Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [NSE script] SSH1 Hostkey

From: Sven Klemm <sven () c3d2 de>
Date: Tue, 05 Aug 2008 15:58:21 +0200
I've updated the script according to changes to the nse openssl bindings. The new version is attached to this mail. 

Here is a sample output:

> ./nmap --script SSH1-hostkey -p 22 localhost

Starting Nmap 4.68 ( http://nmap.org ) at 2008-08-05 15:56 CEST
Interesting ports on localhost (127.0.0.1):
PORT   STATE SERVICE
22/tcp open  ssh
|_ SSH1-Hostkey: 1024 35 136733718652991815166319123082773399861431031364908027819249598103199531236955778089644124580769345909378409769440979789009975246338169094312530652170936413484326930201865873192592749922439801838002192462023211783754960445138418861487715801288461579293714008745466811462569934380721110045927571803154589942049 

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds




------------------------------------------------------------------------


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org



--
Sven Klemm
http://cthulhu.c3d2.de/~sven/



id = "SSH1-Hostkey"
author = "Sven Klemm <sven () c3d2 de>"
description = "Show SSH1 Hostkey"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
categories = {"safe"}

require("stdnse")
require("shortport")
require("openssl")
require("bin")

portrule = shortport.port_or_service(22, "ssh")

action = function(host, port)
  local socket = nmap.new_socket()
  local catch = function() socket:close() end
  local try = nmap.new_try(catch)

  try(socket:connect(host.ip, port.number))
  -- fetch banner
  try(socket:receive_lines(1))
  -- send our banner
  try(socket:send("SSH-1.5-Nmap-SSH1-Hostkey\r\n"))

  local data, packet_length, padding, offset
  data = try(socket:receive())
  socket:close()
  offset, packet_length = bin.unpack( ">i", data )
  padding = 8 - packet_length % 8
  offset = offset + padding

  if padding + packet_length + 4 == data:len() then
    -- seems to be a proper SSH1 packet
    local msg_code,host_key_bits,host_key_exponent,host_key_modulus,length
    offset, msg_code = bin.unpack( ">c", data, offset )
    if msg_code == 2 then -- 2 => SSH_SMSG_PUBLIC_KEY
      -- ignore cookie and server key bits
      offset, _, _ = bin.unpack( ">A8i", data, offset )
      -- skip server key exponent and modulus
      offset, length = bin.unpack( ">S", data, offset )
      offset = offset + math.ceil( length / 8 )
      offset, length = bin.unpack( ">S", data, offset )
      offset = offset + math.ceil( length / 8 )

      offset, host_key_bits = bin.unpack( ">i", data, offset )
      offset, length = bin.unpack( ">S", data, offset )
      offset, host_key_exponent = bin.unpack( ">A" .. math.ceil( length / 8 ), data, offset )
      host_key_exponent = openssl.bignum_bin2bn( host_key_exponent ):to_dec()
      offset, length = bin.unpack( ">S", data, offset )
      offset, host_key_modulus = bin.unpack( ">A" .. math.ceil( length / 8 ), data, offset )
      host_key_modulus = openssl.bignum_bin2bn( host_key_modulus ):to_dec()

      return host_key_bits .. ' ' .. host_key_exponent .. ' ' .. host_key_modulus
    end
  end

end



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Previous By Date Next
Previous By Thread Next

Current thread: