Nmap Development mailing list archives
[NSE] Libssh2 Binding Status
From: devin bjelland <devinbjelland () gmail com>
Date: Mon, 18 Aug 2014 22:17:54 -0500
Hi everyone,

Here is a summary of the current status of the libssh2 binding that I have been working on. Because there is an unresolved bug and Windows support is currently lacking, we have decided to hold off on merging the branch. In the meantime, it is available at /nmap-exp/devin/nmap-libssh2. Hopefully, Windows support will be working in the next few days, and Patrick and I are continuing to investigate the bug.

The bug is triggered intermittently during the ssh-brute script during the ssh handshake. A call to nsock receive results in an EOF. It is very probably related to the way we filter the data libssh2 sends through a socketpair. We do this to allow us to use the existing nsock socket pool. Until we figure this out, we are catching the error with pcall. You can set max-retries=0 and it will check all passwords, albeit with a fair number of retries.

The branch currently contains 5 new scripts:

ssh-auth-methods: Returns authentication methods a ssh server supports.

  Sample usage:
    nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=<username>" <target>

  Sample output:
    22/tcp open ssh syn-ack
    | ssh-auth-methods:
    |   Supported authentication methods:
    |     publickey
    |_    password

ssh-brute: Performs brute-force password guessing against a ssh server.

  Sample usage:
    nmap -p 22 --script ssh-brute --script-args "userdb=users.lst,passdb=pass.lst" \
      <target>

  Sample output:
    22/ssh open ssh
    | ssh-brute:
    |   Accounts
    |     username:password
    |   Statistics
    |_    Performed 32 guesses in 25 seconds.

ssh-vuln-hostkey: Checks if the ssh server has a predictable hostkey by checking it against a list of fingerprints generated by HD Moore. You have to download these hostkeys separately and specify their directory as the fingerprintdir variable. The keys are available at http://itsecurity.net/debian_ssh_scan_v4.tar.bz2. Additionally, you can specify a file of ssh hostkey fingerprints, one per line, and the script will report if the hostkey matches one of the provided fingerprints.

  Sample usage:
    nmap -p 22 --script ssh-vuln-hostkey --script-args fingerprintdir=<directory with vulnerable fingerprints> <target>

  Sample output:
    22/tcp open ssh syn-ack
    | ssh-vuln-hostkey:
    |   Weak hostkeys:
    |_    2048 6d:cd:2a:8b:dc:3e:e0:92:00:47:59:16:8c:8b:17:70 (RSA)

ssh-publickey-acceptance: This script takes a table of paths to private keys, passphrases, and usernames and checks each pair to see if the target ssh server accepts them for publickey authentication. If no keys are given or the known-bad option is given, the script will check if a list of known static public keys are accepted for authentication.

  Sample usage:
    nmap -p 22 --script ssh-publickey-acceptance --script-args "ssh.usernames={'root', 'user'}, ssh.privatekeys={'./id_rsa1', './id_rsa2'}, known-bad=true" <target>

  Sample output:
    22/tcp open ssh syn-ack
    | ssh-publickey-acceptance:
    |   Accepted Public Keys:
    |_    Key ./id_rsa1 accepted for user root

run-remote: Runs a remote command on the ssh server and returns the command output.

  Sample usage:
    nmap -p 22 -v -d --script=run-remote --datadir=./ --script-args="run-remote.cmd=ls -l /, run-remote.username=myusername, run-remote.password=mypassword" <target>

  Sample output:
    22/tcp open ssh syn-ack 0
    | run-remote:
    |   output:
    |     total 124
    |     drwxr-xr-x 2 root root 4096 Jun 23 09:34 bin
    |     drwxr-xr-x 3 root root 4096 Jun 19 12:42 boot
    |     ...
    |_    drwxr-xr-x 14 root root 4096 Jun 6 14:58 var

I hope you find these scripts useful. Let me know what you think and if you have any suggestions for improvements or more ideas. Also, if you hear about any static public keys not in publickeydb (in nselib/data/publickeydb) on routers, load balancers, etc. let me know. My work pace will probably be a bit slower with school and now that Google Summer of Code is officially over, but I'm going to keep making improvements.
Cheers,
Devin Bjelland

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
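A worked version of the fingerprint matching that ssh-vuln-hostkey is described as doing (a host key compared against a file of fingerprints, one per line, reported in the "2048 6d:cd:... (RSA)" style of the sample output), written as a stand-alone Python script rather than NSE Lua. This is an added example, not code from the post or the nmap-libssh2 branch; it assumes the OpenSSH "ssh-rsa AAAA..." public-key line format and MD5 colon-separated fingerprints, and both the sample key (a made-up 2048-bit modulus) and the fingerprint list are constructed inline.

```python
import base64, hashlib, struct

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:              # keep the mpint positive
        raw = b"\x00" + raw
    return _ssh_string(raw)

def build_rsa_pubkey_line(e: int, n: int) -> str:
    """Encode (e, n) as an OpenSSH 'ssh-rsa AAAA...' line (blob: type, e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def parse_pubkey_line(line: str):
    """Return (keytype, raw blob, [blob fields]) from an OpenSSH public-key line."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if fields[0] != keytype.encode():
        raise ValueError("key type field does not match blob")
    return keytype, blob, fields

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the key blob, the form ssh-vuln-hostkey prints."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def load_fingerprint_list(text: str) -> set:
    """One fingerprint per line; blank lines and '#' comments are ignored."""
    return {l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")}

def check_hostkey(pubkey_line: str, weak_list_text: str):
    """Return ('<bits> <fingerprint> (RSA)', matched) for an ssh-rsa key line."""
    keytype, blob, fields = parse_pubkey_line(pubkey_line)
    bits = int.from_bytes(fields[2], "big").bit_length()  # modulus n is the 3rd field
    fp = md5_fingerprint(blob)
    label = f"{bits} {fp} ({keytype.split('-', 1)[1].upper()})"
    return label, fp in load_fingerprint_list(weak_list_text)
# Constructed sample: a made-up 2048-bit modulus, not a real or known-weak host key.
SAMPLE_KEY = build_rsa_pubkey_line(65537, (1 << 2047) | 0x10001)
# Constructed fingerprint list in the one-per-line format the script reads.
WEAK_LIST = "# constructed list\n" + md5_fingerprint(parse_pubkey_line(SAMPLE_KEY)[1]) + "\n"
```

Running check_hostkey(SAMPLE_KEY, WEAK_LIST) returns the report label and True, since the constructed list contains the sample key's own fingerprint; swap in the contents of a real fingerprint file and the public key from your own server's ssh_host_rsa_key.pub to audit a host you administer.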