Nmap Development mailing list archives

Re: [NSE] Mainframe (z/OS & z/VM) Network Job Entry (NJE) Node Name Brute Forcer


From: Main Framed <mainframed767 () gmail com>
Date: Tue, 3 Nov 2015 14:54:51 -0800

Those changes are so elegant and amazing.

I just tested your changes and it works great.

Scanned at 2015-11-03 12:10:18 PST for 14s
PORT    STATE SERVICE REASON  VERSION
175/tcp open  nje     syn-ack IBM Network Job Entry (JES)
| nje-node-brute:
|   Node Name:
|     Node Name:NEWYORK - Valid credentials
|_  Statistics: Performed 6 guesses in 7 seconds, average tps: 0
Final times for host: srtt: 48654 rttvar: 54760  to: 267694

In terms of defaults I've seen the domain name matching the node name a
bunch of times. Depending on the environment I've seen hostnames like
'sysplex1.lpar4.company.com' where lpar4 is the node name. I've seen places
where the hostname resolves to 'lpar4' and others where it's
lpar4.company.com. I wrote an iterator that takes an array from the
hostname and using unpwdb.concat_iterators tries hostname/subdomains first
before the list provided.

Nmap scan report for NEWYORK.COMPANY.COM (10.10.0.200)
Host is up, received conn-refused (0.058s latency).
Scanned at 2015-11-03 14:39:38 PST for 13s
PORT    STATE SERVICE REASON  VERSION
175/tcp open  nje     syn-ack IBM Network Job Entry (JES)
| nje-node-brute:
|   Node Name:
|     Node Name:NEWYORK - Valid credentials
|_  Statistics: Performed 6 guesses in 5 seconds, average tps: 1
Final times for host: srtt: 58082 rttvar: 63952  to: 313890


Feel free to adjust if there's a more elegant way of doing this.





On Mon, Nov 2, 2015 at 8:09 PM, Daniel Miller <bonsaiviking () gmail com>
wrote:

One other comment/question: instead of using the default username
iterator, is there a list of common LPAR names that we can iterate over? Is
the LPAR name like a hostname, so that we can begin with any discovered
hostnames?

Dan

On Fri, Sep 4, 2015 at 6:39 PM, Main Framed <mainframed767 () gmail com>
wrote:

NJE relies on node names for initial client handshake.

This script attempts to brute force the node name of a target mainframe.
It will likely be the LPAR name but not always. It relies on nje-info.nse,
submitted previously (which identifies the port running NJE).

This is my first brute-force script; I have others, so let me know if
there's anything wrong with it or if there are things I should change.

One question I had: generally a system will only have one node name. Is
there a way to get Brute to quit after finding the first valid cred?


--
Soldier of Fortran
@mainframed767

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/





-- 
Soldier of Fortran
@mainframed767

Attachment: nje-node-brute.nse
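The hostname-first iterator described in the message above (derive node-name guesses from the host's DNS names, then fall back to the normal username list via unpwdb.concat_iterators), written out as an added example. This is not the code from the attached nje-node-brute.nse; it assumes the standard NSE environment (the host table's targetname/name fields, the unpwdb and stdnse libraries), the 8-character JES node-name limit, and that the script hands the iterator to brute.Engine through its setUsernameIterator method.

```lua
-- Added example, not the attached script's code. Assumes the NSE libraries
-- unpwdb and stdnse and an NSE host table (host.targetname, host.name).
local unpwdb = require "unpwdb"
local stdnse = require "stdnse"

-- JES2/JES3 node names are 1-8 characters, so a DNS label longer than that
-- can never be the node name and is skipped.
local MAX_NODE_LEN = 8

-- Returns an ordered, de-duplicated table of node-name candidates taken
-- from the names Nmap already knows for the host. For
-- "sysplex1.lpar4.company.com" this yields
-- { "sysplex1", "lpar4", "company", "com" }: leftmost labels first, since
-- the LPAR/node label was observed early in the name.
local function node_candidates(host)
  local seen, out = {}, {}
  local function add(label)
    if label == "" or #label > MAX_NODE_LEN then
      return
    end
    local key = label:upper() -- "NEWYORK" and "newyork" count as one guess
    if not seen[key] then
      seen[key] = true
      out[#out + 1] = label
    end
  end
  -- host.targetname is the name given on the command line, host.name the
  -- reverse-DNS name; either may be missing, hence the "or" guards.
  for _, name in ipairs({ host.targetname or "", host.name or "" }) do
    for label in name:gmatch("[^%.]+") do
      add(label)
    end
  end
  return out
end

-- Username iterator for brute.Engine: hostname-derived candidates first,
-- then the regular unpwdb username list (which still honours the usual
-- userdb script argument). unpwdb.concat_iterators drains the first
-- iterator before touching the second.
local function node_name_iterator(host)
  local derived = unpwdb.table_iterator(node_candidates(host))
  local status, users = unpwdb.usernames()
  if not status then
    -- on failure 'users' holds the error string; use the derived names only
    stdnse.debug1("unpwdb.usernames failed: %s", tostring(users))
    return derived
  end
  return unpwdb.concat_iterators(derived, users)
end

-- Wiring inside the script's action (assumed Engine API, see lead-in):
--   local engine = brute.Engine:new(Driver, host, port)
--   engine.options.script_name = SCRIPT_NAME
--   engine:setUsernameIterator(node_name_iterator(host))
--   local status, result = engine:start()
```

Because the derived candidates are de-duplicated case-insensitively before the wordlist is appended, a node name that appears both as a DNS label and in the supplied list is still only sent once, which keeps the guess count in the Statistics line honest and avoids hitting the NJE listener twice for the same name.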

