Script lu-enum
Script types: portrule
Categories: intrusive, brute
Download: https://svn.nmap.org/nmap/scripts/lu-enum.nse
Script Summary
Attempts to enumerate Logical Units (LU) of TN3270E servers.
When connecting to a TN3270E server you are assigned a Logical Unit (LU) or you can tell the TN3270E server which LU you'd like to use. Typically TN3270E servers are configured to give you an LU from a pool of LUs. They can also have LUs set to take you to a specific application. This script attempts to guess valid LUs that bypass the default LUs you are assigned. For example, if a TN3270E server sends you straight to TPX you could use this script to find LUs that take you to TSO, CICS, etc.
Script Arguments
- lu-enum.path
Folder used to store 'screenshots' of all valid logical units. Defaults to None, in which case nothing is stored.
- lulist
Path to list of Logical Units to test. Defaults to the initial Logical Unit TN3270E provides, replacing the last two characters with 00-99.
- brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass
See the documentation for the brute library.
- creds.[service], creds.global
See the documentation for the creds library.
- passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb
See the documentation for the unpwdb library.
Example Usage
nmap --script lu-enum -p 23 <targets>
nmap --script lu-enum --script-args lulist=lus.txt,lu-enum.path="/home/dade/screenshots/" -p 23 -sV <targets>
Script Output
PORT   STATE SERVICE REASON  VERSION
23/tcp open  tn3270  syn-ack IBM Telnet TN3270 (TN3270E)
| lu-enum:
|   Logical Units:
|     LU:BSLVLU69 - Valid credentials
|_  Statistics: Performed 7 guesses in 7 seconds, average tps: 1.0
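On the server side, the LU guessing described in the Script Summary and the default 00-99 list described under lulist show up as one source requesting many different LU names in a short time. The following is an added example, not part of the lu-enum script or the Nmap project: a detector over connection records, where the four-field log layout, the sample addresses and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample records in a hypothetical "time source lu result" layout.
# Real TN3270E server logs differ; adapt parse() to the format you have.
SAMPLE_LOG = "\n".join(
    [f"10:00:{i:02d} 198.51.100.7 BSLVLU{i:02d} "
     + ("accepted" if i == 9 else "rejected") for i in range(12)]
    + ["10:01:00 192.0.2.20 TPXLU001 accepted",
       "10:02:10 192.0.2.21 TPXLU002 accepted",
       "10:03:30 192.0.2.20 TPXLU001 accepted"]
)

def parse(log):
    """Yield (seconds, source, lu, accepted) for each well-formed record."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        h, m, s = (int(x) for x in parts[0].split(":"))
        yield h * 3600 + m * 60 + s, parts[1], parts[2].upper(), parts[3] == "accepted"

def find_lu_guessing(log, window=60, min_distinct=10):
    """Return {source: details} for sources that request at least
    min_distinct different LU names within any window-second span."""
    by_src = defaultdict(list)
    for rec in parse(log):
        by_src[rec[1]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        best, start = [], 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1  # slide the window forward
            span = recs[start:end + 1]
            if len({r[2] for r in span}) > len({r[2] for r in best}):
                best = span
        lus = {r[2] for r in best}
        if len(lus) >= min_distinct:
            # Names that differ only in the last two characters match the
            # default list built from the initially assigned LU (00-99).
            alerts[src] = {
                "distinct_lus": len(lus),
                "suffix_sweep": len({lu[:-2] for lu in lus}) == 1,
                "accepted": sorted(r[2] for r in best if r[3]),
            }
    return alerts

if __name__ == "__main__":
    print(find_lu_guessing(SAMPLE_LOG))
```

The "accepted" list in an alert names the LUs that were handed out during the sweep, which are the ones to review for direct routing to applications such as TSO or CICS.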
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html