Nmap Development mailing list archives
[NSE script] SSH2 hostkey
From: Sven Klemm <sven () c3d2 de>
Date: Tue, 05 Aug 2008 16:35:48 +0200
Hiattached to this mail you can find a script that shows the rsa and das host keys of ssh2 ssh daemons.
The script requires the nse openssl bindings, the nse pack/unpack library and the base64 library.
Sample output: ./nmap --script SSH2-hostkey -p 22 localhost Starting Nmap 4.68 ( http://nmap.org ) at 2008-08-05 16:34 CEST Interesting ports on localhost (127.0.0.1): PORT STATE SERVICE 22/tcp open ssh| SSH2-Hostkey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwVuv2gcr0maaKQ69VVIEv2ob4OxnuI64fkeOnCXD1lUx5tTA+vefXUWEMxgMuA7iX4irJHy2zer0NQ3Z3yJvr5scPgTYIaEOp5Uo/eGFG9Agpk5wE8CoF0e47iCAPHqzlmP2V7aNURLMODb3jVZuI07A2ZRrMGrD8d888E2ORVORv1rYeTYCqcMMoVFmX9l3gWEdk4yx3w5sD8v501Iuyd1v19mPfyhrI5E1E1nl/Xjp5N0/xP2GUBrdkDMxKaxqTPMie/f0dXBUPQQN697a5q+5lBRPhKYOtn6yQKCd9s1Q22nxn72Jmi1RzbMyYJ52FosDT755Qmb46GLrDMaZMQ== |_ ssh-dss AAAAB3NzaC1kc3MAAACBAJD6ApUbSAGL/jKRaxE0QQLGB3eH7sEPxAFYhWz1nEiwOIh50ONd0Nr2UAFsQlYvnk7Bchx7tElWP57eHpyr9BWZwFOTQQAEM77dKNbUzqQhoSppRqnbFjErTp/PnvwY95M05Kdm98MnxA6ngE4Nz8C0eL69sm/oFRQ6ahGmWcSLAAAAFQCW+NG4KsuIgk/9LuuKmUy/9MMQ1wAAAIA8vwBaH5evPRJi1rmo/QGhJiC8iQCnwbXqwnJGVIWFvYuofQCERs0xzfcrMOi8J3AMd1qhOjUC0YTg6xXtxPlW3Un7cmLcia3IVPUewjsNfLUIQ6TVXqAP8yU9elSE39zrBNrC0o30K2fMDB/ngn+ml/G9gd0/W0XStfx8svglsQAAAIEAgXXWoZej/rbTwTd61Gz+XpLwwqJkPT9EHgPVSVRD399BN3zxP9ghib+K9c6snavFvhWxrTgU/ZZZmiyOwOMcltp08REErOj5U54dzM/hYbYio0Ke83y1/llnFwoOimCHdJ0NSr/a69ZudNN3j8651ufIp13kDETBmEMMCGy8OqY=
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds Cheers, Sven -- Sven Klemm http://cthulhu.c3d2.de/~sven/
id = "SSH2-Hostkey" author = "Sven Klemm <sven () c3d2 de>" description = "Show SSH2 Hostkey" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"; categories = {"safe"} require("stdnse") require("shortport") require("openssl") require("bin") require("base64") portrule = shortport.port_or_service(22, "ssh") local ssh2 ssh2 = { transport = { build = function( payload ) local packet_length, padding_length padding_length = 8 - ( (payload:len() + 1 + 4 ) % 8 ) packet_length = payload:len() + padding_length + 1 return bin.pack( ">IcAA", packet_length, padding_length, payload, openssl.rand_pseudo_bytes( padding_length ) ) end, payload = function( packet ) local packet_length, padding_length, payload_length, payload, offset offset, packet_length, padding_length = bin.unpack( ">Ic", packet ) payload_length = packet_length - padding_length - 1 offset, payload = bin.unpack( ">A" .. payload_length, packet, offset ) return payload end, dh_gex_request = function( min, opt, max ) return bin.pack( ">cIII", 34, min, opt, max ) end, kexdh_init = function( e ) return bin.pack( ">cIA", 30, e:num_bytes(), e:to_bin() ) end, kex_init = function( cookie, options ) options = options or {} kex_algorithms = "diffie-hellman-group1-sha1" host_key_algorithms = options['host_key_algorithms'] or "ssh-dss,ssh-rsa" encryption_algorithms = "aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr" mac_algorithms = "hmac-md5,hmac-sha1,hmac-ripemd160" compression_algorithms = "none" languages = "" local payload = bin.pack( ">cAaa", 20, cookie, kex_algorithms, host_key_algorithms ) payload = payload .. bin.pack( ">aa", encryption_algorithms, encryption_algorithms ) payload = payload .. bin.pack( ">aa", mac_algorithms, mac_algorithms ) payload = payload .. bin.pack( ">aa", compression_algorithms, compression_algorithms ) payload = payload .. bin.pack( ">aa", languages, languages ) payload = payload .. bin.pack( ">cI", 0, 0 ) return payload end }, fetch_host_key = function( host, port, key_type ) local socket = nmap.new_socket() local catch = function() socket:close() end local try = nmap.new_try(catch) -- oakley group 2 prime taken from rfc 2409 local prime = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF" try(socket:connect(host.ip, port.number)) -- fetch banner try(socket:receive_lines(1)) -- send our banner try(socket:send("SSH-2.0-Nmap-SSH2-Hostkey\r\n")) local cookie = openssl.rand_bytes( 16 ) local packet = ssh2.transport.build( ssh2.transport.kex_init( cookie, {host_key_algorithms=key_type} ) ) try(socket:send( packet )) local kex_init = try(socket:receive()) kex_init = ssh2.transport.payload( kex_init ) -- check for proper msg code if kex_init:byte(1) ~= 20 then return end local e, g, x, p -- e = g^x mod p g = openssl.bignum_dec2bn( "2" ) p = openssl.bignum_hex2bn( prime ) x = openssl.bignum_pseudo_rand( 1024 ) e = openssl.bignum_mod_exp( g, p, x ) packet = ssh2.transport.build( ssh2.transport.kexdh_init( e ) ) try(socket:send( packet )) local kexdh_reply = try(socket:receive()) kexdh_reply = ssh2.transport.payload( kexdh_reply ) -- check for proper msg code if kexdh_reply:byte(1) ~= 31 then return end local public_host_key _, _, public_host_key = bin.unpack( ">ca", kexdh_reply ) return public_host_key end } action = function(host, port) local output = "" local rsa_key = ssh2.fetch_host_key( host, port, "ssh-rsa" ) if rsa_key then output = "ssh-rsa " .. base64.enc( rsa_key ) .. '\n' end local dsa_key = ssh2.fetch_host_key( host, port, "ssh-dss" ) if dsa_key then output = output .. "ssh-dss " .. base64.enc( dsa_key ) end return output end
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [NSE script] SSH2 hostkey Sven Klemm (Aug 05)
- Re: [NSE script] SSH2 hostkey Brandon Enright (Aug 05)
- Re: [NSE script] SSH2 hostkey Sven Klemm (Aug 05)
- Re: [NSE script] SSH2 hostkey Brandon Enright (Aug 05)