Nmap Development mailing list archives
[NSE] nrpe-enum running on 22/tcp
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 31 Jan 2011 10:16:05 -0600
Hey all,
When running nmap with --script '*', I saw that what I expected to be
an SSH server was being detected as "nrpe" with bogus results for the
script, similar to this:
22/tcp open nrpe Nagios Remote Plugin Executor
4.7p1 (protocol 1.99)
| nrpe-enum:
| Command State Response
| check_hda1 nil penSSH_4.7p1
|
| check_load nil penSSH_4.7p1
|
| check_total_procs nil penSSH_4.7p1
|
| check_users nil penSSH_4.7p1
|
|_check_zombie_procs nil penSSH_4.7p1
Obviously, this is actually an SSH server, as evidenced by the OpenSSH
banner. nrpe-enum.nse has this portrule:
portrule = function(host, port)
  return shortport.port_or_service(5666, "nrpe")
end
which I do not think should have triggered. I've confirmed this
behavior with a separate SSH server as well (-v9 -d9 --script-trace
attached)
Dan
P.S. Separate issue that doesn't merit its own message: in
ndiff.HostDiff.print_text, the author sets host_b = self.host_b, but
later uses self.host_b directly. Not a bug, not significant, but this
patch will make it match the rest of the code in the function:
--- ndiff/ndiff 2011-01-31 09:50:26.939540874 -0600
+++ ../ndiff.py 2011-01-31 09:14:11.075062496 -0600
@@ -525,7 +525,7 @@
if self.id_changed:
if host_a.state is not None:
print >> f, u"-%s:" % host_a.format_name()
- if self.host_b.state is not None:
+ if host_b.state is not None:
print >> f, u"+%s:" % host_b.format_name()
else:
print >> f, u" %s:" % host_a.format_name()
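Review bot: the file headers compare two different paths (`ndiff/ndiff` against `../ndiff.py`), so this will not apply cleanly from the source tree with a plain `patch -p0` or `-p1`; regenerating the diff from the tree root against the same file name on both sides would fix that. On the changed line itself (`if host_b.state is not None:`), the hunk context does not show the `host_b = self.host_b` assignment that the message mentions, so it is worth confirming that the local is bound before line 525 on every path that reaches this branch. With that confirmed, the change is behaviour-neutral and matches the `host_b.format_name()` call on the following line.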
Attachment:
nrpe-trace.txt
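
Added example, not part of the original message or of Nmap's code: a stand-alone Lua sketch of why the portrule quoted in the message matches every port. The `shortport` table here is a simplified stand-in for the NSE library, and `would_run`, the host and the port list are constructed for illustration; it assumes the engine runs a script whenever the rule's result is truthy.

```lua
-- Simplified stand-in for NSE's shortport.port_or_service (assumption: the
-- real function accepts more argument forms; what matters here is that it
-- returns a rule function rather than a boolean).
local shortport = {}
function shortport.port_or_service(number, service)
  return function(host, port)
    return port.number == number or port.service == service
  end
end

-- Rule as quoted in the message: it returns the matcher function itself,
-- never the matcher's verdict for this particular port.
local function quoted_portrule(host, port)
  return shortport.port_or_service(5666, "nrpe")
end

-- Rule that uses the matcher's verdict: assign the returned function directly.
local direct_portrule = shortport.port_or_service(5666, "nrpe")

-- Hypothetical helper modelling the engine's decision. In Lua every value
-- except nil and false is true, and a function value is neither.
local function would_run(rule, host, port)
  if rule(host, port) then
    return true
  end
  return false
end

-- Constructed sample data.
local host = { ip = "192.0.2.10" }
local ports = {
  { number = 22,   service = "ssh"  },
  { number = 5666, service = "nrpe" },
  { number = 8080, service = "nrpe" },
}

for _, port in ipairs(ports) do
  print(string.format("%5d/%-5s quoted=%-5s direct=%s",
    port.number, port.service,
    tostring(would_run(quoted_portrule, host, port)),
    tostring(would_run(direct_portrule, host, port))))
end
```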
