Script lu-enum

Script types: portrule
Categories: intrusive, brute
Download: https://svn.nmap.org/nmap/scripts/lu-enum.nse

Script Summary

Attempts to enumerate Logical Units (LU) of TN3270E servers.

When connecting to a TN3270E server you are assigned a Logical Unit (LU) or you can tell the TN3270E server which LU you'd like to use. Typically TN3270E servers are configured to give you an LU from a pool of LUs. They can also have LUs set to take you to a specific application. This script attempts to guess valid LUs that bypass the default LUs you are assigned. For example, if a TN3270E server sends you straight to TPX you could use this script to find LUs that take you to TSO, CICS, etc.

Script Arguments

lu-enum.path

Folder used to store valid logical unit 'screenshots'. Defaults to None, in which case nothing is stored. When set, all valid logical units are stored.

lulist

Path to list of Logical Units to test. Defaults to the initial Logical Unit TN3270E provides, replacing the last two characters with 00-99.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

creds.[service], creds.global

See the documentation for the creds library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.
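
The default guess space described under lulist can be compared with a server's own LU definitions to see which application-specific LUs it covers. This is an added example, not part of lu-enum or Nmap: the LU names, the inventory dictionary, the function names and the upper-casing of names are all assumptions made for illustration.

```python
"""Audit which dedicated LUs fall inside lu-enum's default guess space."""


def default_guess_space(assigned_lu):
    """Return the LU names covered by the documented default: the assigned
    LU with its last two characters replaced by 00-99."""
    lu = assigned_lu.strip().upper()  # normalisation is this example's choice
    if len(lu) < 2:
        raise ValueError("LU name too short to replace its last two characters")
    prefix = lu[:-2]
    return {f"{prefix}{n:02d}" for n in range(100)}


def audit(assigned_lu, dedicated_lus):
    """Split dedicated LUs (name -> application) into those the default
    guess space covers and those it does not."""
    space = default_guess_space(assigned_lu)
    covered, not_covered = {}, {}
    for name, app in dedicated_lus.items():
        key = name.strip().upper()
        if key in space:
            covered[key] = app
        else:
            not_covered[key] = app
    return covered, not_covered


# Constructed sample data: the LU a pool connection was assigned, and an
# inventory of LUs the server maps to specific applications.
POOL_LU = "TCPLU017"
DEDICATED = {
    "TCPLU090": "TSO",
    "TCPLU091": "CICS",
    "ADMTSO01": "TSO (admin)",
    "tcplu1a5": "IMS",
}

if __name__ == "__main__":
    covered, not_covered = audit(POOL_LU, DEDICATED)
    for name, app in sorted(covered.items()):
        print(f"COVERED by default guesses: {name} -> {app}")
    # Not covered only means the default list misses the name; a supplied
    # lulist can still contain it, so naming alone is not an access control.
    for name, app in sorted(not_covered.items()):
        print(f"needs a custom lulist:      {name} -> {app}")
```
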

Example Usage

  • nmap --script lu-enum -p 23 <targets>
    
  • nmap --script lu-enum --script-args lulist=lus.txt,lu-enum.path="/home/dade/screenshots/" -p 23 -sV <targets>
    

Script Output

PORT     STATE SERVICE REASON  VERSION
23/tcp   open  tn3270  syn-ack IBM Telnet TN3270 (TN3270E)
| lu-enum: 
|   Logical Units: 
|     LU:BSLVLU69 - Valid credentials
|_  Statistics: Performed 7 guesses in 7 seconds, average tps: 1.0

Requires


Author:

  • Philip Young aka Soldier of Fortran

License: Same as Nmap--See https://nmap.org/book/man-legal.html