Nmap Development mailing list archives

Re: Fwd: hadoop and hbase information gathering


From: David Fifield <david () bamsoftware com>
Date: Mon, 31 Oct 2011 20:52:00 -0700

On Sun, Oct 30, 2011 at 10:46:33AM +0100, John Bond wrote:
> On 14 October 2011 00:14, John Bond <john.r.bond () gmail com> wrote:
> can you send me the output of the script with nmap -ddd (this will
> produce a lot of output, some of which you may want to scrub)
>
> @david it is not a simple task to set up hadoop, not sure if you can
> even run everything on the same box.  I'll try to build a vm or some
> guidelines this weekend. In the meantime the cloudera docs are good
> https://ccp.cloudera.com/display/DOC/Documentation
>
> After some feedback from Patrick I have updated the port rule to
> trigger on shortport.http.

Okay. I can see the reason for this. All these different scripts run
against different ports, but they are all HTTP. Patrick found that his
university's Hadoop ran on different ports than the default.

Using shortport.http should take these scripts out of default, I think,
because they will only get a response from a minority of web servers. I
might even modify the rule to be "got a service match for HTTP, but it
is *not* running on a common HTTP port." Then it could be default again.

I'm curious, what does a plain -sV scan output for these ports?
http://hadoop.apache.org/hdfs/docs/r0.21.0/hdfs_user_guide.html says
"The NameNode and Datanodes have built in web servers..." but we don't
have anything matching "Hadoop" in nmap-service-probes. If we could do a
quick check retrieval of /index.html (which would be cached) and use
that to control whether the other scripts run, then they could be
default too.

> However these changes have introduced another issue.  When using
> newtargets the port rule is not triggered, and therefore scripts don't
> run for the newtargets.  Haven't looked at this yet but wondered if it
> is a known issue?

Why doesn't the portrule trigger? Are the new targets running the same
services on the same ports?

> There is also an issue which occurs when the script thinks it
> discovers a new target which is actually the target being scanned.
> e.g. I'm scanning test.example.com which tells me that another
> service is running on test.example.com.  The script calls
> target.add("tes.example.com") which causes tes.example.com to get
> scanned for a second time.

It's a known issue. Let's not worry about it too much now. The target
may be scanned twice but not three times, as newtargets checks for
duplicate targets that it adds itself.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
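
The rule suggested in the message above ("got a service match for HTTP, but it is *not* running on a common HTTP port"), combined with the cached /index.html check, sketched as an NSE script. This is an added example, not code from the thread or from the Nmap project; the common-port list and the "hadoop" body marker are assumptions.

```lua
-- Added example, not from the thread. The port list and the "hadoop"
-- body marker are assumptions chosen for illustration.
local http = require "http"
local stdnse = require "stdnse"

description = [[Illustrative gate for HTTP-based information scripts.]]
categories = {"discovery", "safe"}

-- Assumed set of "common" web ports, where generic web servers dominate
-- and a Hadoop-specific request would almost always be wasted.
local COMMON_HTTP_PORTS = {
  [80] = true, [443] = true, [8000] = true, [8080] = true, [8443] = true,
}

-- True only when version detection (-sV) identified HTTP by probing,
-- not when the name was merely looked up from the port number.
local function http_by_probe(port)
  if port.service ~= "http" and port.service ~= "https" then
    return false
  end
  return port.version ~= nil and port.version.service_dtype == "probed"
end

portrule = function(host, port)
  if port.protocol ~= "tcp" or port.state ~= "open" then
    return false
  end
  if COMMON_HTTP_PORTS[port.number] then
    return false
  end
  return http_by_probe(port)
end

action = function(host, port)
  -- The http library caches GET responses, so sibling scripts that
  -- request the same path reuse this response instead of re-fetching.
  local response = http.get(host, port, "/index.html")
  if not (response and response.status == 200 and response.body) then
    return nil
  end
  -- Hypothetical marker: confirm it against a real deployment's page.
  if not response.body:lower():find("hadoop", 1, true) then
    stdnse.debug1("no Hadoop marker on port %d, skipping", port.number)
    return nil
  end
  return "HTTP service on an uncommon port looks like Hadoop"
end
```

Because the rule depends on a probed service match, it only fires when the scan includes -sV.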
