Script cics-enum
Script types: portrule
Categories: intrusive, brute
Download: https://svn.nmap.org/nmap/scripts/cics-enum.nse
Script Summary
CICS transaction ID enumerator for IBM mainframes. This script is based on mainframe_brute by Dominic White (https://github.com/sensepost/mainframe_brute). However, this script doesn't rely on any third-party libraries or tools and instead uses the NSE TN3270 library, which emulates a TN3270 screen in Lua.
CICS only allows 4-byte transaction IDs; that is the only specific rule found for CICS transaction IDs.
Script Arguments
- cics-enum.commands
Commands in a semi-colon separated list needed to access CICS. Defaults to CICS.
- cics-enum.path
Folder used to store valid transaction ID 'screenshots'. Defaults to None and doesn't store anything.
- idlist
Path to list of transaction IDs. Defaults to the list of CICS transactions from IBM.
- cics-enum.pass
Password to use for authenticated enumeration
- cics-enum.user
Username to use for authenticated enumeration
- brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass
See the documentation for the brute library.
- creds.[service], creds.global
See the documentation for the creds library.
- passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb
See the documentation for the unpwdb library.
Example Usage
nmap --script=cics-enum -p 23 <targets>

nmap --script=cics-enum --script-args=idlist=default_cics.txt,cics-enum.commands="exit;logon applid(cics42)",cics-enum.path="/home/dade/screenshots/",cics-enum.noSSL=true -p 23 <targets>
Script Output
PORT   STATE SERVICE
23/tcp open  tn3270
| cics-enum:
|   Accounts:
|     CBAM: Valid - CICS Transaction ID
|     CETR: Valid - CICS Transaction ID
|     CEST: Valid - CICS Transaction ID
|     CMSG: Valid - CICS Transaction ID
|     CEDA: Valid - CICS Transaction ID
|     CEDF: Potentially Valid - CICS Transaction ID
|     DSNC: Valid - CICS Transaction ID
|_  Statistics: Performed 31 guesses in 114 seconds, average tps: 0
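An added example, not part of the Nmap documentation or the script itself: it parses the output format shown above so that the transaction IDs that answered can be compared against an approved list during an exposure review. The sample text is constructed from the output on this page; the function names and the allowlist are hypothetical.

```python
import re

# Constructed sample: the cics-enum output block shown on this page.
SAMPLE = """\
PORT   STATE SERVICE
23/tcp open  tn3270
| cics-enum:
|   Accounts:
|     CBAM: Valid - CICS Transaction ID
|     CETR: Valid - CICS Transaction ID
|     CEST: Valid - CICS Transaction ID
|     CMSG: Valid - CICS Transaction ID
|     CEDA: Valid - CICS Transaction ID
|     CEDF: Potentially Valid - CICS Transaction ID
|     DSNC: Valid - CICS Transaction ID
|_  Statistics: Performed 31 guesses in 114 seconds, average tps: 0
"""

# A result line carries an ID of at most 4 characters and one of two verdicts.
RESULT = re.compile(
    r"^\|_?\s+(\S{1,4}):\s+(Potentially Valid|Valid) - CICS Transaction ID\s*$")
PORT = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")

def parse_cics_enum(text):
    """Return {port: {"Valid": [...], "Potentially Valid": [...]}}."""
    findings, port = {}, None
    for line in text.splitlines():
        m = PORT.match(line)
        if m:
            port = int(m.group(1))
            findings[port] = {"Valid": [], "Potentially Valid": []}
            continue
        m = RESULT.match(line)
        if m and port is not None:  # ignore result lines with no port context
            findings[port][m.group(2)].append(m.group(1))
    return findings

def diff_against_allowlist(findings, allowlist):
    """Transaction IDs that answered but are not on the approved list."""
    return {port: sorted(set(r["Valid"] + r["Potentially Valid"]) - set(allowlist))
            for port, r in findings.items()}

if __name__ == "__main__":
    # Hypothetical allowlist of IDs expected to be reachable on this port.
    print(diff_against_allowlist(parse_cics_enum(SAMPLE), {"CMSG", "CEST"}))
```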
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html