Nmap Development mailing list archives
Inconsistent results from nmap --script=ssh-hostkey.nse
From: Terrance Roddy <Terrance.Roddy () walmart com>
Date: Wed, 15 Apr 2015 18:46:48 +0000
I am using your excellent nmap tool for internal penetration testing of (segments of) our enormous internal network. I recently encountered a situation where the identical nmap command returns different results, and even the results that return are sometimes malformed.

Platform information: I am running my tests from Kali Linux 1.0.9

nmap -V
Nmap version 6.47 ( http://nmap.org )
Platform: i686-pc-linux-gnu
Compiled with: nmap-liblua-5.2.3 openssl-1.0.13 libpcre-8.30 libpcap-1.3.0 nmap-libdnet-1.12 ipvx
Compiled without:
Available nsock engines: epoll poll select

I am running this against an entire list of IP addresses, but have simplified it down to a single address:

sudo nmap -script=ssh-hostkey.nse -sS -sV --open \
  -p T:22,T:1026,T:1027,T:1028,T:1029,T:1030,T:1033,T:1035,T:2000,T:5060 \
  29.161.17.1

Two consecutive runs produced the following (URL-obfuscated) outputs:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-15 09:18 CDT
Nmap scan report for Obfuscated.URL.com (29.161.17.1)
Host is up (0.15s latency).
Not shown: 8 closed ports
PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       Cisco SSH 1.25 (protocol 2.0)
| ssh-hostkey:
|   1024 c2:e5:67:b5:4a:cc:2c:eb:7c:98:c6:7d:16:21:d5:df (RSA)
5060/tcp open  sip-proxy Cisco SIP Gateway (IOS 12.x)
Service Info: OS: IOS; Device: router; CPE: cpe:/o:cisco:ios

Service detection performed. Please report any incorrect results at http://nmap.org/submit
Nmap done: 1 IP address (1 host up) scanned in 28.86 seconds

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-15 09:19 CDT
Nmap scan report for Obfuscated.URL.com (29.161.17.1)
Host is up (0.15s latency).
Not shown: 8 closed ports
PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       Cisco SSH 1.25 (protocol 2.0)
| ssh-hostkey:
5060/tcp open  sip-proxy Cisco SIP Gateway (IOS 12.x)
Service Info: OS: IOS; Device: router; CPE: cpe:/o:cisco:ios

Service detection performed. Please report any incorrect results at http://nmap.org/submit
Nmap done: 1 IP address (1 host up) scanned in 28.59 seconds

Whether or not the RSA (and for that matter, the DSA) key-signature is returned seems to be entirely random. Very rarely, the script fails at that point with an error (which appears in some of the bug-feedback threads):

|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)

However, none of the commentary about the ssh-hostkey.nse ERROR includes any information about random failure to display one or both hostkey signatures. I have tried running without the --open (same result, more noise in output), and with the -d flag (much output that I do not understand, but essentially the same key result: sometimes the key is displayed, sometimes not).

Since I am performing these tests on a restricted-access secure environment, I have difficulty copying the debug output into this email (all samples above were hand-typed from visible screen displays), but could probably find a way to do that if it would honestly be helpful.

This email and any files transmitted with it are confidential and intended solely for the individual or entity to whom they are addressed. If you have received this email in error destroy it immediately. *** Walmart Confidential ***
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
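One way to make the run-to-run inconsistency reported above measurable rather than eyeballed, as an added example that is not part of this thread and not Nmap's own code: the script below parses Nmap's normal output for the ssh-hostkey block under each port and lists the ports whose result changed between runs, distinguishing a key that was shown, an empty block, and the "Script execution failed" error. The three scan excerpts embedded in it are constructed from the outputs quoted in the report (hostname, address and fingerprint as given there); the assumed real-world usage is to save each repeated scan with -oN and pass the file contents in as the list of runs.

```python
"""Spot inconsistent ssh-hostkey output across repeated Nmap runs.

Added example, not code from the nmap-dev thread or the Nmap project.
Parses Nmap normal (-oN style) output and reports ports whose
ssh-hostkey result differs between runs.
"""
import re
from typing import Dict, List, Union

# Constructed excerpts modelled on the two runs quoted in the report
# (run 1 shows the RSA key, run 2 shows an empty block) plus the rarer
# error form the reporter also mentions.
RUN1 = """\
Nmap scan report for Obfuscated.URL.com (29.161.17.1)
Host is up (0.15s latency).
Not shown: 8 closed ports
PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       Cisco SSH 1.25 (protocol 2.0)
| ssh-hostkey:
|   1024 c2:e5:67:b5:4a:cc:2c:eb:7c:98:c6:7d:16:21:d5:df (RSA)
5060/tcp open  sip-proxy Cisco SIP Gateway (IOS 12.x)
"""

RUN2 = """\
Nmap scan report for Obfuscated.URL.com (29.161.17.1)
Host is up (0.15s latency).
Not shown: 8 closed ports
PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       Cisco SSH 1.25 (protocol 2.0)
| ssh-hostkey:
5060/tcp open  sip-proxy Cisco SIP Gateway (IOS 12.x)
"""

RUN3 = """\
22/tcp   open  ssh       Cisco SSH 1.25 (protocol 2.0)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+\S+\s+\S+")
SCRIPT_RE = re.compile(r"^\|_?\s*ssh-hostkey:(.*)$")
KEY_RE = re.compile(r"^\|_?\s+(\d+)\s+([0-9a-f:]+)\s+\((\w+)\)")

HostKeys = Union[List[str], str]  # list of key lines, or "ERROR"


def parse_hostkeys(text: str) -> Dict[str, HostKeys]:
    """Map each port to its ssh-hostkey lines, or "ERROR" if the script failed.

    A port with an ssh-hostkey block but no key lines maps to [] (the empty
    block seen in the second run). Ports without the block are omitted.
    """
    keys: Dict[str, HostKeys] = {}
    port = None
    in_block = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:                       # new port row ends any open script block
            port = m.group(1)
            in_block = False
            continue
        if port is None:
            continue
        m = SCRIPT_RE.match(line)
        if m:                       # start of the ssh-hostkey block
            rest = m.group(1).strip()
            keys[port] = "ERROR" if rest.startswith("ERROR") else []
            in_block = not rest     # only a bare header has key lines below
            continue
        m = KEY_RE.match(line) if in_block else None
        if m:
            bits, fp, ktype = m.groups()
            keys[port].append(f"{bits} {fp} ({ktype})")
        elif not line.startswith("|"):
            in_block = False
    return keys


def inconsistent_ports(runs: List[str]) -> Dict[str, List[HostKeys]]:
    """Return ports whose ssh-hostkey result is not identical across all runs."""
    parsed = [parse_hostkeys(r) for r in runs]
    ports = set().union(*(p.keys() for p in parsed))
    out: Dict[str, List[HostKeys]] = {}
    for port in sorted(ports):
        per_run = [p.get(port, "ABSENT") for p in parsed]
        if any(r != per_run[0] for r in per_run[1:]):
            out[port] = per_run
    return out


if __name__ == "__main__":
    for port, per_run in inconsistent_ports([RUN1, RUN2, RUN3]).items():
        print(port)
        for i, result in enumerate(per_run, 1):
            print(f"  run {i}: {result}")
```

Feeding the same saved output in twice yields an empty result, so a non-empty result is a genuine difference between runs and not a parsing artefact; when reporting such a bug, the per-run lists this prints are a compact substitute for pasting whole scan reports.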
Current thread:
- Inconsistent results from nmap --script=ssh-hostkey.nse Terrance Roddy (Apr 15)
- Re: Inconsistent results from nmap --script=ssh-hostkey.nse Daniel Miller (Apr 16)