Re: Inconsistent results from nmap --script=ssh-hostkey.nse

[Daniel Miller <bonsaiviking () gmail com>]

On Wed, Apr 15, 2015 at 1:46 PM, Terrance Roddy <Terrance.Roddy () walmart com>
wrote:

>  I am using your excellent nmap tool for internal penetration testing of
> (segments of) our enormous internal network.
>
> I recently encountered a situation where the identical nmap command
> returns different results, and even the results that return are sometimes
> malformed.
>
> Platform information:
>
> I am running my tests from Kali Linux 1.0.9
> nmap –V
> Nmap version 6.47 ( *http://nmap.org* <http://nmap.org> )
> Platform: i686-pc-linux-gnu
> Compiled with: nmap-liblua-5.2.3 openssl-1.0.13 libpcre-8.30 libpcap-1.3.0
> namp-libdnet-1.12 ipvx
> Compiled without:
> Available nsock engines: epoll poll select
>
>
> I am running this against an entire list of IP addresses, but have
> simplified it down to a single address:
>
> sudo nmap –script=ssh-hostkey.nse –sS –sV --open \
>         -p
> T:22,T:1026,T:1027,T:1028,T:1029,T:1030,T:1033,T:1035,T:2000,T:5060 \
>         29.161.17.1
>
> Two consecutive runs produced the following (URL-Obfuscated) outputs:
>
> *Starting Nmap 6.47 ( **http://nmap.org* <http://nmap.org>* ) at
> 2015-04-15 09:18 CDT*
> *Nmap scan report for Obfuscated.URL.com <http://Obfuscated.URL.com>
> (29.161.17.1)*
> *Host is up (0.15s latency).*
> *Not shown: 8 closed ports*
> *PORT     STATE  SERVICE   VERSION*
> *22/tcp   open   ssh       Cisco SSH 1.25 (protocol 2.0)*
> *| ssh-hostkey:*
> *|   1024 c2:e5:67:b5:4a:cc:2c:eb:7c:98:c6:7d:16:21:d5:df (RSA)*
> *5060/tcp open   sip-proxy Cisco SIP Gateway (IOS 12.x)*
> *Service Info: OS: IOS; Device: router; CPE: cpe:/o:cisco:ios*
>
> *Service detection performed. Please report any incorrect results at *
> *http://nmap.org/submit* <http://nmap.org/submit>
> *Nmap done: 1 IP address (1 host up) scanned in 28.86 seconds*
>
>
> *Starting Nmap 6.47 ( **http://nmap.org* <http://nmap.org>* ) at
> 2015-04-15 09:19 CDT*
> *Nmap scan report for Obfuscated.URL.com <http://Obfuscated.URL.com>
> (29.161.17.1)*
> *Host is up (0.15s latency).*
> *Not shown: 8 closed ports*
> *PORT     STATE  SERVICE   VERSION*
> *22/tcp   open   ssh       Cisco SSH 1.25 (protocol 2.0)*
> *| ssh-hostkey:*
> *5060/tcp open   sip-proxy Cisco SIP Gateway (IOS 12.x)*
> *Service Info: OS: IOS; Device: router; CPE: cpe:/o:cisco:ios*
>
> *Service detection performed. Please report any incorrect results at *
> *http://nmap.org/submit* <http://nmap.org/submit>
> *Nmap done: 1 IP address (1 host up) scanned in 28.59 seconds*
>
>
> Whether or not the RSA (and for that matter, the DSA) key-signature is
> returned seems to be entirely random.
>
> Very rarely, the script fails at that point with an error (which appears
> in some of the bug-feedback threads):
> |_ssh-hostkey: ERROR: Script execution failed (use –d to debug)
>
> However, none of the commentary about the ssh-hostkey.nse ERROR includes
> any information about random failure to display one or both hostkey
> signatures.
>
> I have tried running without the –-open (same result, more noise in
> output), and with the –d flag (much output that I do not understand, but
> essentially the same key result: sometimes the key is displayed, sometimes
> not).
> Since I am performing these tests on a restricted-access secure
> environment, I have difficulty copying the debug output into this email
> (all samples above were hand-typed from visible screen displays), but could
> probably find a way to do that if it would honestly be helpful.
Terrance,

Thanks for the bug report. There have been a few changes made to the
ssh-hostkey script and the ssh1.lua and ssh2.lua libraries it uses since
the 6.47 release. Unfortunately, I can't really distill them into a patch
that does not also depend on several unrelated changes in NSE. I'll put a
summary of changes at the end.

For debugging your current situation, it would be helpful to have the
output of a problematic run with the -d and --script-trace options.

Dan

P.S. Here's the summary of changes since 6.47:

* Support diffie-hellman-group14-sha1 in ssh2.lua. The lack of support
caused the script to crash when scanning OpenSSH 6.7 or any SSH server that
didn't support diffie-hellman-group1-sha1

* Fixed a couple bugs causing crashes and corrupted output when SSH1 was in
use: http://seclists.org/nmap-dev/2014/q4/332

* Fixed a check for number of host keys that resulted in empty output (like
you saw). When no keys are found, the script produces no output.

* We now do a banner check to determine that the service is indeed SSH
before trying to enumerate the host key types. This saves some work when
tcpwrappers is denying access.

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/