Nmap Development mailing list archives
Nmap Service probe for Erlang distribution node
From: Michael Schierl <schierlm () gmx de>
Date: Sun, 17 Mar 2013 21:57:24 +0100
[Please cc: me on any reply since I am not subscribed to the list]

Hello,

it is very useful that nmap can scan the Erlang port mapper and print mapped ports. However, sometimes the Erlang portmapper is blocked by a firewall, but blocking the ports of the individual Erlang nodes has been forgotten. Then you get a lot of "unknown" ports in your portscan. Therefore, I wrote a service probe for Erlang distribution nodes:
##############################NEXT PROBE##############################
# Sends a distribution handshake to an Erlang Distribution Node.
# http://erlang.org/doc/apps/erts/erl_dist_protocol.html#id90729
Probe TCP erlang-node q|\0\x0bn\0\0\0\0\x01\x04nm@p|
match erlang-node m|^\0\x03sok\0.n\0\0.{8}(.*)| p/Erlang Distribution Node/ i/Node name: $1/
match erlang-node m|^\0[^\x03]s(.*)| p/Erlang Distribution Node/ i/Status: $1/
The probe uses a send_name request of protocol version 0 (which is still supported by current nodes, to get responses from as many nodes as possible), with only the capability flags DFLAG_EXTENDED_REFERENCES and DFLAG_EXTENDED_PIDS_PORTS (those are required by the current version), and with a node name of "nm@p" (the node name needs to contain an @ sign to get a response at all, so I thought this name would be appropriate).

The first match matches a successful response (in fact two packets, a status packet with content "ok" and a challenge packet that contains the challenge and node name); the second match matches an error response (a status packet with a different content). The second match filters out status codes of length 2, since otherwise, due to the delay before the second packet is sent, nmap would always use the second match also for success messages (all other defined status codes are longer than "ok").

No port is assigned, since by default Erlang nodes bind to an ephemeral port (which makes it hard to block them individually by the firewall).

For testing, it should be sufficient to start up the Erlang shell with "erl -sname foo" after creating a ~/.erlang.cookie file with a random token in it. The response will look like this:
PORT     STATE SERVICE     VERSION
1079/tcp open  erlang-node Erlang Distribution Node (Node name: foo@yourhostname)
Thanks for adding,

Michael

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
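The handshake bytes the probe sends and the two response shapes its match lines distinguish, worked through in Python as an added example (not part of Michael's post or of nmap). The framing follows the version-0 send_name layout described above: a 2-byte big-endian length, the tag byte 'n', a 2-byte version, 4 bytes of capability flags, then the node name. The flag values are reconstructed from the probe's own bytes (0x0104 = DFLAG_EXTENDED_PIDS_PORTS | DFLAG_EXTENDED_REFERENCES), and the two sample responses are constructed here, not captured from a real node. This is the kind of check a defender can run against their own node to confirm what a scanner would learn from it.

```python
import re
import struct

# Capability flag values, reconstructed from the probe bytes \0\0\x01\x04
# (an assumption of this example, consistent with the post's description).
DFLAG_EXTENDED_REFERENCES = 0x004
DFLAG_EXTENDED_PIDS_PORTS = 0x100
VERSION = 0  # protocol version field in the version-0 send_name message


def build_send_name(node_name: bytes = b"nm@p") -> bytes:
    """Frame a version-0 send_name message exactly as the nmap probe does:
    2-byte length, 'n', 2-byte version, 4-byte flags, node name."""
    flags = DFLAG_EXTENDED_REFERENCES | DFLAG_EXTENDED_PIDS_PORTS
    body = b"n" + struct.pack(">HI", VERSION, flags) + node_name
    return struct.pack(">H", len(body)) + body


def read_frames(data: bytes) -> list:
    """Split the reply stream into its 2-byte-length-prefixed frames,
    stopping at a truncated trailing frame instead of mis-parsing it."""
    frames, pos = [], 0
    while pos + 2 <= len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        frame = data[pos + 2:pos + 2 + n]
        if len(frame) < n:
            break
        frames.append(frame)
        pos += 2 + n
    return frames


def classify_response(data: bytes) -> dict:
    """Structured view of what the probe's two match lines look for:
    an 's' status frame, followed on success by an 'n' challenge frame
    carrying version, flags, a 4-byte challenge and the node name."""
    frames = read_frames(data)
    if not frames or frames[0][:1] != b"s":
        return {"kind": "unknown"}
    status = frames[0][1:].decode("ascii", "replace")
    if status != "ok" or len(frames) < 2 or frames[1][:1] != b"n":
        # Error status, or the "ok" frame arrived before the challenge frame
        # (the delay the post mentions) and nothing else has been read yet.
        return {"kind": "status", "status": status}
    chal = frames[1]
    if len(chal) < 11:  # 'n' + version(2) + flags(4) + challenge(4)
        return {"kind": "status", "status": status}
    version, flags, challenge = struct.unpack(">HII", chal[1:11])
    return {
        "kind": "ok",
        "node": chal[11:].decode("ascii", "replace"),
        "version": version,
        "flags": flags,
        "challenge": challenge,
    }


# The probe's own match patterns, applied with Python's re for comparison.
# DOTALL is needed because the 8 flag/challenge bytes may contain 0x0a.
NMAP_OK = re.compile(rb"^\0\x03sok\0.n\0\0.{8}(.*)", re.DOTALL)
NMAP_STATUS = re.compile(rb"^\0[^\x03]s(.*)", re.DOTALL)


def nmap_match(data: bytes):
    """Return the (label, $1) pair the probe's match lines would report."""
    m = NMAP_OK.match(data)
    if m:
        return ("Node name", m.group(1).decode("ascii", "replace"))
    m = NMAP_STATUS.match(data)
    if m:
        return ("Status", m.group(1).decode("ascii", "replace"))
    return None


# Constructed sample replies (not captured from a real node):
# "ok" status frame + challenge frame with version 0, flags 0x104,
# challenge 0x01020304 and node name foo@yourhostname.
SAMPLE_OK = (b"\x00\x03sok"
             + b"\x00\x1bn\x00\x00\x00\x00\x01\x04\x01\x02\x03\x04foo@yourhostname")
# Error status frame carrying the handshake status "not_allowed".
SAMPLE_NOT_ALLOWED = b"\x00\x0csnot_allowed"

if __name__ == "__main__":
    print(build_send_name().hex())
    print(classify_response(SAMPLE_OK))
    print(nmap_match(SAMPLE_OK), nmap_match(SAMPLE_NOT_ALLOWED))
```

Both parsers agree on the constructed replies, but note one caveat the comparison surfaces: PCRE's `.` does not match a newline byte by default, so if a node's flags or random challenge happen to contain 0x0a the `.{8}` in the first match line will not fire; adding the `s` flag after the pattern (`m|...|s`) avoids that.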