Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Service probe for Hazelcast
From: David Fifield <david () bamsoftware com>
Date: Tue, 9 Apr 2013 14:56:32 -0700

On Wed, Apr 03, 2013 at 10:16:43PM +0200, Pavel Kankovsky wrote:
I have had a close encounter with Hazelcast
(http://www.hazelcast.com/) recently. It is a very interesting piece
of software and a gaping security hole: as far as I can tell, the
default configuration allows anyone to connect to the network
service and do all sorts of nasty things. The "enterprise edition"
implements some security mechanisms that might restrict access but
the open-source "community edition" lacks them.

Nmap detects it as "memcached" because of its chameleon-like nature
(any version >= 1.9-RC supports memcache and HTTP REST interface
besides its native protocol) but I think its true identity deserves
to be revealed.

I have found two methods to detect Hazelcast: The first method relies on
a feature of its HTTP REST interface that returns the current list
of cluster nodes:

# Hazelcast In-Memory Data Grid >= 1.9-RC http://www.hazelcast.com/
Probe TCP hazelcast q|GET /hazelcast/rest/cluster HTTP/1.0\r\n\r\n\r\n|
rarity 9
ports 5701-5709
match hazelcast m|^HTTP/.*\nCluster \[[0-9]*\] {\n\tMember (.*)}|s p/Hazelcast/ i/nodes $SUBST(1,"\n\tMember",",")/

The other method is to probe its native protocol. This is quite easy
and reliable (when the server receives three bytes reading "HZC", it
sends the same three bytes back), but it does not extract any
information about the service:

# Hazelcast In-Memory Data Grid >= 1.9-RC http://www.hazelcast.com/
Probe TCP hazelcast q|HZC|
rarity 9
ports 5701-5709
match hazelcast m|^HZC| p/Hazelcast/

Thanks for this. Can you get us a service fingerprint as well? The way
to do this is to add your new Probes (but not their match lines) to
nmap-service-probes, and comment out the memcached match lines that are
already matching. You can find out the line numbers of the memcached
lines using -sV --version-trace --version-full.

You are looking for the block that starts with

I am curious to see what the responses look like, because I might write
the match lines differently.

What's the reason for three \r\n in the first probe, rather than two?

David Fifield
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]