return true, creds.Account:new("CICS User: ".. string.upper(pass),'Reason: ' .. self.tn3270:get_screen():sub(2,80), creds.State.VALID)
end
return false, brute.Error:new("Something went wrong, we didn't get a proper response")
end
}
--- Tests the target to see if we can even get to CICS
--
-- @param host host NSE object
-- @param port port NSE object
-- @param commands optional script-args of commands to use to get to CICS
-- @return status true on success, false on failure
local function cics_test( host, port, commands, transaction )
stdnse.verbose(2,"Checking for CICS Login Page")
local tn = tn3270.Telnet:new()
local status, err = tn:initiate(host,port)
local cesl = false -- initially we're not at CICS
if not status then
stdnse.debug("Could not initiate TN3270: %s", err )
return false
end
tn:get_screen_debug(2) -- prints TN3270 screen to debug
stdnse.debug("Getting to CICS")
local run = stdnse.strsplit(";%s*", commands)
for i = 1, #run do
stdnse.debug(1,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
tn:send_cursor(run[i])
tn:get_all_data()
tn:get_screen_debug(2)
end
tn:get_all_data()
tn:get_screen_debug(2) -- for debug purposes
-- We should now be at CICS. Check if we're already at the logon screen
if tn:find('SIGN ON TO CICS') and tn:find("Signon to CICS") then
stdnse.verbose(2,"At CICS Login Transaction")
tn:disconnect()
return true
end
-- Uh oh. We're not at the logon screen. Now we need to send:
-- * F3 to exit the CICS program
-- * CLEAR (a tn3270 command) to clear the screen.
-- (you need to clear before sending a transaction ID)
-- * a known default CICS transaction ID with predictable outcome
-- (CESF with 'Sign-off is complete.' as the result)
-- to confirm that we were in CICS. If so we return true
-- otherwise we return false
local count = 1
while not tn:isClear() and count < 6 do
-- some systems will just kick you off others are slow in responding
-- this loop continues to try getting out of whatever transaction 5 times. If it can't
-- then we probably weren't in CICS to begin with.
stdnse.debug(2,"Sending: F3")
tn:send_pf(3) -- send F3
tn:get_all_data()
stdnse.debug(2,"Clearing the Screen")
tn:send_clear()
tn:get_all_data()
tn:get_screen_debug(2)
count = count + 1
end
if count == 5 then
return false, 'Could not get to CICS after 5 attempts. Is this even CICS?'
end
stdnse.debug(2,"Sending %s", transaction)
tn:send_cursor(transaction)
tn:get_all_data()
if tn:isClear() then
tn:get_all_data(1000)
end
tn:get_screen_debug(2)
if tn:find('SIGN ON TO CICS') or tn:find("Signon to CICS") then
stdnse.verbose(2,"At CICS Login Transaction (%s)", transaction)
tn:disconnect()
return true
end
tn:disconnect()
return false, 'Could not get to '.. transaction ..' (CICS Logon Screen)'
end
-- Filter iterator for unpwdb
-- IDs are limited to 8 alpha numeric and @, #, $ and can't start with a number
-- pattern:
-- ^%D = The first char must NOT be a digit
-- [%w@#%$] = All letters including the special chars @, #, and $.
local valid_name = function(x)
return (string.len(x) <= 8 and string.match(x,"^%D+[%w@#%$]"))
end
action = function(host, port)
local commands = stdnse.get_script_args(SCRIPT_NAME .. '.commands') or "cics"
local transaction = stdnse.get_script_args(SCRIPT_NAME .. '.transaction') or "CESL"
local cicstst, err = cics_test(host, port, commands, transaction)
if cicstst then
local options = { commands = commands, trn = transaction }
stdnse.debug("Starting CICS User ID Enumeration")
local engine = brute.Engine:new(Driver, host, port, options)
engine.options.script_name = SCRIPT_NAME
engine:setPasswordIterator(unpwdb.filter_iterator(brute.usernames_iterator(),valid_name))
engine.options.passonly = true
engine.options:setTitle("CICS User ID")
local status, result = engine:start()
return result
else
return err
end
end
|
