Nmap Development mailing list archives
Re: [NSE] Script to enhance mainframe TN3270 detection
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 2 Nov 2015 18:50:40 -0600
Phil,

I'm confused because these match lines seem mutually exclusive. Here's the match line you say matches with the current version:

    match telnet m|^\xff\xfd\x18$| p/Cisco or Edge-core switch telnetd/ d/switch/

That's an exact string match, so nothing but IAC DO TTYPE immediately upon connecting. But in order to match the tn3270 service with your dummy probes file, it would have to send IAC DO TN3270E (0x24) or a response including IAC DO Telnet 3270 regime (0x19).

I'm expanding the existing tn3270 match line to include any telnet banner including IAC DO for either of those 3270 types, but I'd need to know that the tn3270 Probe is successful in getting a response from services which do *not* include that in their banner before I can add that probe and match.

So does the probe work in those cases (which previously only responded positively to your script)?

Dan

On Mon, Nov 2, 2015 at 2:17 PM, Main Framed <mainframed767 () gmail com> wrote:

Hi Daniel,

So glad to hear back! You can call me Phil.

This is a great idea and I wish I had thought of it earlier! This is what I put in a dummy nmap-service-probes:

    Probe TCP NULL q||
    totalwaitms 1000
    match tn3270 m|^\xff\xfd\($| p/IBM Telnet TN3270/
    # General-purpose telnet softmatch
    softmatch telnet m=^(?:\xff(?:[\xfb-\xfe].|\xf0|\xfa..))+[\0-\x7f]=
    Probe TCP tn3270 q|\xff\xfb\x18\xff\xfa\x18\x00IBM-3279-4-E\xff\xf0|
    match tn3270 m|\xff\xfd\x19| p/IBM Telnet TN3270/

which results in:

    Nmap scan report for fake.fake (10.32.70.11)
    Host is up (0.090s latency).
    PORT     STATE SERVICE VERSION
    2323/tcp open  tn3270  IBM Telnet TN3270

Compared to the current SVN nmap-service-probes:

    Nmap scan report for fake.fake (10.32.70.11)
    Host is up (0.094s latency).
    PORT     STATE SERVICE VERSION
    2323/tcp open  telnet  Cisco or Edge-core switch telnetd
    Service Info: Device: switch

On Sun, Nov 1, 2015 at 8:50 PM, Daniel Miller <bonsaiviking () gmail com> wrote:

SoF,

Sorry it's taken me so long to get to your scripts! I hope to have them put through this week. I just had one final question on this one: Does the protocol require the back-and-forth of WILL TERMINAL TYPE/SEND TERMINAL TYPE/TERMINAL TYPE, or will it respond directly if we send the 3270 terminal type immediately? I ask because if so, then we can turn this into a service probe. Example:

    Probe NULL
    softmatch tn3270 m|^\xff\xfd\($| p/IBM Telnet TN3270/
    # General-purpose telnet softmatch
    softmatch telnet m=^(?:\xff(?:[\xfb-\xfe].|\xf0|\xfa..))+[\0-\x7f]=
    Probe TCP tn3270 q|\xff\xfb\x18\xff\xfa\x18\x00IBM-3279-4-E\xff\xf0|
    match tn3270 m|something that matches here|

Then we can start gathering specific match info from various versions, instead of simply identifying the service via this script. What do you think?

Dan

P.S. What's the best name to address you by?

On Fri, Sep 4, 2015 at 6:09 PM, Main Framed <mainframed767 () gmail com> wrote:

Based on the change to nmap-service-probes (previously submitted) this script will further help identify mainframes that only show up as telnet/telnets (due to IAC DO TTYPE).

--
Soldier of Fortran
@mainframed767

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

--
Soldier of Fortran
@mainframed767
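
An added example, not part of any message in this thread and not Nmap's own code: a small Python model of the match lines quoted above, run against constructed banners, showing that the two anchored NULL-probe lines can never both match one banner. It parses only the directives shown in the thread, treats a softmatch as a plain fallback (a simplification of Nmap's behaviour), and the names `load` and `identify` and the sample banners are assumptions made for the illustration.

```python
import re

# Directives quoted in the thread: the stock Cisco line plus Phil's dummy file.
PROBES = r"""
Probe TCP NULL q||
totalwaitms 1000
match telnet m|^\xff\xfd\x18$| p/Cisco or Edge-core switch telnetd/ d/switch/
match tn3270 m|^\xff\xfd\($| p/IBM Telnet TN3270/
# General-purpose telnet softmatch
softmatch telnet m=^(?:\xff(?:[\xfb-\xfe].|\xf0|\xfa..))+[\0-\x7f]=
Probe TCP tn3270 q|\xff\xfb\x18\xff\xfa\x18\x00IBM-3279-4-E\xff\xf0|
match tn3270 m|\xff\xfd\x19| p/IBM Telnet TN3270/
"""

# (match|softmatch) <service> m<delim><regex><delim> [p/<product>/]
LINE = re.compile(r"(match|softmatch) (\S+) m(.)(.*?)\3(?: p/([^/]*)/)?")

def load(text):
    """Return {probe name: [(kind, service, compiled regex, product), ...]}."""
    probes, current = {}, None
    for line in text.strip().splitlines():
        if line.startswith("Probe "):
            current = probes.setdefault(line.split()[2], [])
        elif (m := LINE.match(line)):
            kind, service, _, pattern, product = m.groups()
            # The escapes (\xff, \() are regex syntax, so compile them as bytes.
            current.append((kind, service, re.compile(pattern.encode("ascii")), product))
    return probes

def identify(probes, probe, response):
    """Simplified model: first hard match wins, a softmatch is only a fallback."""
    soft = None
    for kind, service, regex, product in probes[probe]:
        if regex.search(response):
            if kind == "match":
                return service, product
            soft = soft or (service, product)
    return soft

if __name__ == "__main__":
    db = load(PROBES)
    # Constructed banners, not captures from a real host.
    samples = [("NULL", b"\xff\xfd\x18"), ("NULL", b"\xff\xfd\x28"),
               ("NULL", b"\xff\xfb\x01\xff\xfb\x03login: "),
               ("tn3270", b"\xff\xfd\x19\xff\xfb\x19")]
    for probe, banner in samples:
        print(probe, banner.hex(" "), "->", identify(db, probe, banner))
```
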