Nmap Development mailing list archives

Inconsistent results from nmap --script=ssh-hostkey.nse


From: Terrance Roddy <Terrance.Roddy () walmart com>
Date: Wed, 15 Apr 2015 18:46:48 +0000

I am using your excellent nmap tool for internal penetration testing of (segments of) our enormous internal network.

I recently encountered a situation where the identical nmap command returns different results, and even the results that return are sometimes malformed.

Platform information:

      I am running my tests from Kali Linux 1.0.9
      nmap -V
      Nmap version 6.47 ( http://nmap.org )
      Platform: i686-pc-linux-gnu
      Compiled with: nmap-liblua-5.2.3 openssl-1.0.13 libpcre-8.30 libpcap-1.3.0 nmap-libdnet-1.12 ipvx
      Compiled without:
      Available nsock engines: epoll poll select


I am running this against an entire list of IP addresses, but have simplified it down to a single address:

sudo nmap -script=ssh-hostkey.nse -sS -sV --open \
        -p T:22,T:1026,T:1027,T:1028,T:1029,T:1030,T:1033,T:1035,T:2000,T:5060 \
        29.161.17.1

Two consecutive runs produced the following (URL-Obfuscated) outputs:

      Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-15 09:18 CDT
      Nmap scan report for Obfuscated.URL.com (29.161.17.1)
      Host is up (0.15s latency).
      Not shown: 8 closed ports
      PORT     STATE  SERVICE   VERSION
      22/tcp   open   ssh       Cisco SSH 1.25 (protocol 2.0)
      | ssh-hostkey:
      |   1024 c2:e5:67:b5:4a:cc:2c:eb:7c:98:c6:7d:16:21:d5:df (RSA)
      5060/tcp open   sip-proxy Cisco SIP Gateway (IOS 12.x)
      Service Info: OS: IOS; Device: router; CPE: cpe:/o:cisco:ios

      Service detection performed. Please report any incorrect results at http://nmap.org/submit
      Nmap done: 1 IP address (1 host up) scanned in 28.86 seconds


      Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-15 09:19 CDT
      Nmap scan report for Obfuscated.URL.com (29.161.17.1)
      Host is up (0.15s latency).
      Not shown: 8 closed ports
      PORT     STATE  SERVICE   VERSION
      22/tcp   open   ssh       Cisco SSH 1.25 (protocol 2.0)
      | ssh-hostkey:
      5060/tcp open   sip-proxy Cisco SIP Gateway (IOS 12.x)
      Service Info: OS: IOS; Device: router; CPE: cpe:/o:cisco:ios

      Service detection performed. Please report any incorrect results at http://nmap.org/submit
      Nmap done: 1 IP address (1 host up) scanned in 28.59 seconds


Whether or not the RSA (and for that matter, the DSA) key-signature is returned seems to be entirely random.

Very rarely, the script fails at that point with an error (which appears in some of the bug-feedback threads):
      |_ssh-hostkey: ERROR: Script execution failed (use -d to debug)

However, none of the commentary about the ssh-hostkey.nse ERROR includes any information about random failure to display one or both hostkey signatures.

I have tried running without the --open (same result, more noise in output), and with the -d flag (much output that I do not understand, but essentially the same key result: sometimes the key is displayed, sometimes not).

Since I am performing these tests on a restricted-access secure environment, I have difficulty copying the debug output into this email (all samples above were hand-typed from visible screen displays), but could probably find a way to do that if it would honestly be helpful.

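As an added example (not from the original report, and not Nmap's own code): a small Python parser for the normal-output format quoted above. Given several saved runs of the same scan, it records which runs listed a key fingerprint, which showed an empty ssh-hostkey block, and which hit the script ERROR, so that an absent fingerprint is recorded as an unverified check rather than as "host has no key". The three sample runs are constructed from the outputs shown in the report.

```python
import re

# Constructed samples modelled on the outputs quoted in the report: a run that
# lists the key, a run with an empty block, and the rare script ERROR form.
RUN_A = """22/tcp   open   ssh       Cisco SSH 1.25 (protocol 2.0)
| ssh-hostkey:
|_  1024 c2:e5:67:b5:4a:cc:2c:eb:7c:98:c6:7d:16:21:d5:df (RSA)
5060/tcp open   sip-proxy Cisco SIP Gateway (IOS 12.x)
"""
RUN_B = """22/tcp   open   ssh       Cisco SSH 1.25 (protocol 2.0)
| ssh-hostkey:
"""
RUN_C = """22/tcp   open   ssh       Cisco SSH 1.25 (protocol 2.0)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
"""

PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\b")
KEY_LINE = re.compile(r"^\|[_ ]\s*(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2})+)\s+\((\w+)\)")

def parse_hostkeys(output: str) -> dict[str, set[str]]:
    """Port -> keys in its ssh-hostkey block; empty set if the block is empty, {"ERROR"} on script error."""
    keys: dict[str, set[str]] = {}
    port = None
    for line in output.splitlines():
        if m := PORT_LINE.match(line):
            port = m.group(1)             # script output lines follow their port line
        elif port and line.startswith("|") and "ssh-hostkey:" in line:
            keys.setdefault(port, set())
            if "ERROR" in line:
                keys[port].add("ERROR")
        elif port in keys and (m := KEY_LINE.match(line)):
            keys[port].add(f"{m.group(3)} {m.group(1)} {m.group(2)}")
    return keys

def audit_runs(runs: list[str], port: str = "22/tcp") -> dict:
    """Collect every key seen across runs and flag runs where the key was absent or the script errored."""
    seen: set[str] = set()
    missing, errored = [], []
    for i, out in enumerate(runs):
        got = parse_hostkeys(out).get(port, set())
        if "ERROR" in got:
            errored.append(i)
        elif not got:
            missing.append(i)
        else:
            seen |= got
    return {"keys": seen, "missing_runs": missing, "error_runs": errored,
            "consistent": not missing and not errored}
```

Feed it the saved output of each repeated scan (one string per run); any run listed under missing_runs or error_runs needs to be re-run before the fingerprint set is trusted.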
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/