Nmap Development mailing list archives

RE : [NSE script] t3 protocol


From: <alessandro.zanni () bt com>
Date: Mon, 28 Oct 2013 13:52:12 +0000


I tried to improve my script following Daniel's advice.

After some tests, I found that both server responses (HELO.. and LGIN..) don't depend on whether authentication has been
implemented or not. I sent the same command ("t3 1") many times to the same server without changing any configuration,
and most of the time I saw the "LGIN:Invalid parameter" response and sometimes the "HELO" response. I am not able to
explain why this differs.

However, the HELO response discloses some technical information. My WebLogic server's response was as follows:
HELO:12.1.1.0.false
AS:2048
HL:19

With "12.1.1.0" being the WebLogic version (my new script prints the version of the WebLogic server if a HELO response is
received). I couldn't determine what the "false" value corresponds to. The "AS" and "HL" values are quite generic (tests were
done with an old WebLogic version and these parameters never changed).

I might be wrong, but I think it would not be possible to know whether the t3 protocol uses an authentication method by
parsing the response received, because the authentication process is implemented on the JNDI objects.

Thanks, 

Alessandro ZANNI
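The two banners discussed in this thread, parsed offline as an added example (this is not the t3-connection.nse script from the thread, and Python rather than NSE Lua is used so it can be run without Nmap). The sample replies are constructed from the lines quoted above; the HELO line's trailing true/false token is kept as an opaque flag since its meaning is unknown.

```python
import re

# Constructed sample replies modelled on the banners quoted in the thread
# (not captures from the original post).
SAMPLE_HELO = "HELO:12.1.1.0.false\nAS:2048\nHL:19\n\n"
SAMPLE_LGIN = "LGIN:Invalid parameter.\n"
SAMPLE_OTHER = "HTTP/1.1 400 Bad Request\r\n\r\n"

# HELO:<dotted version>[.<true|false>]  -- the flag's meaning is not known.
_HELO_RE = re.compile(r"^HELO:(?P<version>\d+(?:\.\d+)*)(?:\.(?P<flag>true|false))?$")


def parse_t3_banner(data: str) -> dict:
    """Classify a raw reply to the "t3 1" probe.

    Returns a dict with:
      t3      -> True only for the two known T3 banners; False means
                 "unknown", not proof that T3 is absent (the banner may be removed)
      kind    -> "HELO", "LGIN" or None
      version -> WebLogic version from the HELO line, if present
      flag    -> trailing true/false token on the HELO line, if present
      fields  -> the remaining KEY:VALUE lines (e.g. AS, HL) as strings
    """
    result = {"t3": False, "kind": None, "version": None, "flag": None, "fields": {}}
    lines = [ln.strip() for ln in data.splitlines() if ln.strip()]
    if not lines:
        return result
    first = lines[0]
    if first.startswith("HELO:"):
        result["t3"] = True
        result["kind"] = "HELO"
        m = _HELO_RE.match(first)
        if m:
            result["version"] = m.group("version")
            result["flag"] = m.group("flag")
        for ln in lines[1:]:
            key, sep, value = ln.partition(":")
            if sep:
                result["fields"][key] = value
    elif first.startswith("LGIN:Invalid parameter"):
        # Confirms T3 is spoken, but discloses no version information.
        result["t3"] = True
        result["kind"] = "LGIN"
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_HELO, SAMPLE_LGIN, SAMPLE_OTHER):
        print(parse_t3_banner(sample))
```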


________________________________________
From: Daniel Miller [bonsaiviking () gmail com]
Sent: Friday, 25 October 2013 18:48
To: Zanni,A,Alessandro,JBP15 R; dev () nmap org
Subject: Re: [NSE script] t3 protocol

On 10/25/2013 09:21 AM, alessandro.zanni () bt com<mailto:alessandro.zanni () bt com> wrote:

Hi guys,

This script tries to find out whether the t3 protocol is used with WebLogic. The script sends a generic message to the server, "t3
1", and retrieves the response.
Two responses are well known:
        - "HELO:"
        - "LGIN:Invalid parameter."
If one of them is retrieved, it means that the t3 protocol is used. If not, we don't know.

It is important to understand that this script is based on the banner contained in the server response. If the banner is
removed, we can't be sure T3 is used; it doesn't mean that the t3 protocol is not implemented on the server.
The script checks all open ports because the port used by the WebLogic console could be used for t3 as well.

It has helped me in many pentests. Hope it will help you too!

Alessandro ZANNI




_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Alessandro,

This script looks like a great start! At first, I thought that it could be implemented as a service probe, as Alek 
suggested, but it turns out T3 is multiplexed with HTTP on Weblogic boxes, and we already detect the Weblogic httpd.

A few more things might make this into a great script. First, the return value could be distinguished based on the 
response. Does a "HELO" response mean that no authentication is needed? Does "LGIN" mean something different, such as a 
different protocol in use?

Second, what other info does the service disclose? What's the rest of the HELO line? We can probably gather that 
information and report it.

Thirdly, the version information can be returned to Nmap via the nmap.set_port_version() function. This could get 
tricky if it was already set to "Weblogic application server", but it could be returned in the extra_info field.

Thanks!
Dan

Attachment: t3-connection.nse
Description: t3-connection.nse
