Nmap Development mailing list archives

Re: [NSE] TN3270 version script


From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 28 Aug 2015 15:04:51 -0500

Phil,

I'm excited to see better mainframe support in NSE! I think we should
carefully consider how this script and others may interact so that we build
a good picture of the target and allow scripts to properly inform each
other.

A quick check through nmap-service-probes shows that we have at least one
probe match for the same TN3270 service:

Probe TCP NULL q||
match telnet m|^\xff\xfd\($| p|IBM OS/390 or SNA telnetd|

So in this case we label it telnet, since it's using the Telnet option
negotiation mechanism. This is used as a signal to other scripts like
telnet-brute and telnet-encryption that the port in question should be
probed further. Do these scripts make sense running against tn3270? Or
should TN3270 be really treated like a different service altogether?

Your script also looks for a response of "\xff\xfd\x18", the Terminal Type
option. This option is obviously used by more telnet daemons than just
TN3270-capable ones, but yours specifically will only match those that send
no other options. Is this always the case, or should the script attempt to
negotiate TN3270 with any telnetd that asks for Terminal Type, even among
other options?

Once we answer these questions, we can move into more
implementation-related issues like what portrule would be best (my guess
would be some invocation of shortport.version_port_or_service [1]), using
comm.tryssl [2] instead of tn_open, and how to best report the script's
findings.

Thanks again for sharing your work with us!

Dan

[1] https://nmap.org/nsedoc/lib/shortport.html#version_port_or_service
[2] https://nmap.org/nsedoc/lib/comm.html#tryssl

On Wed, Aug 26, 2015 at 1:30 PM, Phil <mainframed767 () gmail com> wrote:

Hi,

This script enhances the version detection for mainframes (or others, but
mostly mainframes) running TN3270 and appropriately identifies ports which
support TN3270 (either through IAC DO TN3270E or through the more common
IAC SEND TTYPE).


Output:
PORT    STATE SERVICE    VERSION
23/tcp  open  tn3270     Telnet TN3270
992/tcp open  ssl/tn3270 Telnet TN3270 w/SSL

This is my first NSE script submission so let me know if there’s anything
I’ve missed or need to change.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
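An added worked example, written for this archive page and not code from Dan, Phil, or the Nmap project: a small parser for the Telnet option negotiation a server sends on connect, classifying the response along the lines the thread discusses. The nmap-service-probes line matches an exact three-byte `IAC DO TN3270E` reply (`\xff\xfd\x28`, where 0x28 is `(`); the submitted script looks for `IAC DO TERMINAL-TYPE` (`\xff\xfd\x18`) with no other options present. The option numbers (TERMINAL-TYPE = 24, TN3270E = 40) are from RFC 1091 and RFC 2355; the sample responses are constructed, and the labels returned by `classify` are this example's own names, not Nmap service names.

```python
"""Classify a Telnet server's opening option negotiation.

Added example for the thread above (not Nmap or NSE code). It separates the
cases discussed there: an exact IAC DO TN3270E reply (what nmap-service-probes
matches), IAC DO TERMINAL-TYPE sent alone (what the submitted script matches),
and TERMINAL-TYPE mixed in with other options (the open question in the thread).
"""
import re

# Telnet command bytes (RFC 854) and the two options the thread talks about.
IAC, SE, SB, WILL, WONT, DO, DONT = 0xFF, 0xF0, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE
VERB_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPT_TTYPE = 0x18    # TERMINAL-TYPE, RFC 1091 (option 24)
OPT_TN3270E = 0x28  # TN3270E, RFC 2355 (option 40, the '(' in the probe match)

# The nmap-service-probes match from the thread: ^\xff\xfd\($ -> exactly IAC DO TN3270E.
OS390_PROBE = re.compile(rb"^\xff\xfd\($")


def parse_negotiation(data: bytes):
    """Return [(verb, option), ...] from a raw Telnet byte stream.

    WILL/WONT/DO/DONT become ("DO", opt) etc.; a subnegotiation
    IAC SB <opt> ... IAC SE becomes ("SB", opt). Banner text (non-IAC
    bytes) is skipped and a truncated sequence ends parsing rather than
    raising, since a partial read is normal when probing.
    """
    cmds = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            i += 1                      # plain data byte, e.g. banner text
            continue
        if i + 1 >= n:
            break                       # lone IAC at end: truncated
        verb = data[i + 1]
        if verb == IAC:
            i += 2                      # escaped 0xff data byte
        elif verb in VERB_NAMES:
            if i + 2 >= n:
                break                   # verb without its option byte
            cmds.append((VERB_NAMES[verb], data[i + 2]))
            i += 3
        elif verb == SB:
            if i + 2 >= n:
                break
            end = data.find(bytes([IAC, SE]), i + 3)
            if end == -1:
                break                   # unterminated subnegotiation
            cmds.append(("SB", data[i + 2]))
            i = end + 2
        else:
            i += 2                      # NOP, GA, AYT, ... carry no option
    return cmds


def matches_os390_probe(data: bytes) -> bool:
    """True only for the exact reply the nmap-service-probes line matches."""
    return OS390_PROBE.match(data) is not None


def classify(data: bytes) -> str:
    """Label the negotiation the way the thread distinguishes the cases.

    'tn3270e'     -> server asked DO TN3270E (with or without other options)
    'ttype-only'  -> TERMINAL-TYPE is the only option negotiated
    'ttype-mixed' -> TERMINAL-TYPE appears alongside other options
    'telnet'      -> neither option seen (plain telnetd, banner, truncated)
    """
    opts = {opt for _verb, opt in parse_negotiation(data)}
    if OPT_TN3270E in opts:
        return "tn3270e"
    if OPT_TTYPE in opts:
        return "ttype-only" if opts == {OPT_TTYPE} else "ttype-mixed"
    return "telnet"


# Constructed sample responses (not captures from any real host).
SAMPLES = {
    "exact DO TN3270E":            b"\xff\xfd(",
    "DO TN3270E plus DO TTYPE":    b"\xff\xfd(\xff\xfd\x18",
    "DO TTYPE alone":              b"\xff\xfd\x18",
    "SB TTYPE SEND alone":         b"\xff\xfa\x18\x01\xff\xf0",
    "DO TTYPE with WILL ECHO":     b"\xff\xfd\x18\xff\xfb\x01",
    "plain banner":                b"Welcome to host\r\n",
    "truncated IAC DO":            b"\xff\xfd",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:28} -> {classify(raw):12} nmap os390 match: {matches_os390_probe(raw)}")
```

The point the example makes concrete: the two existing signals do not overlap. The service probe fires only on a bare `IAC DO TN3270E`, while a TTYPE-based check has to decide what to do when TERMINAL-TYPE arrives with other options, which is exactly the question Dan raises; `classify` keeps those cases apart so a script can choose its policy explicitly rather than by accident of the regex.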
