Nmap Development mailing list archives
RE : [NSE script] t3 protocol
From: <alessandro.zanni () bt com>
Date: Mon, 28 Oct 2013 13:52:12 +0000
I tried to improve my script following Daniel's advices. After some tests, I found that both server responses (HELO.. and LGIN..) don't depend if an authentication has been implemented or not. I send many times the same command ("t3 1") on the same server without changing any configuration and I saw most of time "LGIN:Invalid parameter" response and sometime the "HELO" response. I am not able to explain why this different. However the HELO response disclose some technical information. My weblogic server response was as following: HELO:12.1.1.0.false AS:2048 HL:19 With "12.1.1.0" the weblogic version (my new script print the version of the weblogic server if an HELO response is received). I couldn't determine at what correspond the "false" value. The "AS" and "HL" are quite generic (tests were done with old weblogic version and these parameters never changed). I might be wrong but I think it couldn't be possible to know if the t3 protocole uses an authentication method by parsing the response received, because the authentication process is implemented on the JNDI objects. Thanks, Alessandro ZANNI ________________________________________ De : Daniel Miller [bonsaiviking () gmail com] Date d'envoi : vendredi 25 octobre 2013 18:48 À : Zanni,A,Alessandro,JBP15 R; dev () nmap org Objet : Re: [NSE script] t3 protocol On 10/25/2013 09:21 AM, alessandro.zanni () bt com<mailto:alessandro.zanni () bt com> wrote: Hi guys, This script try to find if the t3 protocol is used with weblogic. This script send a generic message to the server "t3 1" and retrieve the response. 2 responses are well-known: - "HELO:" - "LGIN:Invalid parameter." If one of them is retrieved, it means that the t3 protocol is used. If not, we don't know. It is important to understand that this script is based on the banner contained on the server response. If it is removed, we can't be sure it is used, it doesn't mean that the t3 protocol is not implemented on the server. The script checks all open port because the port used by the weblogic console could be used for the t3 as well. It helps me for many pentest. Hope it will help you too ! Alessandro ZANNI _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/ Alessandro, This script looks like a great start! At first, I thought that it could be implemented as a service probe, as Alek suggested, but it turns out T3 is multiplexed with HTTP on Weblogic boxes, and we already detect the Weblogic httpd. A few more things might make this into a great script. First, the return value could be distinguished based on the response. Does a "HELO" response mean that no authentication is needed? Does "LGIN" mean something different, such as a different protocol in use? Second, what other info does the service disclose? What's the rest of the HELO line? We can probably gather that information and report it. Thirdly, the version information can be returned to Nmap via the nmap.set_port_version() function. This could get tricky if it was already set to "Weblogic application server", but it could be returned in the extra_info field. Thanks! Dan
Attachment:
t3-connection.nse
Description: t3-connection.nse
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE script] t3 protocol alessandro.zanni (Oct 25)
- Re: [NSE script] t3 protocol Daniel Miller (Oct 25)
- RE : [NSE script] t3 protocol alessandro.zanni (Oct 28)
- Re: [NSE script] t3 protocol Daniel Miller (Oct 29)
- RE : [NSE script] t3 protocol alessandro.zanni (Oct 30)
- Re: RE : [NSE script] t3 protocol Daniel Miller (Oct 30)
- RE : [NSE script] t3 protocol alessandro.zanni (Oct 28)
- Re: [NSE script] t3 protocol Daniel Miller (Oct 25)