Nmap Development mailing list archives

Service probe for Hazelcast


From: Pavel Kankovsky <kan () dcit cz>
Date: Wed, 3 Apr 2013 22:16:43 +0200 (CEST)

Dear Nmap developers,

I have had a close encounter with Hazelcast (http://www.hazelcast.com/) recently. It is a very interesting piece of software and a gaping security hole: as far as I can tell, the default configuration allows anyone to connect to the network service and do all sorts of nasty things. The "enterprise edition" implements some security mechanisms that might restrict access but the open-source "community edition" lacks them.

Nmap detects it as "memcached" because of its chameleon-like nature (any version >= 1.9-RC supports memcache and HTTP REST interface besides its native protocol) but I think its true identity deserves to be revealed.

I have found two methods to detect Hazelcast: The first method relies on a feature of its HTTP REST interface that returns the current list of cluster nodes:

---snip---
# Hazelcast In-Memory Data Grid >= 1.9-RC http://www.hazelcast.com/
Probe TCP hazelcast q|GET /hazelcast/rest/cluster HTTP/1.0\r\n\r\n\r\n|
rarity 9
ports 5701-5709
match hazelcast m|^HTTP/.*\nCluster \[[0-9]*\] {\n\tMember (.*)}|s p/Hazelcast/ i/nodes $SUBST(1,"\n\tMember",",")/
---snip---

The other method is to probe its native protocol. This is quite easy and reliable (when the server receives three bytes reading "HZC", it sends the same three bytes back), but it does not extract any information about the service:

---snip---
# Hazelcast In-Memory Data Grid >= 1.9-RC http://www.hazelcast.com/
Probe TCP hazelcast q|HZC|
rarity 9
ports 5701-5709
match hazelcast m|^HZC| p/Hazelcast/
---snip---


--
Pavel Kankovsky

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
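
The two match lines from the message, applied offline to already-captured probe responses (for example when re-checking inventory entries labelled "memcached"). This is an added Python example, not part of the original message or of Nmap; the sample responses are constructed from the shape the regular expression expects, and `classify` and `subst` are hypothetical helper names.

```python
import re

# Python translations of the two match lines in the message.
# re.S mirrors the trailing "s" flag on the first match line.
REST_MATCH = re.compile(rb"^HTTP/.*\nCluster \[[0-9]*\] \{\n\tMember (.*)\}", re.S)
NATIVE_MATCH = re.compile(rb"^HZC")

# Constructed sample: a reply to GET /hazelcast/rest/cluster (documentation addresses).
SAMPLE_REST = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"Cluster [2] {\n\tMember [192.0.2.10]:5701 this\n\tMember [192.0.2.11]:5701\n}\n"
)


def subst(value: bytes, old: bytes, new: bytes) -> bytes:
    """Same effect as Nmap's $SUBST(n, old, new): replace every occurrence."""
    return value.replace(old, new)


def classify(probe: str, response: bytes):
    """Return (product, info) if the response matches the given probe, else None.

    probe is "rest" for the HTTP REST probe and "native" for the HZC probe.
    """
    if probe == "rest":
        m = REST_MATCH.search(response)
        if m:
            nodes = subst(m.group(1), b"\n\tMember", b",")
            # Trailing newline trimmed for display; that is this example's choice.
            return ("Hazelcast", "nodes " + nodes.decode("latin-1").rstrip())
    elif probe == "native":
        # The native check only confirms the three-byte echo; no details are extracted.
        if NATIVE_MATCH.search(response):
            return ("Hazelcast", None)
    return None


if __name__ == "__main__":
    print(classify("rest", SAMPLE_REST))
    print(classify("native", b"HZC"))
    print(classify("native", b"ERROR\r\n"))  # constructed non-Hazelcast reply
```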