Nmap Development mailing list archives

Re: [NSE script] t3 protocol

From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 29 Oct 2013 13:49:09 -0500

On 10/28/2013 08:52 AM, alessandro.zanni () bt com wrote:

I tried to improve my script following Daniel's advices.

After some tests, I found that both server responses (HELO.. and LGIN..) don't depend if an authentication has been implemented or not. I send many 
times the same command ("t3 1") on the same server without changing any configuration and I saw most of time "LGIN:Invalid parameter" 
response and sometime the "HELO" response. I am not able to explain why this different.

However the HELO response disclose some technical information. My weblogic server response was as following:
HELO:12.1.1.0.false
AS:2048
HL:19

With "12.1.1.0" the weblogic version (my new script print the version of the weblogic server if an HELO response is received). I couldn't determine 
at what correspond the "false" value. The "AS" and "HL" are quite generic (tests were done with old weblogic version and these 
parameters never changed).

I might be wrong but I think it couldn't be possible to know if the t3 protocole uses an authentication method by 
parsing the response received, because the authentication process is implemented on the JNDI objects.

Thanks,

Alessandro ZANNI

Alessandro,

I did some decompiling of the free development WebLogic server, andfound that the LGIN response is being sent because our T3 header ismalformed. It needs the AS (Abbreviation Size) and HL (Header Length)fields, too. The "false" is a boolean: hasTemporaryPatch.

I think you are right about authentication being implemented per-object.I'll probably continue to research this, but I think the script is aboutas far as it needs to be. I've attached an update with my contributions:

1. Tightened the portrule to match likely ports (TCP 7001-7003 or httpservice or product contains "WebLogic")

2. Renamed the script to weblogic-t3-info

3. Made the script a version-detection script so it will run with -sVand update the service information

4. Match the other possible return values to a T3 probe

Please test this and let us know if it works for you. I think we couldget this committed this week with a little testing.

Dan

Attachment: weblogic-t3-info.nse
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Current thread:

[NSE script] t3 protocol alessandro.zanni (Oct 25)
- Re: [NSE script] t3 protocol Daniel Miller (Oct 25)
  - RE : [NSE script] t3 protocol alessandro.zanni (Oct 28)
    - Re: [NSE script] t3 protocol Daniel Miller (Oct 29)
    - RE : [NSE script] t3 protocol alessandro.zanni (Oct 30)
    - Re: RE : [NSE script] t3 protocol Daniel Miller (Oct 30)