Nmap Development mailing list archives
[NSE] hadoop-* / hbase-* - false positives
From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 02 Mar 2013 10:50:52 -0600
All,

The hadoop-* and hbase-* family of scripts will generate false positives against any HTTP service that returns status code 200 when any page is requested. There are quite a few "broken" web services that will return 200 to any request.

The following scripts have been verified to be affected:

hadoop-datanode-info.nse
hadoop-jobtracker-info.nse
hadoop-namenode-info.nse
hadoop-tasktracker-info.nse
hbase-master-info.nse
hbase-region-info.nse

In the case of these scripts the issue is somewhat more problematic as they overwrite any fingerprint that has already been applied to the port.

These scripts should probably be reworked to positively match content that is known to always be on pages. Alternately, the version detection logic should be moved further down in the logic after a more solid match is made.

For example, in hbase-master-info.nse, on lines 70 and 71 the port name and version are overwritten. This should probably be moved down into body:match sections below.

Unfortunately I can't lab this software in order to provide specific recommendations.

Thoughts?

Thanks much,

Tom

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
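The ordering proposed in the message above, sketched as an added example that is not part of the original post and not code from the Nmap scripts: a probe for catch-all 200 responses, then a positive content match, and only then an overwrite of the port fingerprint. It is plain Lua with a stubbed HTTP fetch so it runs without Nmap; the responses, the marker string, the service name and the function names are all constructed or hypothetical.

```lua
-- Constructed responses standing in for two HTTP services (not real captures).
local CATCH_ALL = { default = { status = 200, body = "<html>Welcome</html>" } }
local PRODUCT_LIKE = {
  ["/master.jsp"] = { status = 200,
                      body = "<h1>EXAMPLE-PRODUCT-MARKER</h1> version 1.2.3" },
  default = { status = 404, body = "Not Found" },
}

-- Stub for an HTTP GET: look the path up in the constructed service table.
local function http_get(service, path)
  return service[path] or service.default
end

-- Hypothetical marker; a real one must come from a lab install of the product.
local MARKER = "EXAMPLE%-PRODUCT%-MARKER"

-- Returns a new fingerprint only after a solid match; otherwise returns the
-- fingerprint already applied to the port, untouched.
local function fingerprint(service, path, existing)
  -- 1. Request a path that cannot exist. A 200 here means the server
  --    answers 200 to anything, so status codes carry no information.
  local probe = http_get(service, "/nonexistent-" .. math.random(100000, 999999))
  local resp = http_get(service, path)
  if resp.status ~= 200 or not resp.body then
    return existing
  end
  if probe.status == 200 and probe.body == resp.body then
    return existing          -- same page for every URL: not our product
  end
  -- 2. Require content that is known to be on the real page.
  if not resp.body:match(MARKER) then
    return existing
  end
  -- 3. Only now overwrite the port name and version.
  return { name = "example-product",
           version = resp.body:match("version ([%d%.]+)") }
end

-- Fingerprint set earlier in the scan (constructed).
local prior = { name = "http", product = "previously detected server" }

-- Catch-all server: the earlier fingerprint must survive.
assert(fingerprint(CATCH_ALL, "/master.jsp", prior) == prior)

-- Server that really serves the marker: fingerprint is replaced.
local hit = fingerprint(PRODUCT_LIKE, "/master.jsp", prior)
assert(hit.name == "example-product" and hit.version == "1.2.3")
print("catch-all left untouched; positive match set version " .. hit.version)
```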