Re: Service probe for Hazelcast

[David Fifield <david () bamsoftware com>]

On Wed, Apr 03, 2013 at 10:16:43PM +0200, Pavel Kankovsky wrote:
> I have had a close encounter with Hazelcast
> (http://www.hazelcast.com/) recently. It is a very interesting piece
> of software and a gaping security hole: as far as I can tell, the
> default configuration allows anyone to connect to the network
> service and do all sorts of nasty things. The "enterprise edition"
> implements some security mechanisms that might restrict access but
> the open-source "community edition" lacks them.
>
> Nmap detects it as "memcached" because of its chameleon-like nature
> (any version >= 1.9-RC supports memcache and HTTP REST interface
> besides its native protocol) but I think its true identity deserves
> to be revealed.
>
> I have found two methods to detect Hazelcast: The first method relies on
> a feature of its HTTP REST interface that returns the current list
> of cluster nodes:
>
> ---snip---
> # Hazelcast In-Memory Data Grid >= 1.9-RC http://www.hazelcast.com/
> Probe TCP hazelcast q|GET /hazelcast/rest/cluster HTTP/1.0\r\n\r\n\r\n|
> rarity 9
> ports 5701-5709
> match hazelcast m|^HTTP/.*\nCluster \[[0-9]*\] {\n\tMember (.*)}|s p/Hazelcast/ i/nodes $SUBST(1,"\n\tMember",",")/
> ---snip---
>
> The other method is to probe its native protocol. This is quite easy
> and reliable (when the server receives three bytes reading "HZC", it
> sends the same three bytes back), but it does not extract any
> information about the service:
>
> ---snip---
> # Hazelcast In-Memory Data Grid >= 1.9-RC http://www.hazelcast.com/
> Probe TCP hazelcast q|HZC|
> rarity 9
> ports 5701-5709
> match hazelcast m|^HZC| p/Hazelcast/
> ---snip---

Thanks for this. Can you get us a service fingerprint as well? The way
to do this is to add your new Probes (but not their match lines) to
nmap-service-probes, and comment out the memcached match lines that are
already matching. You can find out the line numbers of the memcached
lines using -sV --version-trace --version-full.

You are looking for the block that starts with
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============

I am curious to see what the responses look like, because I might write
the match lines differently.

What's the reason for three \r\n in the first probe, rather than two?

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/