Nmap Development mailing list archives
[NSE] nrpe-enum running on 22/tcp
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 31 Jan 2011 10:16:05 -0600
Hey all,

When running nmap with --script '*', I saw that what I expected to be an SSH server was being detected as "nrpe" with bogus results for the script, similar to this:

22/tcp open nrpe Nagios Remote Plugin Executor 4.7p1 (protocol 1.99)
| nrpe-enum:
| Command State Response
| check_hda1 nil penSSH_4.7p1
|
| check_load nil penSSH_4.7p1
|
| check_total_procs nil penSSH_4.7p1
|
| check_users nil penSSH_4.7p1
|
|_check_zombie_procs nil penSSH_4.7p1

Obviously, this is actually an SSH server, as evidenced by the OpenSSH banner. nrpe-enum.nse has this portrule:

portrule = function(host, port)
    return shortport.port_or_service(5666, "nrpe")
end

which I do not think should have triggered. I've confirmed this behavior with a separate SSH server as well (-v9 -d9 --script-trace attached)

Dan

P.S. Separate issue that doesn't merit its own message: in ndiff.HostDiff.print_text, the author sets host_b = self.host_b, but later uses self.host_b directly. Not a bug, not significant, but this patch will make it match the rest of the code in the function:

--- ndiff/ndiff 2011-01-31 09:50:26.939540874 -0600 +++ ../ndiff.py 2011-01-31 09:14:11.075062496 -0600 @@ -525,7 +525,7 @@ if self.id_changed: if host_a.state is not None: print >> f, u"-%s:" % host_a.format_name() - if self.host_b.state is not None: + if host_b.state is not None: print >> f, u"+%s:" % host_b.format_name() else: print >> f, u" %s:" % host_a.format_name()
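
Review bot: the file headers disagree (`--- ndiff/ndiff` against `+++ ../ndiff.py`), so the patch does not say unambiguously which file it targets; regenerating it from the top of the source tree so that both headers read ndiff/ndiff would let it be applied without guessing. The one-line change at the `if self.host_b.state is not None:` test is consistent with the visible context, since the very next line already calls `host_b.format_name()` on the local, but the hunk does not show whether other direct uses of `self.host_b` remain elsewhere in print_text, which is worth a quick check so the function ends up uniform throughout.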
Attachment:
nrpe-trace.txt
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/