Nmap Development mailing list archives
Re: Inconsistent results from nmap --script=ssh-hostkey.nse
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 16 Apr 2015 15:14:38 -0500
On Wed, Apr 15, 2015 at 1:46 PM, Terrance Roddy <Terrance.Roddy () walmart com> wrote:
I am using your excellent nmap tool for internal penetration testing of (segments of) our enormous internal network. I recently encountered a situation where the identical nmap command returns different results, and even the results that return are sometimes malformed.

Platform information: I am running my tests from Kali Linux 1.0.9

nmap -V
Nmap version 6.47 ( http://nmap.org )
Platform: i686-pc-linux-gnu
Compiled with: nmap-liblua-5.2.3 openssl-1.0.13 libpcre-8.30 libpcap-1.3.0 nmap-libdnet-1.12 ipvx
Compiled without:
Available nsock engines: epoll poll select

I am running this against an entire list of IP addresses, but have simplified it down to a single address:

sudo nmap --script=ssh-hostkey.nse -sS -sV --open \
    -p T:22,T:1026,T:1027,T:1028,T:1029,T:1030,T:1033,T:1035,T:2000,T:5060 \
    29.161.17.1

Two consecutive runs produced the following (URL-obfuscated) outputs:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-15 09:18 CDT
Nmap scan report for Obfuscated.URL.com (29.161.17.1)
Host is up (0.15s latency).
Not shown: 8 closed ports
PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       Cisco SSH 1.25 (protocol 2.0)
| ssh-hostkey:
|   1024 c2:e5:67:b5:4a:cc:2c:eb:7c:98:c6:7d:16:21:d5:df (RSA)
5060/tcp open  sip-proxy Cisco SIP Gateway (IOS 12.x)
Service Info: OS: IOS; Device: router; CPE: cpe:/o:cisco:ios

Service detection performed. Please report any incorrect results at http://nmap.org/submit
Nmap done: 1 IP address (1 host up) scanned in 28.86 seconds

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-15 09:19 CDT
Nmap scan report for Obfuscated.URL.com (29.161.17.1)
Host is up (0.15s latency).
Not shown: 8 closed ports
PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       Cisco SSH 1.25 (protocol 2.0)
| ssh-hostkey:
5060/tcp open  sip-proxy Cisco SIP Gateway (IOS 12.x)
Service Info: OS: IOS; Device: router; CPE: cpe:/o:cisco:ios

Service detection performed. Please report any incorrect results at http://nmap.org/submit
Nmap done: 1 IP address (1 host up) scanned in 28.59 seconds

Whether or not the RSA (and for that matter, the DSA) key-signature is returned seems to be entirely random. Very rarely, the script fails at that point with an error (which appears in some of the bug-feedback threads):

|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)

However, none of the commentary about the ssh-hostkey.nse ERROR includes any information about random failure to display one or both hostkey signatures. I have tried running without the --open (same result, more noise in output), and with the -d flag (much output that I do not understand, but essentially the same key result: sometimes the key is displayed, sometimes not). Since I am performing these tests on a restricted-access secure environment, I have difficulty copying the debug output into this email (all samples above were hand-typed from visible screen displays), but could probably find a way to do that if it would honestly be helpful.
Terrance,

Thanks for the bug report. There have been a few changes made to the ssh-hostkey script and the ssh1.lua and ssh2.lua libraries it uses since the 6.47 release. Unfortunately, I can't really distill them into a patch that does not also depend on several unrelated changes in NSE. I'll put a summary of changes at the end.

For debugging your current situation, it would be helpful to have the output of a problematic run with the -d and --script-trace options.

Dan

P.S. Here's the summary of changes since 6.47:

* Support diffie-hellman-group14-sha1 in ssh2.lua. The lack of support caused the script to crash when scanning OpenSSH 6.7 or any SSH server that didn't support diffie-hellman-group1-sha1.
* Fixed a couple bugs causing crashes and corrupted output when SSH1 was in use: http://seclists.org/nmap-dev/2014/q4/332
* Fixed a check for number of host keys that resulted in empty output (like you saw). When no keys are found, the script produces no output.
* We now do a banner check to determine that the service is indeed SSH before trying to enumerate the host key types. This saves some work when tcpwrappers is denying access.
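The failure mode Dan describes in his first bullet (the client's and the server's kex algorithm lists do not overlap) and the banner check in his last one, as an added Python example that is not code from this thread or from Nmap's ssh2.lua. The KEX_647 and KEX_FIXED lists, the function names and the KEXINIT packet are illustrative assumptions constructed inline, based only on what the reply states.

```python
import struct

SSH_MSG_KEXINIT = 20
# Assumed kex lists: 6.47 offered only group1 (per the reply); the fix added group14.
KEX_647 = ["diffie-hellman-group1-sha1"]
KEX_FIXED = ["diffie-hellman-group14-sha1"] + KEX_647

def _namelist(names):
    """Encode an RFC 4251 name-list: uint32 length + comma-separated names."""
    data = ",".join(names).encode()
    return struct.pack(">I", len(data)) + data

def build_kexinit(kex_algs, hostkey_algs):
    """Build a constructed, unencrypted SSH_MSG_KEXINIT binary packet (RFC 4253 s.6, s.7.1)."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16      # message id + zeroed 16-byte cookie
    payload += _namelist(kex_algs) + _namelist(hostkey_algs)
    payload += _namelist(["aes128-ctr"]) * 2 + _namelist(["hmac-sha1"]) * 2  # enc, mac (c2s, s2c)
    payload += _namelist(["none"]) * 2 + _namelist([]) * 2                   # comp, lang (c2s, s2c)
    payload += b"\x00" + struct.pack(">I", 0)              # first_kex_packet_follows, reserved
    pad = 8 - (5 + len(payload)) % 8                       # total length must be a multiple of 8,
    if pad < 4:                                            # with at least 4 bytes of padding
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad

def parse_kexinit(packet):
    """Return (kex_algorithms, server_host_key_algorithms) from a KEXINIT binary packet."""
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_len - pad_len - 1]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT message")
    pos, lists = 17, []                                    # skip message id and cookie
    for _ in range(2):
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        lists.append(payload[pos + 4:pos + 4 + n].decode().split(","))
        pos += 4 + n
    return lists[0], lists[1]

def choose_kex(client_kex, server_kex):
    """RFC 4253 s.7.1 negotiation: first client algorithm the server also lists, else None.
    None is the case the 6.47 script did not handle, hence the crash described in the reply."""
    return next((alg for alg in client_kex if alg in server_kex), None)

def is_ssh_banner(line):
    """Banner check from the reply's last bullet: an SSH server's first line starts with 'SSH-'."""
    return line.startswith(b"SSH-")
```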
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/