Nmap Development mailing list archives
Re: [NSE] Script to enhance mainframe TN3270 detection
From: Main Framed <mainframed767 () gmail com>
Date: Mon, 2 Nov 2015 12:17:59 -0800
Hi Daniel,

So glad to hear back! You can call me Phil.

This is a great idea and I wish I had thought of it earlier! This is what I put in a dummy nmap-service-probes:

Probe TCP NULL q||
totalwaitms 1000
match tn3270 m|^\xff\xfd\($| p/IBM Telnet TN3270/
# General-purpose telnet softmatch
softmatch telnet m=^(?:\xff(?:[\xfb-\xfe].|\xf0|\xfa..))+[\0-\x7f]=

Probe TCP tn3270 q|\xff\xfb\x18\xff\xfa\x18\x00IBM-3279-4-E\xff\xf0|
match tn3270 m|\xff\xfd\x19| p/IBM Telnet TN3270/

which results in:

Nmap scan report for fake.fake (10.32.70.11)
Host is up (0.090s latency).
PORT     STATE SERVICE VERSION
2323/tcp open  tn3270  IBM Telnet TN3270

Compared to the current SVN nmap-service-probes:

Nmap scan report for fake.fake (10.32.70.11)
Host is up (0.094s latency).
PORT     STATE SERVICE VERSION
2323/tcp open  telnet  Cisco or Edge-core switch telnetd
Service Info: Device: switch

On Sun, Nov 1, 2015 at 8:50 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
SoF,

Sorry it's taken me so long to get to your scripts! I hope to have them put through this week. I just had one final question on this one: Does the protocol require the back-and-forth of WILL TERMINAL TYPE/SEND TERMINAL TYPE/TERMINAL TYPE, or will it respond directly if we send the 3270 terminal type immediately? I ask because if so, then we can turn this into a service probe. Example:

Probe NULL
softmatch tn3270 m|^\xff\xfd\($| p/IBM Telnet TN3270/
# General-purpose telnet softmatch
softmatch telnet m=^(?:\xff(?:[\xfb-\xfe].|\xf0|\xfa..))+[\0-\x7f]=

Probe TCP tn3270 q|\xff\xfb\x18\xff\xfa\x18\x00IBM-3279-4-E\xff\xf0|
match tn3270 m|something that matches here|

Then we can start gathering specific match info from various versions, instead of simply identifying the service via this script. What do you think?

Dan

P.S. What's the best name to address you by?

On Fri, Sep 4, 2015 at 6:09 PM, Main Framed <mainframed767 () gmail com> wrote:

Based on the change to nmap-service-probes (previously submitted) this script will further help identify mainframes that only show up as telnet/telnets (due to IAC DO TTYPE).

--
Soldier of Fortran
@mainframed767
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
-- Soldier of Fortran @mainframed767
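The two-stage match discussed in this message, as an added example (not code from the thread or from Nmap): it decodes the telnet negotiation bytes and applies the quoted patterns in the order the probes would fire. The function names `decode` and `classify` and the sample banners are constructed for illustration; the option numbers are the standard telnet assignments.

```python
import re

IAC, SB = 0xFF, 0xFA
CMDS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
# Standard telnet option numbers relevant to TN3270 negotiation.
OPTS = {0x00: "BINARY", 0x18: "TERMINAL-TYPE", 0x19: "END-OF-RECORD", 0x28: "TN3270E"}

# Patterns and probe payload copied from the probes quoted in the thread.
NULL_TN3270 = re.compile(rb"^\xff\xfd\($")        # IAC DO TN3270E, nothing else
TELNET_SOFT = re.compile(rb"^(?:\xff(?:[\xfb-\xfe].|\xf0|\xfa..))+[\0-\x7f]")
TTYPE_PROBE = b"\xff\xfb\x18\xff\xfa\x18\x00IBM-3279-4-E\xff\xf0"
TTYPE_REPLY = re.compile(rb"\xff\xfd\x19")        # IAC DO END-OF-RECORD

def decode(data):
    """Turn raw telnet bytes into readable negotiation tokens."""
    out, i = [], 0
    while i < len(data):
        if data[i] != IAC:                         # plain data up to the next IAC
            j = data.find(b"\xff", i)
            j = len(data) if j < 0 else j
            out.append(("DATA", data[i:j]))
            i = j
        elif i + 2 < len(data) + 0 and data[i + 1] in CMDS:
            opt = data[i + 2]
            out.append((CMDS[data[i + 1]], OPTS.get(opt, hex(opt))))
            i += 3
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(b"\xff\xf0", i + 2)    # subnegotiation ends at IAC SE
            if end < 0:
                out.append(("UNPARSED", data[i:]))
                break
            out.append(("SB", data[i + 2:end]))
            i = end + 2
        else:                                      # truncated or unhandled command
            out.append(("UNPARSED", data[i:]))
            break
    return out

def classify(null_banner, ttype_reply=b""):
    """null_banner: bytes seen before sending anything; ttype_reply: answer to TTYPE_PROBE."""
    if NULL_TN3270.search(null_banner) or TTYPE_REPLY.search(ttype_reply):
        return "tn3270"
    if TELNET_SOFT.search(null_banner):
        return "telnet (softmatch)"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample banners, not captures from a real host.
    print(decode(TTYPE_PROBE))
    print(classify(b"\xff\xfd\x28"))
    print(classify(b"\xff\xfd\x18", b"\xff\xfd\x19"))
    print(classify(b"\xff\xfd\x18\xff\xfb\x01\r\nlogin: "))
```

A banner consisting only of IAC DO TERMINAL-TYPE matches neither NULL-probe pattern on its own, so the result for such a host depends on the reply to the second probe.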