Script tso-brute

Script types: portrule
Categories: intrusive

Script Summary

TSO account brute forcer.

This script relies on the NSE TN3270 library which emulates a TN3270 screen for NMAP.

TSO user IDs have the following rules: - it cannot begin with a number - only contains alpha-numeric characters and @, #, $. - it cannot be longer than 7 chars

Script Arguments


Commands in a semi-colon separated list needed to access TSO. Defaults to TSO.


TSO logon can kick a user off if it guesses the correct password. always_logon, when set to true, will logon, even if the user is logged in (kicking that user off). The default, false will skip that account.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.


See the documentation for the creds library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

Example Usage

nmap -p 2401 --script tso-brute <host>

Script Output

23/tcp open  tn3270  syn-ack IBM Telnet TN3270
| tso-brute:
|   Node Name:
|     IBMUSER:<skipped> - User logged on. Skipped.
|     ZERO:<skipped> - User logged on. Skipped.
|     COOL:secret - Valid credentials
|_  Statistics: Performed 6 guesses in 6 seconds, average tps: 1
Final times for host: srtt: 96305 rttvar: 72303  to: 385517



  • Philip Young

License: Same as Nmap--See