Nmap Development mailing list archives

Re: [NSE] Mainframe (z/OS & z/VM) Network Job Entry (NJE) Service Detection


From: Main Framed <mainframed767 () gmail com>
Date: Tue, 03 Nov 2015 00:30:47 +0000

Yeah. Those are the only two possible answers for nje.

Thanks for your help.

On Mon, Nov 2, 2015, 4:29 PM Daniel Miller <bonsaiviking () gmail com> wrote:

Great, we can add this. Softmatch is helpful when a later probe can
extract more information, or when it would be helpful to get service
fingerprint submissions from users. If this service only ever responds with
the NAK or ACK and no further data, then it's probably fine to make these
"match" lines instead.

Added in r35373.

Dan
On Nov 2, 2015 2:25 PM, "Main Framed" <mainframed767 () gmail com> wrote:

Yeah, after sending the previous email, I actually re-wrote it as a
service probe and sent it in an email on September 10th:
http://seclists.org/nmap-dev/2015/q3/291 as a diff (see below)

Is there a problem using match vs. softmatch?

(here's what I sent with your edits incorporated)

##############################NEXT PROBE##############################
# Queries z/OS Network Job Entry
# Sends an NJE Probe with the following information (text is converted to EBCDIC):
# TYPE        = OPEN
# OHOST       = FAKE
# RHOST       = FAKE
# RIP and OIP = 0.0.0.0
# R           = 0
# Based on http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hasa600/init.htm
Probe TCP nje q|\xd6\xd7\xc5\xd5\x40\x40\x40\x40\xc6\xc1\xd2\xc5\x40\x40\x40\x40\x00\x00\x00\x00\xc6\xc1\xd2\xc5\x40\x40\x40\x40\x00\x00\x00\x00\x00|
rarity 9
ports 175
sslports 2252
# If the port supports NJE it will respond with either a 'NAK' or 'ACK' in EBCDIC
softmatch nje m|^\xd5\xc1\xd2| p/IBM Network Job Entry (JES)/
softmatch nje m|^\xc1\xc3\xd2| p/IBM Network Job Entry (JES)/


On Sun, Nov 1, 2015 at 9:12 PM, Daniel Miller <bonsaiviking () gmail com>
wrote:

SoF,

This looks like another one that could be implemented as a service
probe. Try this out and see if it's a good match. If you have a better idea
for a probe that gets detailed information from the service like a banner
or other info, that'd be great, too:

##############################NEXT PROBE##############################
# Network Job Entry
# http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hasa600/intro.htm
Probe TCP NJE q|\xd6\xd7\xc5\xd5@@@@\xc6\xc1\xd2\xc5@@@@\0\0\0\0\xc6\xc1\xd2\xc5@@@@\0\0\0\0\0|
rarity 9
ports 175
sslports 2252

softmatch nje m|^\xd5\xc1\xd2| p|z/OS Network Job Entry|
softmatch nje m|^\xc1\xc3\xd2| p|z/OS Network Job Entry|

Dan

On Fri, Sep 4, 2015 at 6:17 PM, Main Framed <mainframed767 () gmail com>
wrote:

This is a new script which identifies open ports on a mainframe that
support Network Job Entry (or NJE).

You can read more about Network Job Entry here:
http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hasa600/intro.htm

The protocol is described here:
http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss?CTY=US&FNC=SRX&PBL=SA22-7539-02

A script is required because upon connection the port doesn't send any
information and waits for the 'client' to initiate the connection. This
script performs that initial connection to determine if it is NJE.



--
Soldier of Fortran
@mainframed767

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/





--
Soldier of Fortran
@mainframed767
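
Added example, not part of the original thread or of Nmap's code: a Python sketch that rebuilds the probe payload from the fields listed in its comments, decodes a captured copy of it (useful for recognising this scan in a packet capture), and applies the two NAK/ACK match patterns. The names `host1`/`host2`, the choice of the `cp037` code page and the sample replies are assumptions; the posted bytes do not show which of OHOST and RHOST comes first because both are `FAKE`.

```python
import socket

EBCDIC = "cp037"  # assumption: code page choice; A-Z and space encode the same in common EBCDIC pages

# Probe payload exactly as posted in the thread (33 bytes).
POSTED_PROBE = bytes.fromhex(
    "d6d7c5d540404040" "c6c1d2c540404040" "00000000"
    "c6c1d2c540404040" "00000000" "00"
)

def pad8(name):
    """Space-pad a name to 8 characters and encode it as EBCDIC."""
    if len(name) > 8:
        raise ValueError("field is limited to 8 characters")
    return name.upper().ljust(8).encode(EBCDIC)

def build_open(host1="FAKE", host2="FAKE", ip1="0.0.0.0", ip2="0.0.0.0", r=0):
    """Rebuild the record from the fields listed in the probe's comments."""
    return (pad8("OPEN") + pad8(host1) + socket.inet_aton(ip1)
            + pad8(host2) + socket.inet_aton(ip2) + bytes([r]))

def parse_record(data):
    """Decode a captured 33-byte record, e.g. to recognise this probe in a pcap."""
    if len(data) != 33:
        raise ValueError("expected 33 bytes, got %d" % len(data))
    text = lambda b: b.decode(EBCDIC).rstrip()
    return {
        "type": text(data[0:8]),
        "host1": text(data[8:16]), "ip1": socket.inet_ntoa(data[16:20]),
        "host2": text(data[20:28]), "ip2": socket.inet_ntoa(data[28:32]),
        "r": data[32],
    }

def classify(reply):
    """Apply the thread's two match patterns (^NAK or ^ACK in EBCDIC)."""
    for word in ("NAK", "ACK"):
        if reply.startswith(word.encode(EBCDIC)):
            return word
    return None

if __name__ == "__main__":
    print(build_open() == POSTED_PROBE, parse_record(POSTED_PROBE))
    # Constructed replies: only the first three bytes come from the thread.
    for reply in (b"\xd5\xc1\xd2", b"\xc1\xc3\xd2", b"SSH-2.0-x"):
        print(reply.hex(), classify(reply))
```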

