Nmap Development mailing list archives

Nmap Service probe for Erlang distribution node


From: Michael Schierl <schierlm () gmx de>
Date: Sun, 17 Mar 2013 21:57:24 +0100

[Please cc: me on any reply since I am not subscribed to the list]

Hello,

it is very useful that nmap can scan the Erlang port mapper and print
mapped ports. However, sometimes the Erlang port mapper is blocked by a
firewall but someone forgets to block the ports of the individual
Erlang nodes. Then you get a lot of "unknown" ports in your portscan.

Therefore, I wrote a service probe for Erlang distribution nodes:

##############################NEXT PROBE##############################
# Sends a distribution handshake to an Erlang Distribution Node.
# http://erlang.org/doc/apps/erts/erl_dist_protocol.html#id90729
Probe TCP erlang-node q|\0\x0bn\0\0\0\0\x01\x04nm@p|
match erlang-node m|^\0\x03sok\0.n\0\0.{8}(.*)| p/Erlang Distribution Node/ i/Node name: $1/
match erlang-node m|^\0[^\x03]s(.*)| p/Erlang Distribution Node/ i/Status: $1/

The probe uses a send_name request of protocol version 0 (which is still
supported by current nodes, to get responses from as many nodes as
possible), with only the capability flags DFLAG_EXTENDED_REFERENCES and
DFLAG_EXTENDED_PIDS_PORTS (those are required by current versions), and
with a node name of "nm@p" (the node name needs to contain an @ sign to get
a response at all, so I thought this name would be appropriate). The
first match matches a successful response (in fact two packets, a status
packet with content "ok" and a challenge packet that contains the
challenge and node name); the second match matches an error response (a
status packet with different content). The second match filters out status
codes of length 2, since otherwise, due to the delay before the second
packet is sent, nmap would always use the second probe also for success
messages (all other defined status codes are longer than "ok").

No port is assigned since, by default, Erlang nodes bind to an
ephemeral port (which makes it hard to block them individually at the
firewall).

For testing, it should be sufficient to start up the Erlang shell with
"erl -sname foo" after creating a ~/.erlang.cookie file with a random
token in it. The response will look like this:

PORT     STATE SERVICE     VERSION
1079/tcp open  erlang-node Erlang Distribution Node (Node name: foo@yourhostname)


Thanks for adding,


Michael
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
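The handshake the probe relies on, as an added example that is not part of the original post or of nmap's own code: it builds the same send_name packet the probe sends (version 0, flags 0x104, name nm@p), constructs the two kinds of reply a node can send back (a status packet with "ok" followed by a challenge packet, or a status packet alone with a different status), parses them, and applies the post's two match expressions translated to Python byte regexes. The node name foo@yourhostname, the challenge value and the not_allowed status are constructed sample data, not captured traffic; the packet layout follows the erl_dist_protocol page linked in the probe comment.

```python
"""Build the send_name probe from the post and parse the two kinds of reply.

Added example, not code from the original post or from nmap. The sample
replies below are constructed here, not captured from a real node.
"""
import re
import struct

DFLAG_EXTENDED_REFERENCES = 0x4
DFLAG_EXTENDED_PIDS_PORTS = 0x100

# The two match lines from the post, translated to Python bytes regexes.
MATCH_OK = re.compile(rb"^\0\x03sok\0.n\0\0.{8}(.*)", re.DOTALL)
MATCH_STATUS = re.compile(rb"^\0[^\x03]s(.*)", re.DOTALL)


def send_name(name: bytes, version: int = 0,
              flags: int = DFLAG_EXTENDED_REFERENCES | DFLAG_EXTENDED_PIDS_PORTS) -> bytes:
    """send_name: 2-byte length, 'n', 2-byte version, 4-byte flags, node name."""
    body = b"n" + struct.pack(">HI", version, flags) + name
    return struct.pack(">H", len(body)) + body


def status_packet(status: bytes) -> bytes:
    """recv_status: 2-byte length, 's', status string."""
    body = b"s" + status
    return struct.pack(">H", len(body)) + body


def challenge_packet(name: bytes, challenge: int, version: int = 0, flags: int = 0) -> bytes:
    """recv_challenge (version 0 layout): 'n', version, flags, 4-byte challenge, node name."""
    body = b"n" + struct.pack(">HII", version, flags, challenge) + name
    return struct.pack(">H", len(body)) + body


def parse_reply(data: bytes) -> dict:
    """Split the length-prefixed packets a node sends back to send_name.

    Returns {"status", "node", "challenge"}; node and challenge stay None
    unless the status is "ok" and the challenge packet has arrived.
    """
    packets = []
    off = 0
    while off + 2 <= len(data):
        (n,) = struct.unpack_from(">H", data, off)
        pkt = data[off + 2: off + 2 + n]
        if len(pkt) != n:
            raise ValueError("truncated packet")
        packets.append(pkt)
        off += 2 + n
    if not packets or packets[0][:1] != b"s":
        raise ValueError("first packet is not a status packet")
    result = {"status": packets[0][1:], "node": None, "challenge": None}
    if result["status"] == b"ok" and len(packets) > 1 and packets[1][:1] == b"n":
        pkt = packets[1]
        _version, _flags, challenge = struct.unpack_from(">HII", pkt, 1)
        result["challenge"] = challenge
        result["node"] = pkt[11:]          # 1 ('n') + 2 + 4 + 4 header bytes
    return result


def nmap_match(data: bytes) -> tuple:
    """Apply the post's two match lines in order; return (which, captured info)."""
    m = MATCH_OK.match(data)
    if m:
        return ("node", m.group(1))
    m = MATCH_STATUS.match(data)
    if m:
        return ("status", m.group(1))
    return (None, None)


# Constructed sample data (hypothetical node name, challenge and status).
PROBE = send_name(b"nm@p")
REPLY_OK = status_packet(b"ok") + challenge_packet(b"foo@yourhostname", 0xDEADBEEF)
REPLY_DENIED = status_packet(b"not_allowed")

if __name__ == "__main__":
    print(PROBE)
    print(parse_reply(REPLY_OK), nmap_match(REPLY_OK))
    print(parse_reply(REPLY_DENIED), nmap_match(REPLY_DENIED))
```

Feeding only the first "ok" status packet to nmap_match matches neither expression, which is the point the post makes about excluding length-3 status packets from the second match: if the challenge packet is delayed, the partial success reply is not misreported as an error status.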

