Re: [NSE] Script to enhance mainframe TN3270 detection

[Daniel Miller <bonsaiviking () gmail com>]

Phil,

I'm confused because these match lines seem mutually exclusive. Here's the
match line you say matches with the current version:

match telnet m|^\xff\xfd\x18$| p/Cisco or Edge-core switch telnetd/
d/switch/

That's an exact string match, so nothing but IAC DO TTYPE immediately upon
connecting. But in order to match the tn3270 service with your dummy probes
file, it would have to send IAC DO TN3270E (0x24) or a response including
IAC DO Telnet 3270 regime (0x19). I'm expanding the existing tn3270 match
line to include any telnet banner including IAC DO for either of those 3270
types, but I'd need to know that the tn3270 Probe is successful in getting
a response from services which do *not* include that in their banner before
I can add that probe and match.

So does the probe work in those cases (which previously only responded
positively to your script)?

Dan

On Mon, Nov 2, 2015 at 2:17 PM, Main Framed <mainframed767 () gmail com> wrote:

> Hi Daniel,
>
> So glad to hear back! You can call me Phil.
>
> This is a great idea and I wish I had thought of it earlier!
>
> This is what I put in a dummy nmap-service-probes:
>
> Probe TCP NULL q||
>
> totalwaitms 1000
>
> match tn3270 m|^\xff\xfd\($| p/IBM Telnet TN3270/
>
> # General-purpose telnet softmatch
>
> softmatch telnet m=^(?:\xff(?:[\xfb-\xfe].|\xf0|\xfa..))+[\0-\x7f]=
>
>
>
> Probe TCP tn3270 q|\xff\xfb\x18\xff\xfa\x18\x00IBM-3279-4-E\xff\xf0|
>
> match tn3270 m|\xff\xfd\x19| p/IBM Telnet TN3270/
>
> which results in:
>
> Nmap scan report for fake.fake (10.32.70.11)
> Host is up (0.090s latency).
> PORT     STATE SERVICE VERSION
> 2323/tcp open  tn3270  IBM Telnet TN3270
>
>
> Compared to the current SVN nmap-service-probes:
>
> Nmap scan report for fake.fake (10.32.70.11)
> Host is up (0.094s latency).
> PORT     STATE SERVICE VERSION
> 2323/tcp open  telnet  Cisco or Edge-core switch telnetd
> Service Info: Device: switch
>
>
>
>
>
>
> On Sun, Nov 1, 2015 at 8:50 PM, Daniel Miller <bonsaiviking () gmail com>
> wrote:
>
> > SoF,
> >
> > Sorry it's taken me so long to get to your scripts! I hope to have them
> > put through this week. I just had one final question on this one: Does the
> > protocol require the back-and-forth of WILL TERMINAL TYPE/SEND TERMINAL
> > TYPE/TERMINAL TYPE, or will it respond directly if we send the 3270
> > terminal type immediately? I ask because if so, then we can turn this into
> > a service probe. Example:
> >
> > Probe NULL
> > softmatch tn3270 m|^\xff\xfd\($| p/IBM Telnet TN3270/
> > # General-purpose telnet softmatch
> > softmatch telnet m=^(?:\xff(?:[\xfb-\xfe].|\xf0|\xfa..))+[\0-\x7f]=
> >
> > Probe TCP tn3270 q|\xff\xfb\x18\xff\xfa\x18\x00IBM-3279-4-E\xff\xf0|
> >
> > match tn3270 m|something that matches here|
> >
> > Then we can start gathering specific match info from various versions,
> > instead of simply identifying the service via this script. What do you
> > think?
> >
> > Dan
> >
> > P.S. What's the best name to address you by?
> >
> > On Fri, Sep 4, 2015 at 6:09 PM, Main Framed <mainframed767 () gmail com>
> > wrote:
> >
> > > Based on the change to nmap-service-probes (previously submitted) this
> > > script will further help identify mainframes that only show up as
> > > telnet/telnets (due to IAC DO TTYPE).
> > >
> > > --
> > > Soldier of Fortran
> > > @mainframed767
> > >
> > > _______________________________________________
> > > Sent through the dev mailing list
> > > https://nmap.org/mailman/listinfo/dev
> > > Archived at http://seclists.org/nmap-dev/
>
>
> --
> Soldier of Fortran
> @mainframed767
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/