Nmap Development mailing list archives

Re: [NSE] nrpe-enum running on 22/tcp
From: Patrick Donnelly <batrick () batbytes com>
Date: Mon, 31 Jan 2011 13:04:05 -0500

On Mon, Jan 31, 2011 at 11:16 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
> Hey all,
>
> When running nmap with --script '*', I saw that what I expected to be
> an SSH server was being detected as "nrpe" with bogus results for the
> script, similar to this:
>
> 22/tcp    open     nrpe                 Nagios Remote Plugin Executor
> 4.7p1 (protocol 1.99)
> | nrpe-enum:
> | Command             State  Response
> | check_hda1          nil    penSSH_4.7p1
> | check_load          nil    penSSH_4.7p1
> | check_total_procs   nil    penSSH_4.7p1
> | check_users         nil    penSSH_4.7p1
> |_check_zombie_procs  nil    penSSH_4.7p1
>
> Obviously, this is actually an SSH server, as evidenced by the OpenSSH
> banner. nrpe-enum.nse has this portrule:
>
> portrule = function(host, port)
>        return shortport.port_or_service(5666, "nrpe")

This is a bug. It should be:

portrule = shortport.port_or_service(5666, "nrpe")

See: http://nmap.org/nsedoc/lib/shortport.html#port_or_service

- Patrick Donnelly
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
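The portrule bug discussed in this thread, as an added example that is not code from either poster or from the Nmap source: it shows why the quoted rule matches every port, and how a small check can flag a rule that returns a function instead of a boolean. Assumptions: `port_or_service` here is a simplified stand-in for `shortport.port_or_service`, `audit` is a hypothetical helper, and the sample ports and address are constructed.

```lua
-- Simplified stand-in for shortport.port_or_service (assumption: the real
-- function also filters on protocol and port state). Like the real one, it
-- RETURNS a rule function rather than a boolean.
local function port_or_service(number, service)
  return function(host, port)
    return port.number == number or port.service == service
  end
end

-- Rule as quoted in the report: the closure built by port_or_service is
-- returned as the rule's result, and any function value is truthy in Lua.
local buggy_portrule = function(host, port)
  return port_or_service(5666, "nrpe")
end

-- Corrected rule: the function returned by port_or_service *is* the portrule.
local fixed_portrule = port_or_service(5666, "nrpe")

-- Hypothetical audit helper: run a rule over sample ports and flag any result
-- that is neither boolean nor nil, which indicates the rule handed back a
-- closure instead of evaluating it.
local function audit(name, rule, ports)
  for _, port in ipairs(ports) do
    local result = rule({ip = "192.0.2.10"}, port)
    local verdict = result and "match" or "no match"
    if type(result) ~= "boolean" and type(result) ~= "nil" then
      verdict = verdict .. " (suspicious: rule returned a " .. type(result) .. ")"
    end
    print(string.format("%-5s %5d/%-3s %-5s %s",
      name, port.number, port.protocol, port.service, verdict))
  end
end

-- Constructed sample ports: an SSH port, the default NRPE port, and NRPE
-- detected by service name on a non-default port.
local ports = {
  {number = 22,   protocol = "tcp", service = "ssh"},
  {number = 5666, protocol = "tcp", service = "nrpe"},
  {number = 8080, protocol = "tcp", service = "nrpe"},
}

audit("buggy", buggy_portrule, ports)
audit("fixed", fixed_portrule, ports)
```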
