Nmap Development mailing list archives
Re: [NSE] find-ssh-hostkey script
From: Nick Nikolaou <nikolasnikolaou1 () gmail com>
Date: Fri, 11 Mar 2011 18:02:57 +0000
Note that it is still possible to have the same functionality. The script just needs to be selected explicitly from the command line.
Thanks for the reminder. That's what I get for reading and replying to emails at 2AM. I'll probably modify the script during the weekend to work like that, adding the host with the key specified into newtargets. A question that comes to mind though is which hosts will nmap go through during the prescan phase to look for the sshtarget key? I hope I'm not missing something really obvious here. On 11 March 2011 02:23, Toni Ruottu <toni.ruottu () iki fi> wrote:
Note that it is still possible to have the same functionality. The script just needs to be selected explicitly from the command line. On Fri, Mar 11, 2011 at 4:01 AM, Nick Nikolaou <nikolasnikolaou1 () gmail com> wrote:Now, if we add prescript.nse to the default category. Nmap will no longer produce a listing of command line parameters, when it is run without parameters. This is undesired, and thus no prescripts could ever be added to the default category. I am not sure if this is good or bad, but it certainly is how it works at the moment.That makes sense, thanks. Dion's alternative idea of using the script to verify host-hostkeypairingsseems like a good way to go. Maybe using an argument to read hosts and keys from a list and print a warning if something has changed. On 10 March 2011 15:44, Toni Ruottu <toni.ruottu () iki fi> wrote:I could have been a bit more accurate. To this email I have attached a dummy prerule script prescript.nse that does nothing. When I run nmap without any parameters. It prints a listing of command line options to the screen. On the other hand, if I run the attached script, nmap will produce a scan result as follows... cyberix@eval:~/opt/nmap/bin$ ./nmap --script prescript Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-03-10 17:41 EET WARNING: No targets were specified, so 0 hosts scanned. Nmap done: 0 IP addresses (0 hosts up) scanned in 0.05 seconds Now, if we add prescript.nse to the default category. Nmap will no longer produce a listing of command line parameters, when it is run without parameters. This is undesired, and thus no prescripts could ever be added to the default category. I am not sure if this is good or bad, but it certainly is how it works at the moment. On Thu, Mar 10, 2011 at 2:30 PM, Nick Nikolaou <nikolasnikolaou1 () gmail com> wrote:Pre scripts can probably not be in the default category, as with pre scripts you do not need to specify targets on the command line, but normally we would want to give an error, if the user does not specify one.My understanding of the prerule is a bit hazy. Couldn't we make itthatif the user doesn't specify an argument the script doesn't do anythingandjust prints a debug message saying that the script is skipped because no argument was given? Is there a way to use a prerule script only to identify a specifichost(from a large block) and perform a scan specified by the user?(-sC,-sV)On 9 March 2011 17:59, Dion Stempfley <dion.stempfley () gmail com>wrote:Another thought is if I know a pairing of host,ssh-host-key then Icanvalidate that the ssh-host-key hasn't been modified or that thepairingis still valid. Could possibly establish that nobody switched hosts for some reason.By host you mean IP address? On 9 March 2011 17:59, Dion Stempfley <dion.stempfley () gmail com>wrote:Another thought is if I know a pairing of host,ssh-host-key then Icanvalidate that the ssh-host-key hasn't been modified or that thepairingis still valid. Could possibly establish that nobody switched hosts for some reason. On Wed, Mar 9, 2011 at 10:20 AM, Nick Nikolaou <nikolasnikolaou1 () gmail com>wrote:nmap -sC --script-argsnewtargets,sshtarget=AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:AB:CD(The script could be in default category, and just do nothingunlessthereis an sshtarget specification in the argument list.)That's a good idea. I didn't think of that but it's a good exampleofhow the script can be used.Is this the type of usage you had in mindMy original idea was to have a way to uniquely identify a host regardless of IP address. For example it could be useful to a pen-tester workingona specific machine in a dynamic IP address environment. I understand that the same thing can be achieved by getting all the machines' SSH keys, saving them in an output file and using grep to getthespecific machine's IP address, but there may be cases that thescriptwouldsimplify this process. (For example scanning using Zenmap?) Another way of going about this could be adding another parametertothe existing ssh-hostkey script. Since the script already gets the keys and adds them to the nmap registry, it could search for the specific key if that parameter is passed. NickOn 9 March 2011 14:41, Toni Ruottu <toni.ruottu () iki fi> wrote:Seems useful, yet I am not sure I fully understand the use case behind this, and if it would be better to have one script for this, ortohave multiple scripts that can be combined to do the job. The most obvious use case I can come up for this type of scriptisone where I would want to perform a port scan on a host that has a certain ssh key. I could be the admin of a company that has lots of laptops, and a dhcp server that assigns IP addresses to those laptops dynamically. All laptops have an ssh daemon in place for remote administration. Now the CEO calls me and says there is something wrong with his laptop. Instead of asking him to figure out the IPaddressof his computer, I simply look up a database of ssh keys, and define the scan target by the ssh key. nmap -sC --script-argsnewtargets,sshtarget=AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:AB:CD(The script could be in default category, and just do nothing unless there is an sshtarget specification in the argument list.) Running the command would use the pre script to locate themachine,and add it to scan targets. Nmap would then scan the host, andtellme the ip address of the host and services running on it. Maybe some script could identify a virus on that machine. If one does notwantto perform full port scan on the host one could set the scan type to ping scan. Is this the type of usage you had in mind. This is just thepictureI got. Maybe I misunderstood something. On Tue, Mar 8, 2011 at 6:45 PM, Nick Nikolaou <nikolasnikolaou1 () gmail com> wrote:Hey everyone, Attached is a script I wrote that attempts to identify a host givenitsSSHhostkey as an argument. I got the idea from Fyodor'spresentation--@usage -- nmap --script=find-ssh-hostkey --script-args fingerprint=AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:AB:CD -- --@output -- 22/tcp open ssh -- |_find-ssh-hostkey: Key found. After (limited) testing it seems to work. I don't have accesstomany machines running SSH so I can't test it thoroughly. The script name can be confusing seems it's very similar tootherscriptsthat show the host's SSH key so feel free to change it to somethingmoremeaningful. I hope you find it useful. Any comments are more than welcome. Nick _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] find-ssh-hostkey script Nick Nikolaou (Mar 08)
- Re: [NSE] find-ssh-hostkey script Toni Ruottu (Mar 09)
- Re: [NSE] find-ssh-hostkey script Nick Nikolaou (Mar 09)
- Re: [NSE] find-ssh-hostkey script Toni Ruottu (Mar 09)
- Re: [NSE] find-ssh-hostkey script Dion Stempfley (Mar 09)
- Re: [NSE] find-ssh-hostkey script Nick Nikolaou (Mar 10)
- Re: [NSE] find-ssh-hostkey script Toni Ruottu (Mar 10)
- Re: [NSE] find-ssh-hostkey script Nick Nikolaou (Mar 10)
- Re: [NSE] find-ssh-hostkey script Toni Ruottu (Mar 10)
- Re: [NSE] find-ssh-hostkey script Nick Nikolaou (Mar 11)
- Re: [NSE] find-ssh-hostkey script Toni Ruottu (Mar 12)
- Re: [NSE] find-ssh-hostkey script Patrik Karlsson (Mar 12)
- Re: [NSE] find-ssh-hostkey script Nick Nikolaou (Mar 09)
- Re: [NSE] find-ssh-hostkey script Toni Ruottu (Mar 09)