Nmap Development mailing list archives
Re: [NSE script] SSH1 Hostkey
From: Sven Klemm <sven () c3d2 de>
Date: Tue, 05 Aug 2008 19:41:20 +0200
I've attached a new version that only shows the fingerprint of the key unless verbosity is at least 2, as I did for the SSH2 version.
sample output:

./nmap --script SSH1-hostkey -p 22 localhost

Starting Nmap 4.68 ( http://nmap.org ) at 2008-08-05 19:38 CEST
Interesting ports on localhost (127.0.0.1):
PORT STATE SERVICE
22/tcp open ssh
|_ SSH1-Hostkey: rsa1 1024 89:7c:8b:2e:ee:5c:3d:ab:20:bd:d7:b3:a4:5a:a8:80

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

sample output with verbosity 2:

./nmap --script SSH1-hostkey -p 22 localhost -vv

Starting Nmap 4.68 ( http://nmap.org ) at 2008-08-05 19:39 CEST
Initiating Ping Scan at 19:39
Scanning 127.0.0.1 [1 port]
Completed Ping Scan at 19:39, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 19:39
Scanning localhost (127.0.0.1) [1 port]
Discovered open port 22/tcp on 127.0.0.1
Completed Connect Scan at 19:39, 0.00s elapsed (1 total ports)
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 19:39
Completed SCRIPT ENGINE at 19:39, 0.01s elapsed
Host localhost (127.0.0.1) appears to be up ... good.
Scanned at 2008-08-05 19:39:27 CEST for 0s
Interesting ports on localhost (127.0.0.1):
PORT STATE SERVICE
22/tcp open ssh
|_ SSH1-Hostkey: rsa1 1024 89:7c:8b:2e:ee:5c:3d:ab:20:bd:d7:b3:a4:5a:a8:80 35 136733718652991815166319123082773399861431031364908027819249598103199531236955778089644124580769345909378409769440979789009975246338169094312530652170936413484326930201865873192592749922439801838002192462023211783754960445138418861487715801288461579293714008745466811462569934380721110045927571803154589942049
Read data files from: .
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Cheers,
Sven

--
Sven Klemm http://cthulhu.c3d2.de/~sven/
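id = "SSH1-Hostkey"
author = "Sven Klemm <sven () c3d2 de>"
description = "Show SSH1 Hostkey"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe"}

require("stdnse")
require("shortport")
require("openssl")
require("bin")

-- NOTE(review): the fingerprint is computed with hash.md5, yet nothing in
-- this script does require("hash"); confirm that library is available in
-- the NSE environment this runs under (the openssl binding also offers an
-- md5 function that takes the same input).

portrule = shortport.port_or_service(22, "ssh")

-- OpenSSH rejects an SSH1 packet whose declared length is below 5 or above
-- 256 KiB. The same bounds are applied here so a hostile or broken server
-- cannot make the script buffer an arbitrary amount of data.
local MIN_PACKET_LENGTH = 5
local MAX_PACKET_LENGTH = 256 * 1024

--- Turn a hex digest into the colon-separated form printed by ssh-keygen -l.
-- @param fp hex string of the digest (e.g. "897c8b2e...")
-- @return the same digits with a colon after every second character
local format_fingerprint = function( fp )
  local groups = {}
  for i = 1, #fp, 2 do
    groups[#groups + 1] = fp:sub( i, i + 1 )
  end
  return table.concat( groups, ':' )
end

--- Keep reading from socket until buf holds at least want bytes.
-- @return the grown buffer, or nil if the peer closed or timed out first
local receive_until = function( socket, buf, want )
  while buf:len() < want do
    local status, chunk = socket:receive()
    if not status then return nil end
    buf = buf .. chunk
  end
  return buf
end

--- Read one SSH1 multiple-precision integer: a 16-bit bit count followed by
-- ceil(bits / 8) big-endian bytes.
-- @return the new offset and the raw bytes, or nil if data is truncated
local read_mpint = function( data, offset )
  local bits
  offset, bits = bin.unpack( ">S", data, offset )
  if not bits then return nil end
  local raw
  offset, raw = bin.unpack( ">A" .. math.ceil( bits / 8 ), data, offset )
  if not raw then return nil end
  return offset, raw
end

--- Fetch the server's SSH_SMSG_PUBLIC_KEY packet and report the RSA1 host key.
-- Output is "rsa1 <bits> <md5 fingerprint>"; at verbosity >= 2 the public
-- exponent and modulus are appended in decimal. The fingerprint is MD5 over
-- modulus || exponent, the input OpenSSH uses for rsa1 keys, so it can be
-- compared with ssh-keygen -l. Nothing here authenticates the host; SSH1
-- itself is obsolete and the value is for identification only.
-- Returns nil when the server does not answer with a well-formed SSH1
-- public key packet.
action = function(host, port)
  local socket = nmap.new_socket()
  local catch = function() socket:close() end
  local try = nmap.new_try(catch)

  try(socket:connect(host.ip, port.number))
  -- fetch banner (its version string is not checked; a server that does
  -- not speak SSH1 simply fails to produce a usable packet below)
  try(socket:receive_lines(1))
  -- send our banner
  try(socket:send("SSH-1.5-Nmap-SSH1-Hostkey\r\n"))

  -- SSH1 packet layout: 4-byte length (excluding itself and the padding),
  -- 1..8 padding bytes so the remainder is a multiple of 8, then the payload
  -- followed by a 4-byte CRC. A single receive() may return only part of
  -- it, so the read continues until the whole packet is buffered instead of
  -- giving up on a short read.
  local data = receive_until( socket, try(socket:receive()), 4 )
  if not data then
    socket:close()
    return
  end
  local offset, packet_length = bin.unpack( ">i", data )
  if packet_length < MIN_PACKET_LENGTH or packet_length > MAX_PACKET_LENGTH then
    socket:close()
    return
  end
  local padding = 8 - packet_length % 8
  data = receive_until( socket, data, 4 + padding + packet_length )
  socket:close()
  if not data then return end
  offset = offset + padding

  local msg_code
  offset, msg_code = bin.unpack( ">c", data, offset )
  -- 2 => SSH_SMSG_PUBLIC_KEY
  if msg_code ~= 2 then return end

  -- ignore cookie (8 bytes) and server key bits (32-bit)
  offset = bin.unpack( ">A8i", data, offset )
  -- skip server key exponent and modulus; only the host key is reported
  offset = read_mpint( data, offset )
  if not offset then return end
  offset = read_mpint( data, offset )
  if not offset then return end

  local host_key_bits, host_key_exponent, host_key_modulus
  offset, host_key_bits = bin.unpack( ">i", data, offset )
  if not host_key_bits then return end
  offset, host_key_exponent = read_mpint( data, offset )
  if not offset then return end
  offset, host_key_modulus = read_mpint( data, offset )
  if not offset then return end
  -- every field above came from the network; the nil checks stop a
  -- truncated or malformed packet from turning into a Lua error here
  host_key_exponent = openssl.bignum_bin2bn( host_key_exponent )
  host_key_modulus = openssl.bignum_bin2bn( host_key_modulus )

  local fingerprint = format_fingerprint(
    hash.md5( host_key_modulus:to_bin() .. host_key_exponent:to_bin() ) )
  local output = 'rsa1 ' .. host_key_bits .. ' ' .. fingerprint
  if nmap.verbosity() > 1 then
    output = output .. ' ' .. host_key_exponent:to_dec() .. ' ' .. host_key_modulus:to_dec()
  end
  return output
end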