Re: [NSE] Mainframe (z/OS & z/VM) Network Job Entry (NJE) Service Detection

[Daniel Miller <bonsaiviking () gmail com>]

Great, we can add this. Softmatch is helpful when a later probe can extract
more information, or when it would be helpful to get service fingerprint
submissions from users. If this service only ever responds with the NAK or
ACK and no further data, then it's probably fine to make these "match"
lines instead.

Added in r35373.

Dan
On Nov 2, 2015 2:25 PM, "Main Framed" <mainframed767 () gmail com> wrote:

> Yeah, after sending the previous email, I actually re-wrote it as a
> service probe and sent it in an email on September 10th:
> http://seclists.org/nmap-dev/2015/q3/291 as a diff (see below)
>
> Is there a problem using match vs. softmatch?
>
> (here's what I sent with your edits incorporated)
>
> ##############################NEXT PROBE##############################
> # Queries z/OS Network Job Entry
> # Sends an NJE Probe with the following information (text is converted to EBCDIC):
> # TYPE        = OPEN
> # OHOST       = FAKE
> # RHOST       = FAKE
> # RIP and OIP = 0.0.0.0
> # R           = 0
> # Based on http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hasa600/init.htm
> Probe TCP nje 
> q|\xd6\xd7\xc5\xd5\x40\x40\x40\x40\xc6\xc1\xd2\xc5\x40\x40\x40\x40\x00\x00\x00\x00\xc6\xc1\xd2\xc5\x40\x40\x40\x40\x00\x00\x00\x00\x00|
> rarity 9
> ports 175
> sslports 2252
> # If the port supports NJE it will respond with either a 'NAK' or 'ACK' in EBCDIC
> softmatch nje m|^\xd5\xc1\xd2| p/IBM Network Job Entry (JES)/
> softmatch nje m|^\xc1\xc3\xd2| p/IBM Network Job Entry (JES)/
>
>
> On Sun, Nov 1, 2015 at 9:12 PM, Daniel Miller <bonsaiviking () gmail com>
> wrote:
>
> > SoF,
> >
> > This looks like another one that could be implemented as a service probe.
> > Try this out and see if it's a good match. If you have a better idea for a
> > probe that gets detailed information from the service like a banner or
> > other info, that'd be great, too:
> >
> > ##############################NEXT PROBE##############################
> > # Network Job Entry
> > #
> > http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hasa600/intro.htm
> > Probe TCP NJE q|\xd6\xd7\xc5\xd5@@@@\xc6\xc1\xd2\xc5@
> > @@@\0\0\0\0\xc6\xc1\xd2\xc5@@@@\0\0\0\0\0|
> > rarity 9
> > ports 175
> > sslports 2252
> >
> > softmatch nje m|^\xd5\xc1\xd2| p|z/OS Network Job Entry|
> > softmatch nje m|^\xc1\xc3\xd2| p|z/OS Network Job Entry|
> >
> > Dan
> >
> > On Fri, Sep 4, 2015 at 6:17 PM, Main Framed <mainframed767 () gmail com>
> > wrote:
> >
> > > This is a new script which identifies open ports on a mainframe that
> > > support Network Job Entry (or NJE).
> > >
> > > You can read more about Network Job Entry here:
> > > http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hasa600/intro.htm
> > >
> > > The protocol is described here:
> > > http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss?CTY=US&FNC=SRX&PBL=SA22-7539-02
> > >
> > > A script is required because upon connection the port doesn't send any
> > > information and waits for the 'client' to initiate the connection. This
> > > script performs that initial connection to determine if it is NJE.
> > >
> > >
> > >
> > > --
> > > Soldier of Fortran
> > > @mainframed767
> > >
> > > _______________________________________________
> > > Sent through the dev mailing list
> > > https://nmap.org/mailman/listinfo/dev
> > > Archived at http://seclists.org/nmap-dev/
>
>
> --
> Soldier of Fortran
> @mainframed767
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/