Re: [NSE] find-ssh-hostkey script

[Nick Nikolaou <nikolasnikolaou1 () gmail com>]

> Note that it is still possible to have the same functionality. The
> script just needs to be selected explicitly from the command line.


Thanks for the reminder. That's what I get for reading and replying to
emails at 2AM.

I'll probably modify the script during the weekend to work like that, adding
the host with the key specified into newtargets. A question that comes to
mind though is which hosts will nmap go through during the prescan phase to
look for the sshtarget key? I hope I'm not missing something really obvious
here.



On 11 March 2011 02:23, Toni Ruottu <toni.ruottu () iki fi> wrote:

> Note that it is still possible to have the same functionality. The
> script just needs to be selected explicitly from the command line.
>
> On Fri, Mar 11, 2011 at 4:01 AM, Nick Nikolaou
> <nikolasnikolaou1 () gmail com> wrote:
> > > Now, if we add prescript.nse to the default category. Nmap will no
> > > longer produce a listing of command line parameters, when it is run
> > > without parameters. This is undesired, and thus no prescripts could
> > > ever be added to the default category. I am not sure if this is good
> > > or bad, but it certainly is how it works at the moment.
> >
> > That makes sense, thanks.
> > Dion's alternative idea of using the script to verify host-hostkey
> pairings
> > seems like a good way to go.
> > Maybe using an argument to read hosts and keys from a list and print a
> > warning if something has changed.
> >
> > On 10 March 2011 15:44, Toni Ruottu <toni.ruottu () iki fi> wrote:
> > > I could have been a bit more accurate. To this email I have attached a
> > > dummy prerule script prescript.nse that does nothing. When I run nmap
> > > without any parameters. It prints a listing of command line options to
> > > the screen. On the other hand, if I run the attached script, nmap will
> > > produce a scan result as follows...
> > >
> > > cyberix@eval:~/opt/nmap/bin$ ./nmap --script prescript
> > >
> > > Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-03-10 17:41 EET
> > > WARNING: No targets were specified, so 0 hosts scanned.
> > > Nmap done: 0 IP addresses (0 hosts up) scanned in 0.05 seconds
> > >
> > > Now, if we add prescript.nse to the default category. Nmap will no
> > > longer produce a listing of command line parameters, when it is run
> > > without parameters. This is undesired, and thus no prescripts could
> > > ever be added to the default category. I am not sure if this is good
> > > or bad, but it certainly is how it works at the moment.
> > >
> > > On Thu, Mar 10, 2011 at 2:30 PM, Nick Nikolaou
> > > <nikolasnikolaou1 () gmail com> wrote:
> > > > > Pre scripts can probably not be in the default category, as
> > > > > with pre scripts you do not need to specify targets on the command
> > > > > line, but normally we would want to give an error, if the user does
> > > > > not specify one.
> > > >
> > > >
> > > > My understanding of the prerule is a bit hazy. Couldn't we make it
> that
> > > > if
> > > > the user doesn't specify an argument the script doesn't do anything
> and
> > > > just
> > > > prints a debug message saying that the script is skipped because no
> > > > argument
> > > > was given?
> > > >
> > > > Is there a way to use a prerule script only to identify a specific
> host
> > > > (from a large block) and perform a scan specified by the user?
> (-sC,-sV)
> > > > On 9 March 2011 17:59, Dion Stempfley <dion.stempfley () gmail com>
> wrote:
> > > > > Another thought is if I know a pairing of host,ssh-host-key then I
> can
> > > > > validate that the ssh-host-key hasn't been modified or that the
> pairing
> > > > > is
> > > > > still valid.  Could possibly establish that nobody switched hosts for
> > > > > some
> > > > > reason.
> > > >
> > > >
> > > >  By host you mean IP address?
> > > >
> > > >
> > > > On 9 March 2011 17:59, Dion Stempfley <dion.stempfley () gmail com>
> wrote:
> > > > > Another thought is if I know a pairing of host,ssh-host-key then I
> can
> > > > > validate that the ssh-host-key hasn't been modified or that the
> pairing
> > > > > is
> > > > > still valid.  Could possibly establish that nobody switched hosts for
> > > > > some
> > > > > reason.
> > > > >
> > > > > On Wed, Mar 9, 2011 at 10:20 AM, Nick Nikolaou
> > > > > <nikolasnikolaou1 () gmail com>wrote:
> > > > >
> > > > > > > nmap -sC --script-args
> newtargets,sshtarget=AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:AB:CD
> > > > > > (The script could be in default category, and just do nothing
> unless
> > > > > there
> > > > > > > is an sshtarget specification in the argument list.)
> > > > > >
> > > > > >
> > > > > > That's a good idea. I didn't think of that but it's a good example
> of
> > > > > > how
> > > > > > the script can be used.
> > > > > >
> > > > > >
> > > > > >
> > > > > > > Is this the type of usage you had in mind
> > > > > >
> > > > > >
> > > > > > My original idea was to have a way to uniquely identify a host
> > > > > > regardless
> > > > > > of
> > > > > > IP address. For example it could be useful to a pen-tester working
> on
> > > > > > a
> > > > > > specific machine in a dynamic IP address environment.
> > > > > >
> > > > > > I understand that the same thing can be achieved by getting all the
> > > > > > machines' SSH keys, saving them in an output file and using grep to
> > > > > > get
> > > > > the
> > > > > > specific machine's IP address, but there may be cases that the
> script
> > > > > would
> > > > > > simplify this process. (For example scanning using Zenmap?)
> > > > > >
> > > > > > Another way of going about this could be adding another parameter
> to
> > > > > > the
> > > > > > existing ssh-hostkey script. Since the script already gets the keys
> > > > > > and
> > > > > > adds
> > > > > > them to the nmap registry, it could search for the specific key if
> > > > > > that
> > > > > > parameter is passed.
> > > > > >
> > > > > > Nick
> > > > > >
> > > > > >
> > > > > >
> > > > > > > On 9 March 2011 14:41, Toni Ruottu <toni.ruottu () iki fi> wrote:
> > > > > >
> > > > > > > Seems useful, yet I am not sure I fully understand the use case
> > > > > > > behind
> > > > > > > this, and if it would be better to have one script for this, or
> to
> > > > > > > have multiple scripts that can be combined to do the job.
> > > > > > >
> > > > > > > The most obvious use case I can come up for this type of script
> is
> > > > > > > one
> > > > > > > where I would want to perform a port scan on a host that has a
> > > > > > > certain
> > > > > > > ssh key. I could be the admin of a company that has lots of
> > > > > > > laptops,
> > > > > > > and a dhcp server that assigns IP addresses to those laptops
> > > > > > > dynamically. All laptops have an ssh daemon in place for remote
> > > > > > > administration. Now the CEO calls me and says there is something
> > > > > > > wrong
> > > > > > > with his laptop. Instead of asking him to figure out the IP
> address
> > > > > > > of
> > > > > > > his computer, I simply look up a database of ssh keys, and define
> > > > > > > the
> > > > > > > scan target by the ssh key.
> > > > > > >
> > > > > > > nmap -sC --script-args
> newtargets,sshtarget=AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:AB:CD
> > > > > > > (The script could be in default category, and just do nothing
> > > > > > > unless
> > > > > > > there is an sshtarget specification in the argument list.)
> > > > > > >
> > > > > > > Running the command would use the pre script to locate the
> machine,
> > > > > > > and add it to scan targets. Nmap would then scan the host, and
> tell
> > > > > > > me
> > > > > > > the ip address of the host and services running on it. Maybe some
> > > > > > > script could identify a virus on that machine. If one does not
> want
> > > > > > > to
> > > > > > > perform full port scan on the host one could set the scan type to
> > > > > > > ping
> > > > > > > scan.
> > > > > > >
> > > > > > > Is this the type of usage you had in mind. This is just the
> picture
> > > > > > > I
> > > > > > > got. Maybe I misunderstood something.
> > > > > > >
> > > > > > >
> > > > > > > On Tue, Mar 8, 2011 at 6:45 PM, Nick Nikolaou
> > > > > > > <nikolasnikolaou1 () gmail com> wrote:
> > > > > > > > Hey everyone,
> > > > > > > >
> > > > > > > > Attached is a script I wrote that attempts to identify a host
> > > > > > > > given
> > > > > its
> > > > > > > SSH
> > > > > > > > hostkey as an argument. I got the idea from Fyodor's
> presentation
> > > > > > > > --@usage
> > > > > > > > -- nmap --script=find-ssh-hostkey --script-args
> > > > > > > > fingerprint=AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:AB:CD
> > > > > > > > --
> > > > > > > > --@output
> > > > > > > > -- 22/tcp  open  ssh
> > > > > > > > -- |_find-ssh-hostkey: Key found.
> > > > > > > >
> > > > > > > >
> > > > > > > > After (limited) testing it seems to work. I don't have access
> to
> > > > > > > > many
> > > > > > > > machines running SSH so I can't test it thoroughly.
> > > > > > > >
> > > > > > > > The script name can be confusing seems it's very similar to
> other
> > > > > > scripts
> > > > > > > > that show the host's SSH key so feel free to change it to
> > > > > > > > something
> > > > > > more
> > > > > > > > meaningful.
> > > > > > > >
> > > > > > > > I hope you find it useful.
> > > > > > > >
> > > > > > > > Any comments are more than welcome.
> > > > > > > >
> > > > > > > > Nick
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Sent through the nmap-dev mailing list
> > > > > > > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > > > > > > Archived at http://seclists.org/nmap-dev/
> > > > > > _______________________________________________
> > > > > > Sent through the nmap-dev mailing list
> > > > > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > > > > Archived at http://seclists.org/nmap-dev/
> > > > > _______________________________________________
> > > > > Sent through the nmap-dev mailing list
> > > > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > > > Archived at http://seclists.org/nmap-dev/
> > > > _______________________________________________
> > > > Sent through the nmap-dev mailing list
> > > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/