Script cics-enum

Script types: portrule
Categories: intrusive, brute

Script Summary

CICS transaction ID enumerator for IBM mainframes. This script is based on mainframe_brute by Dominic White. However, this script doesn't rely on any third-party libraries or tools and instead uses the NSE TN3270 library, which emulates a TN3270 screen in Lua.

CICS only allows 4-byte transaction IDs; that is the only specific rule found for CICS transaction IDs.

Script Arguments


Commands, in a semicolon-separated list, needed to access CICS. Defaults to CICS.


Folder used to store 'screenshots' of valid transaction IDs. Defaults to None and doesn't store anything.


Path to list of transaction IDs. Defaults to the list of CICS transactions from IBM.


Password to use for authenticated enumeration


Username to use for authenticated enumeration

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.


See the documentation for the creds library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

Example Usage

nmap --script=cics-enum -p 23 <targets>

nmap --script=cics-enum --script-args=idlist=default_cics.txt,
cics-enum.command="exit;logon applid(cics42)",
cics-enum.path="/home/dade/screenshots/",cics-enum.noSSL=true -p 23 <targets>

Script Output

23/tcp open  tn3270
| cics-enum:
|   Accounts:
|     CBAM: Valid - CICS Transaction ID
|     CETR: Valid - CICS Transaction ID
|     CEST: Valid - CICS Transaction ID
|     CMSG: Valid - CICS Transaction ID
|     CEDA: Valid - CICS Transaction ID
|     CEDF: Potentially Valid - CICS Transaction ID
|     DSNC: Valid - CICS Transaction ID
|_  Statistics: Performed 31 guesses in 114 seconds, average tps: 0
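
To turn the output above into an audit finding, the following added example (not part of the Nmap documentation or of the script itself) parses the cics-enum block and compares the reported transaction IDs against a site allowlist. The function names and the allowlist contents are assumptions; the sample input is the output shown above.

```python
import re

# Constructed sample: the "Script Output" block from this page, as nmap prints it.
SAMPLE = """\
23/tcp open  tn3270
| cics-enum:
|   Accounts:
|     CBAM: Valid - CICS Transaction ID
|     CETR: Valid - CICS Transaction ID
|     CEST: Valid - CICS Transaction ID
|     CMSG: Valid - CICS Transaction ID
|     CEDA: Valid - CICS Transaction ID
|     CEDF: Potentially Valid - CICS Transaction ID
|     DSNC: Valid - CICS Transaction ID
|_  Statistics: Performed 31 guesses in 114 seconds, average tps: 0
"""

# One result line: leading pipe, an ID of at most 4 non-space characters, then the status.
RESULT = re.compile(r"^\|\s+(\S{1,4}): (Valid|Potentially Valid) - CICS Transaction ID\s*$")

def parse_cics_enum(text):
    """Return {transaction_id: status} for every result line under a cics-enum block."""
    found, in_block = {}, False
    for line in text.splitlines():
        if re.match(r"^\|[ _]\s*cics-enum:", line):
            in_block = True
        elif in_block:
            m = RESULT.match(line)
            if m:
                found[m.group(1).upper()] = m.group(2)
            if line.startswith("|_") or not line.startswith("|"):
                in_block = False  # last line of this script's output
    return found

def audit(found, approved):
    """Split findings into reachable-but-unapproved IDs and IDs needing manual review."""
    unapproved = sorted(t for t, s in found.items() if s == "Valid" and t not in approved)
    review = sorted(t for t, s in found.items() if s == "Potentially Valid" and t not in approved)
    return unapproved, review

if __name__ == "__main__":
    APPROVED = {"CESN", "CESF", "CMSG"}  # hypothetical site allowlist (assumption)
    unapproved, review = audit(parse_cics_enum(SAMPLE), APPROVED)
    print("reachable but not approved:", unapproved)
    print("needs manual check:", review)
```
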



  • Philip Young

License: Same as Nmap--See