Re: [NSE] Mainframe (z/OS & z/VM) Network Job Entry (NJE) Service Detection

[Main Framed <mainframed767 () gmail com>]

Yeah, after sending the previous email, I actually re-wrote it as a service
probe and sent it in an email on September 10th:
http://seclists.org/nmap-dev/2015/q3/291 as a diff (see below)

Is there a problem using match vs. softmatch?

(here's what I sent with your edits incorporated)

##############################NEXT PROBE##############################
# Queries z/OS Network Job Entry
# Sends an NJE Probe with the following information (text is converted
to EBCDIC):
# TYPE        = OPEN
# OHOST       = FAKE
# RHOST       = FAKE
# RIP and OIP = 0.0.0.0
# R           = 0
# Based on http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hasa600/init.htm
Probe TCP nje 
q|\xd6\xd7\xc5\xd5\x40\x40\x40\x40\xc6\xc1\xd2\xc5\x40\x40\x40\x40\x00\x00\x00\x00\xc6\xc1\xd2\xc5\x40\x40\x40\x40\x00\x00\x00\x00\x00|
rarity 9
ports 175
sslports 2252
# If the port supports NJE it will respond with either a 'NAK' or
'ACK' in EBCDIC
softmatch nje m|^\xd5\xc1\xd2| p/IBM Network Job Entry (JES)/
softmatch nje m|^\xc1\xc3\xd2| p/IBM Network Job Entry (JES)/


On Sun, Nov 1, 2015 at 9:12 PM, Daniel Miller <bonsaiviking () gmail com>
wrote:

> SoF,
>
> This looks like another one that could be implemented as a service probe.
> Try this out and see if it's a good match. If you have a better idea for a
> probe that gets detailed information from the service like a banner or
> other info, that'd be great, too:
>
> ##############################NEXT PROBE##############################
> # Network Job Entry
> #
> http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hasa600/intro.htm
> Probe TCP NJE q|\xd6\xd7\xc5\xd5@@@@\xc6\xc1\xd2\xc5@
> @@@\0\0\0\0\xc6\xc1\xd2\xc5@@@@\0\0\0\0\0|
> rarity 9
> ports 175
> sslports 2252
>
> softmatch nje m|^\xd5\xc1\xd2| p|z/OS Network Job Entry|
> softmatch nje m|^\xc1\xc3\xd2| p|z/OS Network Job Entry|
>
> Dan
>
> On Fri, Sep 4, 2015 at 6:17 PM, Main Framed <mainframed767 () gmail com>
> wrote:
>
> > This is a new script which identifies open ports on a mainframe that
> > support Network Job Entry (or NJE).
> >
> > You can read more about Network Job Entry here:
> > http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hasa600/intro.htm
> >
> > The protocol is described here:
> > http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss?CTY=US&FNC=SRX&PBL=SA22-7539-02
> >
> > A script is required because upon connection the port doesn't send any
> > information and waits for the 'client' to initiate the connection. This
> > script performs that initial connection to determine if it is NJE.
> >
> >
> >
> > --
> > Soldier of Fortran
> > @mainframed767
> >
> > _______________________________________________
> > Sent through the dev mailing list
> > https://nmap.org/mailman/listinfo/dev
> > Archived at http://seclists.org/nmap-dev/


-- 
Soldier of Fortran
@mainframed767

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/