Script nje-node-brute
Script types:
portrule
Categories:
intrusive, brute
Download: https://svn.nmap.org/nmap/scripts/nje-node-brute.nse
Script Summary
z/OS JES Network Job Entry (NJE) target node name brute force.
NJE node communication is made up of an OHOST and an RHOST. Both fields must be present when conducting the handshake. This script attempts to determine the target system's NJE node name.
To initiate NJE the client sends a 33-byte record containing the type of record, the hostname (RHOST), IP address (RIP), target (OHOST), target IP (OIP) and a 1-byte response value (R) as outlined below:

  0   1   2   3   4   5   6   7   8   9   A   B   C   D   E   F
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|             TYPE              |            RHOST              |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|      RIP      |            OHOST              |      OIP      |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
| R |
+---+
- TYPE: Can either be 'OPEN', 'ACK', or 'NAK', in EBCDIC, padded by spaces to make 8 bytes. This script always sends the 'OPEN' type.
- RHOST: Node name of the local machine initiating the connection. Set to 'FAKE'.
- RIP: Hex value of the local system's IP address. Set to '0.0.0.0'.
- OHOST: The value being enumerated to determine the target's NJE node name.
- OIP: IP address, in hex, of the target system. Set to '0.0.0.0'.
- R: The response. NJE will send an 'R' of 0x01 if the OHOST is wrong or 0x04 if the OHOST is correct.
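As an added illustration of the record layout above (this is example Python, not the Nmap script's own Lua code), the following builds and parses the 33-byte control record and interprets the R byte. It also flags OPEN records carrying the fixed values the script uses (RHOST 'FAKE', RIP 0.0.0.0), which is a useful signature for a defender watching NJE traffic on port 175. The choice of EBCDIC code page (cp037) is an assumption; the page only says "EBCDIC".

```python
import socket
import struct

# 8 (TYPE) + 8 (RHOST) + 4 (RIP) + 8 (OHOST) + 4 (OIP) + 1 (R) = 33 bytes
RECORD_LEN = 33
RECORD_FMT = "!8s8s4s8s4sB"
# Assumption: which EBCDIC code page is used is not stated on the page; cp037 is a common choice.
EBCDIC = "cp037"

# Meaning of the R byte as described on the page
R_WRONG_OHOST = 0x01
R_CORRECT_OHOST = 0x04


def ebcdic_field(text, width=8):
    """Encode text as EBCDIC and pad with EBCDIC spaces (0x40) to `width` bytes."""
    data = text.encode(EBCDIC)
    if len(data) > width:
        raise ValueError(f"{text!r} does not fit in {width} bytes")
    return data + " ".encode(EBCDIC) * (width - len(data))


def build_record(rtype, rhost, rip, ohost, oip, r=0x00):
    """Build one 33-byte NJE control record: TYPE, RHOST, RIP, OHOST, OIP, R."""
    if rtype not in ("OPEN", "ACK", "NAK"):
        raise ValueError("TYPE must be OPEN, ACK or NAK")
    return (ebcdic_field(rtype)
            + ebcdic_field(rhost)
            + socket.inet_aton(rip)      # 4-byte binary IP
            + ebcdic_field(ohost)
            + socket.inet_aton(oip)
            + bytes([r]))


def parse_record(data):
    """Decode a 33-byte record into text fields, dotted IPs and the raw R byte."""
    if len(data) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(data)}")
    rtype, rhost, rip, ohost, oip, r = struct.unpack(RECORD_FMT, data)
    return {
        "type": rtype.decode(EBCDIC).rstrip(),
        "rhost": rhost.decode(EBCDIC).rstrip(),
        "rip": socket.inet_ntoa(rip),
        "ohost": ohost.decode(EBCDIC).rstrip(),
        "oip": socket.inet_ntoa(oip),
        "r": r,
    }


def classify_response(data):
    """Map the R byte of a parsed response to the outcome the page describes."""
    r = parse_record(data)["r"]
    if r == R_CORRECT_OHOST:
        return "ohost-correct"
    if r == R_WRONG_OHOST:
        return "ohost-wrong"
    return "unknown"


def looks_like_node_brute(rec):
    """Detection heuristic: an OPEN record whose RHOST/RIP are the script's hard-coded
    values rather than a real peer's node name and address."""
    return rec["type"] == "OPEN" and rec["rhost"] == "FAKE" and rec["rip"] == "0.0.0.0"


if __name__ == "__main__":
    # Constructed sample: what the script would send while guessing OHOST 'POTATO'.
    probe = build_record("OPEN", "FAKE", "0.0.0.0", "POTATO", "0.0.0.0")
    print(probe.hex())
    rec = parse_record(probe)
    print(rec, "suspicious:", looks_like_node_brute(rec))
    # Constructed sample reply with R = 0x04 (node name accepted).
    reply = build_record("ACK", "POTATO", "0.0.0.0", "FAKE", "0.0.0.0", r=R_CORRECT_OHOST)
    print(classify_response(reply))
```

Because TYPE and the two node-name fields are fixed-width EBCDIC, a capture of a single 33-byte OPEN record is enough to recover the guessed OHOST and to see whether the sender identified itself as 'FAKE'.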
By default this script will attempt to brute force a mainframe's OHOST. If supplied with the argument nje-node-brute.ohost, this script will instead attempt to brute force the RHOST, setting OHOST to the value supplied to the argument. Since most systems will only have one OHOST name, it is recommended to use the brute.firstonly script argument.
Script Arguments
- nje-node-brute.hostlist
The filename of a list of node names to try. Defaults to "nselib/data/vhosts-default.lst"
- nje-node-brute.ohost
The target mainframe OHOST. Used to bruteforce RHOST.
- passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb
See the documentation for the unpwdb library.
- creds.[service], creds.global
See the documentation for the creds library.
- brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass
See the documentation for the brute library.
Example Usage
nmap -sV --script=nje-node-brute <target>
nmap --script=nje-node-brute --script-args=hostlist=nje_names.txt -p 175 <target>
Script Output
PORT    STATE SERVICE REASON
175/tcp open  nje     syn-ack
| nje-node-brute:
|   Node Name:
|     POTATO:CACTUS - Valid credentials
|_  Statistics: Performed 6 guesses in 14 seconds, average tps: 0
License: Same as Nmap--See https://nmap.org/book/man-legal.html