Nmap Development mailing list archives

Re: [NSE script] SSH1 Hostkey

From: Sven Klemm <sven () c3d2 de>
Date: Tue, 05 Aug 2008 19:41:20 +0200

I've attached a new version that only shows the fingerprint of the keyunless verbosity is at least 2 like I did for SSH2 version.


sample output:

./nmap --script SSH1-hostkey -p 22 localhost

Starting Nmap 4.68 ( http://nmap.org ) at 2008-08-05 19:38 CEST
Interesting ports on localhost (127.0.0.1):
PORT   STATE SERVICE
22/tcp open  ssh
|_ SSH1-Hostkey: rsa1 1024 89:7c:8b:2e:ee:5c:3d:ab:20:bd:d7:b3:a4:5a:a8:80

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

sample output with verbosity 2:

./nmap --script SSH1-hostkey -p 22 localhost -vv

Starting Nmap 4.68 ( http://nmap.org ) at 2008-08-05 19:39 CEST
Initiating Ping Scan at 19:39
Scanning 127.0.0.1 [1 port]
Completed Ping Scan at 19:39, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 19:39
Scanning localhost (127.0.0.1) [1 port]
Discovered open port 22/tcp on 127.0.0.1
Completed Connect Scan at 19:39, 0.00s elapsed (1 total ports)
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 19:39
Completed SCRIPT ENGINE at 19:39, 0.01s elapsed
Host localhost (127.0.0.1) appears to be up ... good.
Scanned at 2008-08-05 19:39:27 CEST for 0s
Interesting ports on localhost (127.0.0.1):
PORT   STATE SERVICE
22/tcp open  ssh

|_ SSH1-Hostkey: rsa1 102489:7c:8b:2e:ee:5c:3d:ab:20:bd:d7:b3:a4:5a:a8:80 35136733718652991815166319123082773399861431031364908027819249598103199531236955778089644124580769345909378409769440979789009975246338169094312530652170936413484326930201865873192592749922439801838002192462023211783754960445138418861487715801288461579293714008745466811462569934380721110045927571803154589942049


Read data files from: .
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Cheers,
Sven

--
Sven Klemm
http://cthulhu.c3d2.de/~sven/


id = "SSH1-Hostkey"
author = "Sven Klemm <sven () c3d2 de>"
description = "Show SSH1 Hostkey"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
categories = {"safe"}

require("stdnse")
require("shortport")
require("openssl")
require("bin")

portrule = shortport.port_or_service(22, "ssh")

local format_fingerprint = function( fp )
  local s = fp:sub( 1, 2 )
  for i = 3, #fp, 2 do
    s = s .. ':' .. fp:sub( i, i + 1 )
  end
  return s
end

action = function(host, port)
  local socket = nmap.new_socket()
  local catch = function() socket:close() end
  local try = nmap.new_try(catch)

  try(socket:connect(host.ip, port.number))
  -- fetch banner
  try(socket:receive_lines(1))
  -- send our banner
  try(socket:send("SSH-1.5-Nmap-SSH1-Hostkey\r\n"))

  local data, packet_length, padding, offset
  data = try(socket:receive())
  socket:close()
  offset, packet_length = bin.unpack( ">i", data )
  padding = 8 - packet_length % 8
  offset = offset + padding

  if padding + packet_length + 4 == data:len() then
    -- seems to be a proper SSH1 packet
    local msg_code,host_key_bits,host_key_exponent,host_key_modulus,length
    offset, msg_code = bin.unpack( ">c", data, offset )
    if msg_code == 2 then -- 2 => SSH_SMSG_PUBLIC_KEY
      -- ignore cookie and server key bits
      offset, _, _ = bin.unpack( ">A8i", data, offset )
      -- skip server key exponent and modulus
      offset, length = bin.unpack( ">S", data, offset )
      offset = offset + math.ceil( length / 8 )
      offset, length = bin.unpack( ">S", data, offset )
      offset = offset + math.ceil( length / 8 )

      offset, host_key_bits = bin.unpack( ">i", data, offset )
      offset, length = bin.unpack( ">S", data, offset )
      offset, host_key_exponent = bin.unpack( ">A" .. math.ceil( length / 8 ), data, offset )
      host_key_exponent = openssl.bignum_bin2bn( host_key_exponent )
      offset, length = bin.unpack( ">S", data, offset )
      offset, host_key_modulus = bin.unpack( ">A" .. math.ceil( length / 8 ), data, offset )
      host_key_modulus = openssl.bignum_bin2bn( host_key_modulus )

      local output = 'rsa1 ' .. host_key_bits .. ' ' .. format_fingerprint( hash.md5( host_key_modulus:to_bin() .. 
host_key_exponent:to_bin() ) )
      if nmap.verbosity() > 1 then
        output = output .. ' ' .. host_key_exponent:to_dec() .. ' ' .. host_key_modulus:to_dec()
      end
      return output
    end
  end

end


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

[NSE script] SSH1 Hostkey Sven Klemm (Aug 03)
- Re: [NSE script] SSH1 Hostkey Sven Klemm (Aug 05)
  - Re: [NSE script] SSH1 Hostkey Sven Klemm (Aug 05)
    - Re: [NSE script] SSH1 Hostkey Brandon Enright (Aug 05)
    - Re: [NSE script] SSH1 Hostkey doug (Aug 05)
    - Re: [NSE script] SSH1 Hostkey Sven Klemm (Sep 01)
    - Re: [NSE script] SSH1 Hostkey Sven Klemm (Aug 05)
    - Re: [NSE script] SSH1 Hostkey Brandon Enright (Aug 05)