Re: [NSE] find-ssh-hostkey script

[Toni Ruottu <toni.ruottu () iki fi>]

On Wed, Mar 9, 2011 at 5:20 PM, Nick Nikolaou
<nikolasnikolaou1 () gmail com> wrote:
> > nmap -sC
> > --script-args newtargets,sshtarget=AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:AB:CD
> >
> >
> >
> > (The script could be in default category, and just do nothing unless there
> > is an sshtarget specification in the argument list.)
>
> That's a good idea. I didn't think of that but it's a good example of how
> the script can be used.

I forgot. Pre scripts can probably not be in the default category, as
with pre scripts you do not need to specify targets on the command
line, but normally we would want to give an error, if the user does
not specify one.

> > Is this the type of usage you had in mind
>
>
> My original idea was to have a way to uniquely identify a host regardless of
> IP address. For example it could be useful to a pen-tester working on a
> specific machine in a dynamic IP address environment.
> I understand that the same thing can be achieved by getting all the
> machines' SSH keys, saving them in an output file and using grep to get the
> specific machine's IP address, but there may be cases that the script would
> simplify this process. (For example scanning using Zenmap?)
> Another way of going about this could be adding another parameter to the
> existing ssh-hostkey script. Since the script already gets the keys and adds
> them to the nmap registry, it could search for the specific key if that
> parameter is passed.

How do you decide which computers to check for matching ID?


> Nick
>
> >
> On 9 March 2011 14:41, Toni Ruottu <toni.ruottu () iki fi> wrote:
> > Seems useful, yet I am not sure I fully understand the use case behind
> > this, and if it would be better to have one script for this, or to
> > have multiple scripts that can be combined to do the job.
> >
> > The most obvious use case I can come up for this type of script is one
> > where I would want to perform a port scan on a host that has a certain
> > ssh key. I could be the admin of a company that has lots of laptops,
> > and a dhcp server that assigns IP addresses to those laptops
> > dynamically. All laptops have an ssh daemon in place for remote
> > administration. Now the CEO calls me and says there is something wrong
> > with his laptop. Instead of asking him to figure out the IP address of
> > his computer, I simply look up a database of ssh keys, and define the
> > scan target by the ssh key.
> >
> > nmap -sC --script-args
> > newtargets,sshtarget=AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:AB:CD
> >
> > (The script could be in default category, and just do nothing unless
> > there is an sshtarget specification in the argument list.)
> >
> > Running the command would use the pre script to locate the machine,
> > and add it to scan targets. Nmap would then scan the host, and tell me
> > the ip address of the host and services running on it. Maybe some
> > script could identify a virus on that machine. If one does not want to
> > perform full port scan on the host one could set the scan type to ping
> > scan.
> >
> > Is this the type of usage you had in mind. This is just the picture I
> > got. Maybe I misunderstood something.
> >
> >
> > On Tue, Mar 8, 2011 at 6:45 PM, Nick Nikolaou
> > <nikolasnikolaou1 () gmail com> wrote:
> > > Hey everyone,
> > >
> > > Attached is a script I wrote that attempts to identify a host given its
> > > SSH
> > > hostkey as an argument. I got the idea from Fyodor's presentation
> > >
> > > --@usage
> > > -- nmap --script=find-ssh-hostkey --script-args
> > > fingerprint=AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:AB:CD
> > > --
> > > --@output
> > > -- 22/tcp  open  ssh
> > > -- |_find-ssh-hostkey: Key found.
> > >
> > >
> > > After (limited) testing it seems to work. I don't have access to many
> > > machines running SSH so I can't test it thoroughly.
> > >
> > > The script name can be confusing seems it's very similar to other
> > > scripts
> > > that show the host's SSH key so feel free to change it to something more
> > > meaningful.
> > >
> > > I hope you find it useful.
> > >
> > > Any comments are more than welcome.
> > >
> > > Nick
> > >
> > > _______________________________________________
> > > Sent through the nmap-dev mailing list
> > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/