Nmap Development mailing list archives

[NSE] Libssh2 Binding Status


From: devin bjelland <devinbjelland () gmail com>
Date: Mon, 18 Aug 2014 22:17:54 -0500

Hi everyone,

Here is a summary of the current status of the libssh2 binding that I have
been working on. Because there is an unresolved bug and Windows support is
currently lacking, we have decided to hold off on merging the branch. In
the meantime, it is available at /nmap-exp/devin/nmap-libssh2. Hopefully,
Windows support will be working in the next few days, and Patrick and
I are continuing to investigate the bug.

The bug is triggered intermittently during the ssh-brute script during the
ssh handshake. A call to nsock receive results in an EOF. It is very
probably related to the way we filter the data libssh2 sends through a
socketpair. We do this to allow us to use the existing nsock socket pool.
Until we figure this out, we are catching the error with pcall. You can set
max-retries=0 and it will check all passwords, albeit with a fair number of
retries.

The branch currently contains 5 new scripts:

ssh-auth-methods: Returns the authentication methods an ssh server supports.

Sample usage:
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=<username>"
<target>

Sample output:
 22/tcp open  ssh     syn-ack
 | ssh-auth-methods:
 |   Supported authentication methods:
 |     publickey
 |_    password

ssh-brute: Performs brute-force password guessing against an ssh server.

Sample usage:
 nmap -p 22 --script ssh-brute --script-args "userdb=users.lst,passdb=pass.lst" <target>

Sample output:
 22/tcp open  ssh
 | ssh-brute:
 |  Accounts
 |    username:password
 |  Statistics
 |_   Performed 32 guesses in 25 seconds.

ssh-vuln-hostkey: Checks if an ssh server has a predictable hostkey by
checking it against a list of fingerprints generated by HD Moore. You have
to download these hostkeys separately and specify their directory as the
fingerprintdir variable. The keys are available at
http://itsecurity.net/debian_ssh_scan_v4.tar.bz2. Additionally, you can
specify a file of ssh hostkey fingerprints, one per line, and the script will
report if the hostkey matches one of the provided fingerprints.

Sample usage:
 nmap -p 22 --script ssh-vuln-hostkey --script-args fingerprintdir=<directory with vulnerable fingerprints> <target>

Sample output:
 22/tcp   open   ssh     syn-ack
 | ssh-vuln-hostkey:
 |   Weak hostkeys:
 |_    2048 6d:cd:2a:8b:dc:3e:e0:92:00:47:59:16:8c:8b:17:70 (RSA)

ssh-publickey-acceptance: This script takes a table of paths to private
keys, passphrases, and usernames and checks each pair to
see if the target ssh server accepts them for publickey authentication. If
no keys are given or the known-bad option is given, the script will check
if a list of known static public keys are accepted for authentication.

Sample usage:
 nmap -p 22 --script ssh-publickey-acceptance --script-args "ssh.usernames={'root', 'user'}, ssh.privatekeys={'./id_rsa1', './id_rsa2'}, known-bad=true" <target>

Sample output:
 22/tcp open  ssh     syn-ack
 | ssh-publickey-acceptance:
 |   Accepted Public Keys:
 |_    Key ./id_rsa1 accepted for user root

run-remote: Runs remote command on ssh server and returns command output.

Sample usage:
 nmap -p 22 -v -d --script=run-remote --datadir=./ --script-args="run-remote.cmd=ls -l /, run-remote.username=myusername, run-remote.password=mypassword" <target>

Sample output:
 22/tcp open  ssh     syn-ack 0
 | run-remote:
 |   output:
 |     total 124
 | drwxr-xr-x   2 root       root        4096 Jun 23 09:34 bin
 | drwxr-xr-x   3 root       root        4096 Jun 19 12:42 boot
 | ...
 |_drwxr-xr-x  14 root       root        4096 Jun  6 14:58 var

I hope you find these scripts useful. Let me know what you think and if you
have any suggestions for improvements or more ideas. Also, if you hear
about any static public keys not in publickeydb (in
nselib/data/publickeydb) on routers, load balancers, etc., let me know. My
work pace will probably be a bit slower with school and now that Google
Summer of Code is officially over, but I'm going to keep making improvements.

Cheers,
Devin Bjelland
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
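The ssh-vuln-hostkey description above takes a list of hostkey fingerprints, one per line, and reports a hit when the server's key matches. The Python below is an added example, not Devin's NSE script and not part of the nmap-libssh2 branch: it encodes an ssh-rsa public key blob the way the SSH wire format does, computes the colon-separated MD5 fingerprint that the sample output shows (and, going beyond the post, the SHA256 form newer OpenSSH prints), and looks the MD5 up in such a list. The RSA key and the fingerprint list are constructed toys for the demonstration; the function names, the "one fingerprint per line, # comments allowed" list format and the assumption that the list holds MD5 fingerprints are mine, not the script's.

```python
"""Added example: OpenSSH-style host key fingerprints looked up in a
"one fingerprint per line" list. Not the NSE script or the libssh2 binding;
the RSA key below is a constructed toy, not a real or known-weak key."""
import base64
import hashlib
import struct


def _ssh_string(data):
    # SSH wire "string": 4-byte big-endian length followed by the bytes (RFC 4251).
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    # SSH "mpint": big-endian two's complement; a leading 0x00 is added when the
    # high bit is set so the value still reads as positive (RFC 4251).
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e, n):
    """ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n (RFC 4253)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def make_pubkey_line(e, n, comment="toy@example"):
    """Format a blob like an OpenSSH known_hosts/authorized_keys entry."""
    return "ssh-rsa %s %s" % (base64.b64encode(rsa_public_blob(e, n)).decode(), comment)


def _split_blob(blob):
    # Walk the concatenated length-prefixed fields and return them as a list.
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    return fields


def parse_openssh_pubkey(line):
    """Parse "<type> <base64> [comment]" into (type, blob); reject a line whose
    declared type disagrees with the type string embedded in the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>' public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1])
    if _split_blob(blob)[0] != keytype.encode():
        raise ValueError("key type inside blob does not match declared type")
    return keytype, blob


def md5_fingerprint(blob):
    """Legacy OpenSSH fingerprint: MD5 of the blob as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob):
    """Newer OpenSSH fingerprint: "SHA256:" + unpadded base64 of SHA-256."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def load_fingerprints(text):
    """One fingerprint per line; blank lines and '#' comments ignored, case folded."""
    out = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.add(line.lower())
    return out


def check_hostkey(pubkey_line, known_bad):
    """Return key type, modulus bits, both fingerprints, and whether the MD5 is listed."""
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    bits = None
    if keytype == "ssh-rsa":
        bits = int.from_bytes(_split_blob(blob)[2], "big").bit_length()  # fields: type, e, n
    md5 = md5_fingerprint(blob)
    return {"type": keytype, "bits": bits, "md5": md5,
            "sha256": sha256_fingerprint(blob), "weak": md5.lower() in known_bad}


def nmap_style(result):
    """Render a result like the script's sample output: '<bits> <md5> (RSA)'."""
    return "%s %s (%s)" % (result["bits"], result["md5"], result["type"].split("-")[1].upper())


# Constructed sample data: a toy 64-bit modulus (a real host key is 2048+ bits).
TOY_E, TOY_N = 65537, 0xC4F8E9E15DCADF2B
TOY_LINE = make_pubkey_line(TOY_E, TOY_N)
# Constructed fingerprint list seeded with the toy key; not HD Moore's data.
KNOWN_BAD = load_fingerprints("\n".join([
    "# constructed list for the example",
    md5_fingerprint(rsa_public_blob(TOY_E, TOY_N)).upper(),
    "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff",
]))

if __name__ == "__main__":
    for line in (TOY_LINE, make_pubkey_line(TOY_E, TOY_N + 2)):
        r = check_hostkey(line, KNOWN_BAD)
        print(nmap_style(r), "WEAK" if r["weak"] else "ok", r["sha256"])
```

Running the block prints the toy key as weak and a neighbouring key as clean. The fingerprint is a hash over the whole wire-format blob, so the mpint padding rule matters: drop the leading 0x00 and every fingerprint in the list stops matching.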