Script tso-enum

Script types: portrule
Categories: intrusive, brute
Download: https://svn.nmap.org/nmap/scripts/tso-enum.nse

Script Summary

TSO User ID enumerator for IBM mainframes (z/OS). The TSO logon panel tells you when a user ID is valid or invalid with the message: IKJ56420I Userid <user ID> not authorized to use TSO.

The TSO logon process can work in two ways: 1) You get prompted with IKJ56700A ENTER USERID - to which you reply with the user you want to use. If the user ID is valid it will give you a normal TSO logon screen. Otherwise it will give you the screen logon error above. 2) You're given the TSO logon panel and enter your user ID at the Userid ===> prompt. If you give it an invalid user ID you receive the error message above.

This script relies on the NSE TN3270 library which emulates a TN3270 screen for NMAP.

TSO user IDs have the following rules: - it cannot begin with a number - only contains alpha-numeric characters and @, #, $. - it cannot be longer than 7 chars

Script Arguments

tso-enum.commands

Commands in a semi-colon separated list needed to access TSO. Defaults to tso.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

creds.[service], creds.global

See the documentation for the creds library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

Example Usage

• nmap --script=tso-enum -p 23 <targets>
  

• nmap -sV -p 9923 10.32.70.10 --script tso-enum --script-args userdb=tso_users.txt,tso-enum.commands="logon applid(tso)"
  

Script Output

PORT   STATE SERVICE VERSION
23/tcp open  tn3270  IBM Telnet TN3270
| tso-enum:
|   TSO User ID:
|     TSO User:RAZOR -  Valid User ID
|     TSO User:BLADE -  Valid User ID
|     TSO User:PLAGUE -  Valid User ID
|_  Statistics: Performed 6 guesses in 3 seconds, average tps: 2

Requires

• stdnse
• shortport
• tn3270
• brute
• creds
• unpwdb
• nmap
• string
• stringaux

---

Author:

• Philip Young aka Soldier of Fortran

License: Same as Nmap--See https://nmap.org/book/man-legal.html