
http-mcmp NSE Script

2016-06-25 19:23:26
Frank Spierings
nmap.org
CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High (Percentile: 99.8%)

Checks whether the web server allows mod_cluster management protocol (MCMP) methods.

The script sends an MCMP PING message to determine protocol support, then issues the DUMP command to dump the current configuration seen by mod_cluster_manager.

References:

* https://developer.jboss.org/wiki/Mod-ClusterManagementProtocol

Script Arguments

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -sV --script=http-mcmp <target>

Script Output

| http-mcmp:
|   status: Mod_cluster Management Protocol enabled
|   version: 1.2.0.Final
|   dump:
| balancer: [1] Name: mycluster Sticky: 1 [JSESSIONID]/[jsessionid] remove: 0 force: 0 Timeout: 0 maxAttempts: 1
| node: [1:1],Balancer: mycluster,JVMRoute: 2ca5eb39-053e-336f-8708-85f753a3adf2,LBGroup: [],Host: 155.250.130.22,Port: 11000,Type: http,flushpackets: 0,flushwait: 10,ping: 10,smax: 1,ttl: 60,timeout: 0
| node: [2:2],Balancer: mycluster,JVMRoute: 3fef9557-32f8-309f-9b9a-af1e6951ee17,LBGroup: [],Host: 155.250.130.21,Port: 11000,Type: http,flushpackets: 0,flushwait: 10,ping: 10,smax: 1,ttl: 60,timeout: 0
| host: 1 [localhost] vhost: 1 node: 1
| host: 2 [localhost] vhost: 1 node: 2
| context: 1 [/stisvc] vhost: 1 node: 1 status: 1
|_context: 2 [/stisvc] vhost: 1 node: 2 status: 1


<elem key="status">Mod_cluster Management Protocol enabled</elem>
<elem key="version">1.3.1.Final</elem>
<elem key="dump">
balancer: [1] Name: seta-cluster-jboss Sticky: 1 [JSESSIONID]/[jsessionid] remove: 0 force: 0 Timeout: 0 maxAttempts: 1
node: [1:1],Balancer: seta-cluster-jboss,JVMRoute: sv-seta-sas-jb1,LBGroup: [],Host: 10.20.98.38,Port: 8009,Type: ajp,flushpackets: 0,flushwait: 10,ping: 10,smax: 2,ttl: 60,timeout: 0
node: [2:2],Balancer: seta-cluster-jboss,JVMRoute: sv-seta-sas-jb2,LBGroup: [],Host: 10.20.98.39,Port: 8009,Type: ajp,flushpackets: 0,flushwait: 10,ping: 10,smax: 2,ttl: 60,timeout: 0
host: 1 [example.com] vhost: 1 node: 1
host: 2 [localhost] vhost: 1 node: 1
host: 3 [default-host] vhost: 1 node: 1
host: 4 [example.com] vhost: 1 node: 2
host: 5 [localhost] vhost: 1 node: 2
host: 6 [default-host] vhost: 1 node: 2
context: 1 [/cgs] vhost: 1 node: 1 status: 1
context: 2 [/RequisicaoSeta] vhost: 1 node: 1 status: 1
context: 3 [/prodex-ensaio] vhost: 1 node: 1 status: 1
context: 4 [/gestordeacessos] vhost: 1 node: 1 status: 1
</elem>
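As an added example, not code from the script or from the nmap.org page, the following Python mirrors the two checks the script performs (an HTTP 200 PING reply whose body carries Type=PING-RSP, and the mod_cluster version match on the Server header) and parses the line-oriented DUMP body shown in the script output above into balancer, node, host and context records. Turning the dump into structured data makes it plain what an exposed MCMP endpoint discloses to anyone who can reach it: backend node addresses and ports, JVM routes and deployed context paths, which is the inventory a defender wants when deciding whether the management endpoint should be reachable from that network at all. The function names (parse_dump, is_mcmp_ping_response, mod_cluster_version, backend_endpoints, context_paths) are this example's own; the sample DUMP text is the one printed in the script output above, and the Server header string used in the usage section is constructed.

```python
import re

# Constructed sample input: the DUMP body reproduced from the script output
# shown above; no other capture is involved.
SAMPLE_DUMP = """\
balancer: [1] Name: mycluster Sticky: 1 [JSESSIONID]/[jsessionid] remove: 0 force: 0 Timeout: 0 maxAttempts: 1
node: [1:1],Balancer: mycluster,JVMRoute: 2ca5eb39-053e-336f-8708-85f753a3adf2,LBGroup: [],Host: 155.250.130.22,Port: 11000,Type: http,flushpackets: 0,flushwait: 10,ping: 10,smax: 1,ttl: 60,timeout: 0
node: [2:2],Balancer: mycluster,JVMRoute: 3fef9557-32f8-309f-9b9a-af1e6951ee17,LBGroup: [],Host: 155.250.130.21,Port: 11000,Type: http,flushpackets: 0,flushwait: 10,ping: 10,smax: 1,ttl: 60,timeout: 0
host: 1 [localhost] vhost: 1 node: 1
host: 2 [localhost] vhost: 1 node: 2
context: 1 [/stisvc] vhost: 1 node: 1 status: 1
context: 2 [/stisvc] vhost: 1 node: 2 status: 1
"""

# Python rendering of the Lua pattern the script applies to the Server header.
VERSION_RE = re.compile(r"mod_cluster/(\d[\w.\-]*)")
# One regex per DUMP record type, matched against the text after "<kind>: ".
BALANCER_RE = re.compile(r"\[(\d+)\] Name: (\S+) Sticky: (\d)")
NODE_RE = re.compile(r"\[(\d+):(\d+)\],(.*)")
HOST_RE = re.compile(r"(\d+) \[([^\]]*)\] vhost: (\d+) node: (\d+)")
CONTEXT_RE = re.compile(r"(\d+) \[([^\]]*)\] vhost: (\d+) node: (\d+) status: (\d+)")


def is_mcmp_ping_response(status, body):
    """The same test the NSE script applies: HTTP 200 and a PING-RSP body."""
    return status == 200 and "Type=PING-RSP" in body


def mod_cluster_version(server_header):
    """Extract the mod_cluster version from a Server header value, or None."""
    m = VERSION_RE.search(server_header or "")
    return m.group(1) if m else None


def parse_dump(text):
    """Parse the DUMP body into balancer/node/host/context records."""
    result = {"balancers": [], "nodes": [], "hosts": [], "contexts": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(": ")
        if kind == "balancer":
            m = BALANCER_RE.match(rest)
            if m:
                result["balancers"].append(
                    {"id": int(m.group(1)), "name": m.group(2), "sticky": m.group(3) == "1"})
        elif kind == "node":
            m = NODE_RE.match(rest)
            if m:
                # The node line is a comma-separated list of "Key: value" pairs.
                fields = {}
                for kv in m.group(3).split(","):
                    k, _, v = kv.partition(": ")
                    fields[k] = v
                port = fields.get("Port", "")
                result["nodes"].append({
                    "id": int(m.group(1)),
                    "balancer": fields.get("Balancer"),
                    "jvmroute": fields.get("JVMRoute"),
                    "host": fields.get("Host"),
                    "port": int(port) if port.isdigit() else None,
                    "type": fields.get("Type"),
                })
        elif kind == "host":
            m = HOST_RE.match(rest)
            if m:
                result["hosts"].append({"id": int(m.group(1)), "alias": m.group(2),
                                        "vhost": int(m.group(3)), "node": int(m.group(4))})
        elif kind == "context":
            m = CONTEXT_RE.match(rest)
            if m:
                result["contexts"].append({"id": int(m.group(1)), "path": m.group(2),
                                           "vhost": int(m.group(3)), "node": int(m.group(4)),
                                           "enabled": m.group(5) == "1"})
    return result


def backend_endpoints(parsed):
    """Distinct backend host:port pairs the DUMP discloses, sorted for stable output."""
    seen = {f"{n['host']}:{n['port']}" for n in parsed["nodes"] if n["host"] and n["port"]}
    return sorted(seen)


def context_paths(parsed):
    """Distinct deployed context paths the DUMP discloses."""
    return sorted({c["path"] for c in parsed["contexts"]})


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    print("backends:", backend_endpoints(parsed))
    print("contexts:", context_paths(parsed))
    # Constructed Server header value for illustration only.
    print("version:", mod_cluster_version("Apache/2.2.15 (Unix) mod_cluster/1.2.0.Final"))
```

Run as a script it prints the two backend endpoints and the single /stisvc context from the sample; feed it the body of a DUMP reply from a host you administer and the same functions give you the list of internal addresses and applications that the endpoint is revealing, which is the concrete argument for restricting MCMP to the worker subnet.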

Requires: stdnse, shortport, http, nmap, table

description = [[
Checks if the webserver allows mod_cluster management protocol (MCMP) methods.

The script sends a MCMP PING message to determine protocol support, then issues
the DUMP command to dump the current configuration seen by mod_cluster_manager.

References:

* https://developer.jboss.org/wiki/Mod-ClusterManagementProtocol
]]

---
-- @output
-- | http-mcmp:
-- |   status: Mod_cluster Management Protocol enabled
-- |   version: 1.2.0.Final
-- |   dump:
-- | balancer: [1] Name: mycluster Sticky: 1 [JSESSIONID]/[jsessionid] remove: 0 force: 0 Timeout: 0 maxAttempts: 1
-- | node: [1:1],Balancer: mycluster,JVMRoute: 2ca5eb39-053e-336f-8708-85f753a3adf2,LBGroup: [],Host: 155.250.130.22,Port: 11000,Type: http,flushpackets: 0,flushwait: 10,ping: 10,smax: 1,ttl: 60,timeout: 0
-- | node: [2:2],Balancer: mycluster,JVMRoute: 3fef9557-32f8-309f-9b9a-af1e6951ee17,LBGroup: [],Host: 155.250.130.21,Port: 11000,Type: http,flushpackets: 0,flushwait: 10,ping: 10,smax: 1,ttl: 60,timeout: 0
-- | host: 1 [localhost] vhost: 1 node: 1
-- | host: 2 [localhost] vhost: 1 node: 2
-- | context: 1 [/stisvc] vhost: 1 node: 1 status: 1
-- |_context: 2 [/stisvc] vhost: 1 node: 2 status: 1
--
--
--<elem key="status">Mod_cluster Management Protocol enabled</elem>
--<elem key="version">1.3.1.Final</elem>
--<elem key="dump">&#xa;balancer: [1] Name: seta-cluster-jboss Sticky: 1 [JSESSIONID]/[jsessionid] remove: 0 force: 0 Timeout: 0 maxAttempts: 1&#xa;node: [1:1],Balancer: seta-cluster-jboss,JVMRoute: sv-seta-sas-jb1,LBGroup: [],Host: 10.20.98.38,Port: 8009,Type: ajp,flushpackets: 0,flushwait: 10,ping: 10,smax: 2,ttl: 60,timeout: 0&#xa;node: [2:2],Balancer: seta-cluster-jboss,JVMRoute: sv-seta-sas-jb2,LBGroup: [],Host: 10.20.98.39,Port: 8009,Type: ajp,flushpackets: 0,flushwait: 10,ping: 10,smax: 2,ttl: 60,timeout: 0&#xa;host: 1 [example.com] vhost: 1 node: 1&#xa;host: 2 [localhost] vhost: 1 node: 1&#xa;host: 3 [default-host] vhost: 1 node: 1&#xa;host: 4 [example.com] vhost: 1 node: 2&#xa;host: 5 [localhost] vhost: 1 node: 2&#xa;host: 6 [default-host] vhost: 1 node: 2&#xa;context: 1 [/cgs] vhost: 1 node: 1 status: 1&#xa;context: 2 [/RequisicaoSeta] vhost: 1 node: 1 status: 1&#xa;context: 3 [/prodex-ensaio] vhost: 1 node: 1 status: 1&#xa;context: 4 [/gestordeacessos] vhost: 1 node: 1 status: 1&#xa;</elem>

author = "Frank Spierings"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

local stdnse = require "stdnse"
local shortport = require "shortport"
local http = require "http"
local nmap = require "nmap"
local table = require "table"

portrule = shortport.http

action = function(host, port)
  local output = stdnse.output_table()
  local response = http.generic_request(host, port, 'PING', '/')
  if (response.status == 200 and http.response_contains(response, "Type=PING%-RSP")) then
    output.status = 'Mod_cluster Management Protocol enabled'
    if response.header.server then
      local version = response.header.server:match('mod_cluster/(%d[%w%._%-]*)')
      if version then
        output.version = version
        local cpe_found = false
        port.version.cpe = port.version.cpe or {}
        for _, cpe in ipairs(port.version.cpe) do
          cpe_found = cpe:match('mod_cluster')
          if cpe_found then break end
        end
        if not cpe_found then
          table.insert(port.version.cpe, ("cpe:/a:redhat:mod_cluster:%s"):format(version))
          nmap.set_port_version(host, port, "hardmatched")
        end
      end
    end
    response = http.generic_request(host, port, 'DUMP', '/')
    if (response.status == 200) then
      output.dump = "\n" .. response.body
    end
    return output
  end
end
