Nmap Development mailing list archives
Re: Service probe for Hazelcast
From: David Fifield <david () bamsoftware com>
Date: Tue, 9 Apr 2013 14:56:32 -0700
On Wed, Apr 03, 2013 at 10:16:43PM +0200, Pavel Kankovsky wrote:
I have had a close encounter with Hazelcast (http://www.hazelcast.com/) recently. It is a very interesting piece of software and a gaping security hole: as far as I can tell, the default configuration allows anyone to connect to the network service and do all sorts of nasty things. The "enterprise edition" implements some security mechanisms that might restrict access but the open-source "community edition" lacks them.

Nmap detects it as "memcached" because of its chameleon-like nature (any version >= 1.9-RC supports the memcache and HTTP REST interfaces besides its native protocol) but I think its true identity deserves to be revealed.

I have found two methods to detect Hazelcast:

The first method relies on a feature of its HTTP REST interface that returns the current list of cluster nodes:

---snip---
# Hazelcast In-Memory Data Grid >= 1.9-RC http://www.hazelcast.com/
Probe TCP hazelcast q|GET /hazelcast/rest/cluster HTTP/1.0\r\n\r\n\r\n|
rarity 9
ports 5701-5709
match hazelcast m|^HTTP/.*\nCluster \[[0-9]*\] {\n\tMember (.*)}|s p/Hazelcast/ i/nodes $SUBST(1,"\n\tMember",",")/
---snip---

The other method is to probe its native protocol. This is quite easy and reliable (when the server receives three bytes reading "HZC", it sends the same three bytes back), but it does not extract any information about the service:

---snip---
# Hazelcast In-Memory Data Grid >= 1.9-RC http://www.hazelcast.com/
Probe TCP hazelcast q|HZC|
rarity 9
ports 5701-5709
match hazelcast m|^HZC| p/Hazelcast/
---snip---
Thanks for this. Can you get us a service fingerprint as well? The way to do this is to add your new Probes (but not their match lines) to nmap-service-probes, and comment out the memcached match lines that are already matching. You can find out the line numbers of the memcached lines using -sV --version-trace --version-full. You are looking for the block that starts with

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============

I am curious to see what the responses look like, because I might write the match lines differently.

What's the reason for three \r\n in the first probe, rather than two?

David Fifield
Current thread:
- Service probe for Hazelcast Pavel Kankovsky (Apr 03)
- Re: Service probe for Hazelcast David Fifield (Apr 09)
- Re: Service probe for Hazelcast Pavel Kankovsky (Apr 11)
- Re: Service probe for Hazelcast David Fifield (Apr 27)
- Re: Service probe for Hazelcast Pavel Kankovsky (Apr 11)
- Re: Service probe for Hazelcast David Fifield (Apr 09)