Script lu-enum

Script types: portrule
Categories: intrusive, brute

Script Summary

Attempts to enumerate Logical Units (LU) of TN3270E servers.

When connecting to a TN3270E server you are assigned a Logical Unit (LU) or you can tell the TN3270E server which LU you'd like to use. Typically TN3270E servers are configured to give you an LU from a pool of LUs. They can also have LUs set to take you to a specific application. This script attempts to guess valid LUs that bypass the default LUs you are assigned. For example, if a TN3270E server sends you straight to TPX you could use this script to find LUs that take you to TSO, CICS, etc.

Script Arguments


Folder used to store valid logical unit 'screenshots' Defaults to None and doesn't store anything. This stores all valid logical units.


Path to list of Logical Units to test. Defaults the initial Logical Unit TN3270E provides, replacing the last two characters with 00-99.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.


See the documentation for the creds library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

Example Usage

  • nmap --script lu-enum -p 23 <targets>
  • nmap --script lu-enum --script-args lulist=lus.txt,
    lu-enum.path="/home/dade/screenshots/" -p 23 -sV <targets>

Script Output

23/tcp   open  tn3270  syn-ack IBM Telnet TN3270 (TN3270E)
| lu-enum: 
|   Logical Units: 
|     LU:BSLVLU69 - Valid credentials
|_  Statistics: Performed 7 guesses in 7 seconds, average tps: 1.0



  • Philip Young aka Soldier of Fortran

License: Same as Nmap--See