Script tso-enum

Script types: portrule
Categories: intrusive, brute

Script Summary

TSO User ID enumerator for IBM mainframes (z/OS). The TSO logon panel tells you when a user ID is valid or invalid with the message: IKJ56420I Userid <user ID> not authorized to use TSO.

The TSO logon process can work in two ways: 1) You get prompted with IKJ56700A ENTER USERID - to which you reply with the user you want to use. If the user ID is valid it will give you a normal TSO logon screen. Otherwise it will give you the screen logon error above. 2) You're given the TSO logon panel and enter your user ID at the Userid ===> prompt. If you give it an invalid user ID you receive the error message above.

This script relies on the NSE TN3270 library which emulates a TN3270 screen for NMAP.

TSO user IDs have the following rules: - it cannot begin with a number - only contains alpha-numeric characters and @, #, $. - it cannot be longer than 7 chars

Script Arguments


Commands in a semi-colon separated list needed to access TSO. Defaults to tso.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.


See the documentation for the creds library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

Example Usage

  • nmap --script=tso-enum -p 23 <targets>
  • nmap -sV -p 9923 --script tso-enum --script-args userdb=tso_users.txt,tso-enum.commands="logon applid(tso)"

Script Output

23/tcp open  tn3270  IBM Telnet TN3270
| tso-enum:
|   TSO User ID:
|     TSO User:RAZOR -  Valid User ID
|     TSO User:BLADE -  Valid User ID
|     TSO User:PLAGUE -  Valid User ID
|_  Statistics: Performed 6 guesses in 3 seconds, average tps: 2



  • Philip Young aka Soldier of Fortran

License: Same as Nmap--See