Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] nrpe-enum running on 22/tcp
From: David Fifield <david () bamsoftware com>
Date: Tue, 1 Feb 2011 13:27:06 -0800

On Mon, Jan 31, 2011 at 01:04:05PM -0500, Patrick Donnelly wrote:
On Mon, Jan 31, 2011 at 11:16 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
Hey all,

When running nmap with --script '*', I saw that what I expected to be
an SSH server was being detected as "nrpe" with bogus results for the
script, similar to this:

22/tcp    open     nrpe                 Nagios Remote Plugin Executor
4.7p1 (protocol 1.99)
| nrpe-enum:
| Command             State  Response
| check_hda1          nil    penSSH_4.7p1
|
| check_load          nil    penSSH_4.7p1
|
| check_total_procs   nil    penSSH_4.7p1
|
| check_users         nil    penSSH_4.7p1
|
|_check_zombie_procs  nil    penSSH_4.7p1

Obviously, this is actually an SSH server, as evidenced by the OpenSSH
banner. nrpe-enum.nse has this portrule:

portrule = function(host, port)
       return shortport.port_or_service(5666, "nrpe")
end

This is a bug. It should be:

portrule = shortport.port_or_service(5666, "nrpe")

Good eye. I just fixed it.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]