Nmap cics-enum NSE Script
This page contains detailed information about how to use the cics-enum NSE script. For list of all NSE scripts, visit the Nmap NSE Library.
Select: |
---|
Script Overview
Script source code: https://github.com/nmap/nmap/tree/master/scripts/cics-enum.nse
Script categories: intrusive, brute
Target service / protocol: tn3270
Target network port(s): 23, 992
List of CVEs: -
Script Description
CICS transaction ID enumerator for IBM mainframes. This script is based on mainframe_brute by Dominic White (https://github.com/sensepost/mainframe_brute). However, this script doesn't rely on any third party libraries or tools and instead uses the NSE TN3270 library which emulates a TN3270 screen in lua.
CICS only allows for 4 byte transaction IDs, that is the only specific rule found for CICS transaction IDs.
Cics-enum NSE Script Arguments
This is a full list of arguments supported by the cics-enum.nse script:
cics-enum.commands
Commands in a semi-colon separated list needed to access CICS. Defaults to CICS
.
Password to use for authenticated enumeration
cics-enum.path
Folder used to store valid transaction id 'screenshots' Defaults to None
and doesn't store anything.
Username to use for authenticated enumeration
idlistPath to list of transaction IDs. Defaults to the list of CICS transactions from IBM.
creds.globalCredentials to be returned by Credentials.getCredentials regardless of the service.
creds.[service]Credentials to be returned by Credentials.getCredentials for [service]. E.g. creds.http=admin:password
passdbThe filename of an alternate password database. Default: nselib/data/passwords.lst
unpwdb.passlimit
The maximum number of passwords passwords
will return (default unlimited).
The maximum amount of time that any iterator will run before stopping. The value is in seconds by default and you can follow it with ms
, s
, m
, or h
for milliseconds, seconds, minutes, or hours. For example, unpwdb.timelimit=30m
or unpwdb.timelimit=.5h
for 30 minutes. The default depends on the timing template level (see the module description). Use the value 0
to disable the time limit.
The maximum number of usernames usernames
will return (default unlimited).
The filename of an alternate username database. Default: nselib/data/usernames.lst
brute.credfileA file containing username and password pairs delimited by '/'
brute.delayThe number of seconds to wait between guesses (default: 0)
brute.emptypassGuess an empty password for each user (default: false)
brute.firstonlyStop guessing after first password is found (default: false)
brute.guessesThe number of guesses to perform against each account. (default: 0 (unlimited)). The argument can be used to prevent account lockouts.
brute.modeCan be user, pass or creds and determines what mode to run the engine in.
- user - the unpwdb library is used to guess passwords, every password Password is tried for each user. (The user iterator is in the outer loop)
- pass - the unpwdb library is used to guess passwords, each password Is tried for every user. (The password iterator is in the outer loop)
- creds - a set of credentials (username and password pairs) are Guessed against the service. This allows for lists of known or common username and password combinations to be tested. If no mode is specified and the script has not added any custom iterator the pass mode will be enabled.
Iterate over passwords only for services that provide only a password for authentication. (default: false)
brute.retriesThe number of times to retry if recoverable failures occur. (default: 2)
brute.startThe number of threads the engine will start with. (default: 5).
brute.threadsThe number of initial worker threads, the number of active threads will be automatically adjusted.
brute.uniqueMake sure that each password is only guessed once (default: true)
brute.useraspassGuess the username as password for each user (default: true)
creds.[service]Credentials to be returned by Credentials.getCredentials for [service]. E.g. creds.http=admin:password
- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..]
syntax. For example:
nmap --script=cics-enum --script-args cics-enum.commands=value,cics-enum.pass=value <target>
Cics-enum NSE Script Example Usage
Here's an example of how to use the cics-enum.nse script:
nmap --script=cics-enum -p 23 <targets>
nmap --script=cics-enum --script-args=idlist=default_cics.txt,
cics-enum.command="exit;logon applid(cics42)",
cics-enum.path="/home/dade/screenshots/",cics-enum.noSSL=true -p 23 <targets>
Cics-enum NSE Script Example Output
Here's a sample output from the cics-enum.nse script:
PORT STATE SERVICE
23/tcp open tn3270
| cics-enum:
| Accounts:
| CBAM: Valid - CICS Transaction ID
| CETR: Valid - CICS Transaction ID
| CEST: Valid - CICS Transaction ID
| CMSG: Valid - CICS Transaction ID
| CEDA: Valid - CICS Transaction ID
| CEDF: Potentially Valid - CICS Transaction ID
| DSNC: Valid - CICS Transaction ID
|_ Statistics: Performed 31 guesses in 114 seconds, average tps: 0
Cics-enum NSE Script Example XML Output
There is no sample XML output for this module. However, by providing the -oX <file>
option, Nmap will produce a XML output and save it in the file.xml
file.
Author
- Philip Young aka Soldier of Fortran
References
- https://nmap.org/nsedoc/scripts/cics-enum.html
- https://github.com/nmap/nmap/tree/master/scripts/cics-enum.nse
- https://github.com/sensepost/mainframe_brute
- https://www-01.ibm.com/support/knowledgecenter/SSGMCP_5.2.0/com.ibm.cics.ts.systemprogramming.doc/topics/dfha726.html
See Also
Related NSE scripts to the cics-enum.nse script:
Visit Nmap NSE Library for more scripts.
The cics-enum.nse script may fail with the following error messages. Check for the possible causes by using the code snippets highlighted below found in the script source code. This can often times help in identifying the root cause of the problem.
Failed to open file (%s)
Here is a relevant code snippet related to the "Failed to open file (%s)" error message:
74: -- @param data contains the data
75: -- @return status true on success, false on failure
76: -- @return err string containing error message if status is false
77: local function save_screens( filename, data )
78: local f = io.open( filename, "w")
79: if not f then return false, ("Failed to open file (%s)"):format(filename) end
80: if not(f:write(data)) then return false, ("Failed to write file (%s)"):format(filename) end
81: f:close()
82: return true
83: end
84:
Failed to write file (%s)
Here is a relevant code snippet related to the "Failed to write file (%s)" error message:
75: -- @return status true on success, false on failure
76: -- @return err string containing error message if status is false
77: local function save_screens( filename, data )
78: local f = io.open( filename, "w")
79: if not f then return false, ("Failed to open file (%s)"):format(filename) end
80: if not(f:write(data)) then return false, ("Failed to write file (%s)"):format(filename) end
81: f:close()
82: return true
83: end
84:
85: Driver = {
Could not initiate TN3270: %s
Here is a relevant code snippet related to the "Could not initiate TN3270: %s" error message:
96: end,
97: connect = function( self )
98: local status, err = self.tn3270:initiate(self.host,self.port)
99: self.tn3270:get_screen_debug(2)
100: if not status then
101: stdnse.debug("Could not initiate TN3270: %s", err )
102: return false
103: end
104: return true
105: end,
106: disconnect = function( self )
Error. Failed to get to a blank screen under CICS (sending F3 followed by CLEAR). Try lowering maxthreads to fix.
Here is a relevant code snippet related to the "Error. Failed to get to a blank screen under CICS (sending F3 followed by CLEAR). Try lowering maxthreads to fix." error message:
147: loop = loop + 1
148: end
149:
150: if loop == 10 then
151: -- something is wrong but we can still try transactions. Print error to debug.
152: stdnse.debug('Error. Failed to get to a blank screen under CICS (sending F3 followed by CLEAR). Try lowering maxthreads to fix.')
153: end
154: -- If username/password provided try to authenticate first
155: if not (cics_user == nil and cics_pass == nil) then -- We're doing authenticated CICS testing now baby!
156: stdnse.debug(2,'Logging in with %s / %s for auth testing', cics_user, cics_pass)
157: self.tn3270:send_cursor('CESN')
not recognized') or self.tn3270:find('DFHAC2002
Here is a relevant code snippet related to the "not recognized') or self.tn3270:find('DFHAC2002" error message:
187: max_blank = max_blank + 1
188: end
189:
190: stdnse.debug(2,"Screen Received for Transaction ID: %s", pass)
191: self.tn3270:get_screen_debug(2)
192: if self.tn3270:find('not recognized') or self.tn3270:find('DFHAC2002') then -- known invalid command
193: stdnse.debug("Invalid CICS Transaction ID: %s", string.upper(pass))
194: return false, brute.Error:new( "Incorrect CICS Transaction ID" )
195: elseif self.tn3270:isClear() then
196: stdnse.debug(2,"Empty Screen when we expect an error.")
197: -- this can mean that the transaction ID was valid
Invalid CICS Transaction ID: %s
Here is a relevant code snippet related to the "Invalid CICS Transaction ID: %s" error message:
188: end
189:
190: stdnse.debug(2,"Screen Received for Transaction ID: %s", pass)
191: self.tn3270:get_screen_debug(2)
192: if self.tn3270:find('not recognized') or self.tn3270:find('DFHAC2002') then -- known invalid command
193: stdnse.debug("Invalid CICS Transaction ID: %s", string.upper(pass))
194: return false, brute.Error:new( "Incorrect CICS Transaction ID" )
195: elseif self.tn3270:isClear() then
196: stdnse.debug(2,"Empty Screen when we expect an error.")
197: -- this can mean that the transaction ID was valid
198: -- but it didn't send a screen update so you should check by hand.
Incorrect CICS Transaction ID
Here is a relevant code snippet related to the "Incorrect CICS Transaction ID" error message:
189:
190: stdnse.debug(2,"Screen Received for Transaction ID: %s", pass)
191: self.tn3270:get_screen_debug(2)
192: if self.tn3270:find('not recognized') or self.tn3270:find('DFHAC2002') then -- known invalid command
193: stdnse.debug("Invalid CICS Transaction ID: %s", string.upper(pass))
194: return false, brute.Error:new( "Incorrect CICS Transaction ID" )
195: elseif self.tn3270:isClear() then
196: stdnse.debug(2,"Empty Screen when we expect an error.")
197: -- this can mean that the transaction ID was valid
198: -- but it didn't send a screen update so you should check by hand.
199: -- We're not dumping this screen to disk because it's blank.
Empty Screen when we expect an error.
Here is a relevant code snippet related to the "Empty Screen when we expect an error." error message:
191: self.tn3270:get_screen_debug(2)
192: if self.tn3270:find('not recognized') or self.tn3270:find('DFHAC2002') then -- known invalid command
193: stdnse.debug("Invalid CICS Transaction ID: %s", string.upper(pass))
194: return false, brute.Error:new( "Incorrect CICS Transaction ID" )
195: elseif self.tn3270:isClear() then
196: stdnse.debug(2,"Empty Screen when we expect an error.")
197: -- this can mean that the transaction ID was valid
198: -- but it didn't send a screen update so you should check by hand.
199: -- We're not dumping this screen to disk because it's blank.
200: return true, creds.Account:new("CICS ID [blank screen]", string.upper(pass), creds.State.VALID)
201: elseif self.tn3270:find('Unauthorized') or self.tn3270:find('DFHAC2002') then
Failed writting screen to: %s
Here is a relevant code snippet related to the "Failed writting screen to: %s" error message:
218: if nmap.verbosity() > 3 then
219: if path ~= nil then
220: stdnse.verbose(2,"Writting screen to: %s", path..string.upper(pass)..".txt")
221: status, err = save_screens(path..string.upper(pass)..".txt",self.tn3270:get_screen())
222: if not status then
223: stdnse.verbose(2,"Failed writting screen to: %s", path..string.upper(pass)..".txt")
224: end
225: end
226: return true, creds.Account:new("CICS ID [Abbend]", string.upper(pass), creds.State.VALID)
227: else
228: return false, brute.Error:new( "Correct Transaction ID - Access Denied" )
Correct Transaction ID - Access Denied
Here is a relevant code snippet related to the "Correct Transaction ID - Access Denied" error message:
223: stdnse.verbose(2,"Failed writting screen to: %s", path..string.upper(pass)..".txt")
224: end
225: end
226: return true, creds.Account:new("CICS ID [Abbend]", string.upper(pass), creds.State.VALID)
227: else
228: return false, brute.Error:new( "Correct Transaction ID - Access Denied" )
229: end
230: elseif not (cics_user == nil and cics_pass == nil) and
231: (self.tn3270:find('TSS7251E') or self.tn3270:find('DFHAC2033')) then
232: -- We've logged on but we don't have access to this transaction
233: -- TSS7251E : Access Denied to PROGRAM <X>
Correct Transaction ID - Access Denied
Here is a relevant code snippet related to the "Correct Transaction ID - Access Denied" error message:
234: -- DFHAC2033 : You are not authorized to use transaction <X>
235: stdnse.verbose("Valid CICS Transaction ID [Access Denied]: %s", string.upper(pass))
236: if nmap.verbosity() > 3 then
237: return true, creds.Account:new("CICS ID [Access Denied]", string.upper(pass), creds.State.VALID)
238: else
239: return false, brute.Error:new( "Correct Transaction ID - Access Denied" )
240: end
241: else
242: stdnse.verbose("Valid CICS Transaction ID: %s", string.upper(pass))
243: if path ~= nil then
244: stdnse.verbose(2,"Writting screen to: %s", path..string.upper(pass)..".txt")
Failed writting screen to: %s
Here is a relevant code snippet related to the "Failed writting screen to: %s" error message:
242: stdnse.verbose("Valid CICS Transaction ID: %s", string.upper(pass))
243: if path ~= nil then
244: stdnse.verbose(2,"Writting screen to: %s", path..string.upper(pass)..".txt")
245: status, err = save_screens(path..string.upper(pass)..".txt",self.tn3270:get_screen())
246: if not status then
247: stdnse.verbose(2,"Failed writting screen to: %s", path..string.upper(pass)..".txt")
248: end
249: end
250: return true, creds.Account:new("CICS ID", string.upper(pass), creds.State.VALID)
251: end
252: return false, brute.Error:new("Something went wrong, we didn't get a proper response")
Something went wrong, we didn't get a proper response
Here is a relevant code snippet related to the "Something went wrong, we didn't get a proper response" error message:
247: stdnse.verbose(2,"Failed writting screen to: %s", path..string.upper(pass)..".txt")
248: end
249: end
250: return true, creds.Account:new("CICS ID", string.upper(pass), creds.State.VALID)
251: end
252: return false, brute.Error:new("Something went wrong, we didn't get a proper response")
253: end
254: }
255:
256: --- Tests the target to see if we can even get to CICS
257: --
Unable to get to CICS
Here is a relevant code snippet related to the "Unable to get to CICS" error message:
265: local function cics_test( host, port, commands, user, pass )
266: stdnse.debug("Checking for CICS")
267: local tn = tn3270.Telnet:new()
268: tn:disable_tn3270e()
269: local status, err = tn:initiate(host,port)
270: local msg = 'Unable to get to CICS'
271: local cics = false -- initially we're not at CICS
272: if not status then
273: stdnse.debug("Could not initiate TN3270: %s", err )
274: return cics
275: end
Could not initiate TN3270: %s
Here is a relevant code snippet related to the "Could not initiate TN3270: %s" error message:
268: tn:disable_tn3270e()
269: local status, err = tn:initiate(host,port)
270: local msg = 'Unable to get to CICS'
271: local cics = false -- initially we're not at CICS
272: if not status then
273: stdnse.debug("Could not initiate TN3270: %s", err )
274: return cics
275: end
276: tn:get_screen_debug(2) -- prints TN3270 screen to debug
277: stdnse.debug("Getting to CICS")
278: local run = stringaux.strsplit(";%s*", commands)
Unable to access CICS with User: '..user..' / Pass:
Here is a relevant code snippet related to the "Unable to access CICS with User: '..user..' / Pass: " error message:
346: tn:get_screen_debug(2)
347: count = count + 1
348: end
349: if not tn:find('DFHCE3549') then
350: cics = false
351: msg = 'Unable to access CICS with User: '..user..' / Pass: '..pass
352: else
353: tn:send_cursor('CESF')
354: tn:get_all_data()
355: end
356: end
Version
This page has been created based on Nmap version 7.92.
Go back to menu.