Nmap Development mailing list archives
Re: [NSE script] t3 protocol
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 25 Oct 2013 11:48:21 -0500
On 10/25/2013 09:21 AM, alessandro.zanni () bt com wrote:
Hi guys,

This script tries to find out whether the t3 protocol is used with WebLogic. It sends a generic message to the server, "t3 1", and retrieves the response. Two responses are well known:

- "HELO:"
- "LGIN:Invalid parameter."

If one of them is returned, it means that the t3 protocol is used. If not, we don't know. It is important to understand that this script is based on the banner contained in the server response. If the banner has been removed, we can't be sure that t3 is used, but that doesn't mean the t3 protocol is not implemented on the server.

The script checks all open ports, because the port used by the WebLogic console could be used for t3 as well.

It has helped me in many pentests. Hope it will help you too!

Alessandro ZANNI
_______________________________________________
Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Alessandro,

This script looks like a great start! At first, I thought that it could be implemented as a service probe, as Alek suggested, but it turns out T3 is multiplexed with HTTP on Weblogic boxes, and we already detect the Weblogic httpd.
A few more things might make this into a great script. First, the return value could be distinguished based on the response. Does a "HELO" response mean that no authentication is needed? Does "LGIN" mean something different, such as a different protocol in use?
Second, what other info does the service disclose? What's the rest of the HELO line? We can probably gather that information and report it.
Thirdly, the version information can be returned to Nmap via the nmap.set_port_version() function. This could get tricky if it was already set to "Weblogic application server", but it could be returned in the extra_info field.
Thanks!
Dan
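The probe-and-classify logic discussed in the two messages above, written out as an added Python example (this is not the NSE script Alessandro posted, nor Nmap project code). It sends the "t3 1" message named in the thread, then classifies the reply by the two banner prefixes the thread relies on ("HELO:" and "LGIN:"), keeps the rest of the HELO line as the version string, and collects any trailing key:value header lines as extra info in the spirit of Dan's set_port_version()/extra_info suggestion. Assumptions, labelled in the code: the probe is terminated with a blank line, the reply is read up to a blank line or timeout, and the sample replies used below are constructed for the example rather than captured from a real server.

```python
"""Probe a TCP port for WebLogic T3 and classify the banner in the reply.

Added example for the nmap-dev thread; not the script under discussion.
"""
import socket
import sys

# Probe from the thread: "t3 1". The trailing blank line (end of the
# handshake header block) is an ASSUMPTION made here; the original
# script's exact framing is not shown on the page.
T3_PROBE = b"t3 1\n\n"

# The two banner prefixes the thread treats as positive identification.
KNOWN_PREFIXES = {
    b"HELO:": "t3-helo",
    b"LGIN:": "t3-login-rejected",
}

# Constructed sample replies (not captured from a real server).
SAMPLE_HELO = b"HELO:10.3.6.0.false\nAS:2048\nHL:19\n\n"
SAMPLE_LGIN = b"LGIN:Invalid parameter.\n"
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"


def classify_t3_response(data: bytes) -> dict:
    """Classify a raw reply to the T3 probe.

    Returns a dict with:
      t3      -- True only if one of the known banner prefixes was seen
      kind    -- 'unknown', 't3-helo' or 't3-login-rejected'
      banner  -- the rest of the first line after the prefix (e.g. version)
      headers -- key:value lines that follow the banner, as a dict
    A missing banner yields t3=False, which (as the thread notes) means
    "unknown", not "T3 is absent".
    """
    result = {"t3": False, "kind": "unknown", "banner": "", "headers": {}}
    if not data:
        return result
    first_line, _, rest = data.partition(b"\n")
    for prefix, kind in KNOWN_PREFIXES.items():
        if first_line.startswith(prefix):
            result["t3"] = True
            result["kind"] = kind
            result["banner"] = first_line[len(prefix):].strip().decode(
                "ascii", "replace")
            # Trailing header lines such as "AS:2048" become extra info.
            for line in rest.splitlines():
                key, sep, value = line.partition(b":")
                if sep and key.strip():
                    result["headers"][key.strip().decode("ascii", "replace")] = \
                        value.strip().decode("ascii", "replace")
            return result
    return result


def probe_t3(host: str, port: int, timeout: float = 5.0) -> dict:
    """Send the probe to host:port and classify whatever comes back."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_PROBE)
        try:
            # ASSUMPTION: the reply ends at a blank line; otherwise rely
            # on the timeout (or peer close) to stop reading.
            while b"\n\n" not in b"".join(chunks) and len(chunks) < 16:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return classify_t3_response(b"".join(chunks))


if __name__ == "__main__":
    # Usage: python t3probe.py HOST PORT [PORT ...]
    # Multiple ports are accepted because, as the thread notes, the
    # console port may carry T3 as well.
    host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    for port in ports:
        info = probe_t3(host, port)
        print(f"{host}:{port} {info['kind']} banner={info['banner']!r} "
              f"extra={info['headers']}")
```

The classifier is deliberately separate from the socket code so the banner logic can be checked offline against the constructed replies, and so an "unknown" result stays distinguishable from a confirmed HELO or LGIN reply when the result is reported.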
Current thread:
- [NSE script] t3 protocol alessandro.zanni (Oct 25)
- Re: [NSE script] t3 protocol Daniel Miller (Oct 25)
- RE : [NSE script] t3 protocol alessandro.zanni (Oct 28)
- Re: [NSE script] t3 protocol Daniel Miller (Oct 29)
- RE : [NSE script] t3 protocol alessandro.zanni (Oct 30)
- Re: RE : [NSE script] t3 protocol Daniel Miller (Oct 30)
- RE : [NSE script] t3 protocol alessandro.zanni (Oct 28)
- Re: [NSE script] t3 protocol Daniel Miller (Oct 25)