Nmap Development mailing list archives

Re: [NSE] nrpe-enum running on 22/tcp


From: Patrick Donnelly <batrick () batbytes com>
Date: Mon, 31 Jan 2011 13:04:05 -0500

On Mon, Jan 31, 2011 at 11:16 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
> Hey all,
>
> When running nmap with --script '*', I saw that what I expected to be
> an SSH server was being detected as "nrpe" with bogus results for the
> script, similar to this:
>
> 22/tcp    open     nrpe                 Nagios Remote Plugin Executor 4.7p1 (protocol 1.99)
> | nrpe-enum:
> | Command             State  Response
> | check_hda1          nil    penSSH_4.7p1
> |
> | check_load          nil    penSSH_4.7p1
> |
> | check_total_procs   nil    penSSH_4.7p1
> |
> | check_users         nil    penSSH_4.7p1
> |
> |_check_zombie_procs  nil    penSSH_4.7p1
>
> Obviously, this is actually an SSH server, as evidenced by the OpenSSH
> banner. nrpe-enum.nse has this portrule:
>
> portrule = function(host, port)
>        return shortport.port_or_service(5666, "nrpe")
> end

This is a bug. It should be:

portrule = shortport.port_or_service(5666, "nrpe")

See: http://nmap.org/nsedoc/lib/shortport.html#port_or_service

-- 
- Patrick Donnelly
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
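Why the wrapped portrule matched 22/tcp, as an added example that is not part of the original message or of Nmap's own code: the wrapper returns the rule function instead of calling it, and in Lua a function is a true value, so the rule passes for every port. The `port_or_service` below is a simplified stand-in for the shortport helper, and the host and port tables are constructed sample data.

```lua
-- Simplified stand-in for shortport.port_or_service (assumption: this is not
-- the Nmap library code; it only mirrors the "returns a rule function" shape).
local function port_or_service(number, service)
  return function(host, port)
    return port.number == number or port.service == service
  end
end

-- Portrule as written in nrpe-enum.nse: the wrapper returns the rule
-- function itself instead of calling it.
local buggy_portrule = function(host, port)
  return port_or_service(5666, "nrpe")
end

-- Portrule as corrected in the reply: the rule function is the portrule.
local fixed_portrule = port_or_service(5666, "nrpe")

-- Constructed sample host and ports (not taken from a real scan).
local host = { ip = "192.0.2.10" }
local ports = {
  { number = 22,   service = "ssh" },
  { number = 5666, service = "nrpe" },
  { number = 80,   service = "http" },
}

-- A script is run when its portrule returns a true value. In Lua everything
-- except nil and false is true, including a function.
local function would_run(rule, port)
  if rule(host, port) then return true end
  return false
end

-- Print, per port, whether each version of the rule would select the script.
for _, port in ipairs(ports) do
  print(string.format("%5d/%-5s buggy=%-5s fixed=%s",
    port.number, port.service,
    tostring(would_run(buggy_portrule, port)),
    tostring(would_run(fixed_portrule, port))))
end
```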
