
Nmap Development mailing list archives
Re: [NSE] find-ssh-hostkey script
From: Nick Nikolaou <nikolasnikolaou1 () gmail com>
Date: Fri, 11 Mar 2011 02:01:31 +0000
> Now, if we add prescript.nse to the default category, Nmap will no longer produce a listing of command line parameters when it is run without parameters. This is undesired, and thus no prescripts could ever be added to the default category. I am not sure if this is good or bad, but it certainly is how it works at the moment.

That makes sense, thanks. Dion's alternative idea of using the script to verify host-hostkey pairings seems like a good way to go. Maybe using an argument to read hosts and keys from a list and print a warning if something has changed.

On 10 March 2011 15:44, Toni Ruottu <toni.ruottu () iki fi> wrote:
> I could have been a bit more accurate. To this email I have attached a dummy prerule script prescript.nse that does nothing. When I run nmap without any parameters, it prints a listing of command line options to the screen. On the other hand, if I run the attached script, nmap will produce a scan result as follows...
>
> cyberix@eval:~/opt/nmap/bin$ ./nmap --script prescript
> Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-03-10 17:41 EET
> WARNING: No targets were specified, so 0 hosts scanned.
> Nmap done: 0 IP addresses (0 hosts up) scanned in 0.05 seconds
>
> Now, if we add prescript.nse to the default category, Nmap will no longer produce a listing of command line parameters when it is run without parameters. This is undesired, and thus no prescripts could ever be added to the default category. I am not sure if this is good or bad, but it certainly is how it works at the moment.
>
> On Thu, Mar 10, 2011 at 2:30 PM, Nick Nikolaou <nikolasnikolaou1 () gmail com> wrote:
> > > Pre scripts can probably not be in the default category, as with pre scripts you do not need to specify targets on the command line, but normally we would want to give an error, if the user does not specify one.
> >
> > My understanding of the prerule is a bit hazy. Couldn't we make it that if the user doesn't specify an argument the script doesn't do anything and just prints a debug message saying that the script is skipped because no argument was given? Is there a way to use a prerule script only to identify a specific host (from a large block) and perform a scan specified by the user? (-sC, -sV)
> >
> > On 9 March 2011 17:59, Dion Stempfley <dion.stempfley () gmail com> wrote:
> > > Another thought is if I know a pairing of host,ssh-host-key then I can validate that the ssh-host-key hasn't been modified or that the pairing is still valid. Could possibly establish that nobody switched hosts for some reason.
> >
> > By host you mean IP address?
> >
> > On 9 March 2011 17:59, Dion Stempfley <dion.stempfley () gmail com> wrote:
> > > Another thought is if I know a pairing of host,ssh-host-key then I can validate that the ssh-host-key hasn't been modified or that the pairing is still valid. Could possibly establish that nobody switched hosts for some reason.
> > >
> > > On Wed, Mar 9, 2011 at 10:20 AM, Nick Nikolaou <nikolasnikolaou1 () gmail com> wrote:
> > > > > nmap -sC --script-args newtargets,sshtarget=AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:AB:CD
> > > > > (The script could be in default category, and just do nothing unless there is an sshtarget specification in the argument list.)
> > > >
> > > > That's a good idea. I didn't think of that but it's a good example of how the script can be used.
> > > >
> > > > > Is this the type of usage you had in mind
> > > >
> > > > My original idea was to have a way to uniquely identify a host regardless of IP address. For example it could be useful to a pen-tester working on a specific machine in a dynamic IP address environment. I understand that the same thing can be achieved by getting all the machines' SSH keys, saving them in an output file and using grep to get the specific machine's IP address, but there may be cases that the script would simplify this process. (For example scanning using Zenmap?)
> > > >
> > > > Another way of going about this could be adding another parameter to the existing ssh-hostkey script. Since the script already gets the keys and adds them to the nmap registry, it could search for the specific key if that parameter is passed.
> > > >
> > > > Nick
> > > >
> > > > On 9 March 2011 14:41, Toni Ruottu <toni.ruottu () iki fi> wrote:
> > > > > Seems useful, yet I am not sure I fully understand the use case behind this, and if it would be better to have one script for this, or to have multiple scripts that can be combined to do the job.
> > > > >
> > > > > The most obvious use case I can come up with for this type of script is one where I would want to perform a port scan on a host that has a certain ssh key. I could be the admin of a company that has lots of laptops, and a dhcp server that assigns IP addresses to those laptops dynamically. All laptops have an ssh daemon in place for remote administration. Now the CEO calls me and says there is something wrong with his laptop. Instead of asking him to figure out the IP address of his computer, I simply look up a database of ssh keys, and define the scan target by the ssh key.
> > > > >
> > > > > nmap -sC --script-args newtargets,sshtarget=AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:AB:CD
> > > > >
> > > > > (The script could be in default category, and just do nothing unless there is an sshtarget specification in the argument list.)
> > > > >
> > > > > Running the command would use the pre script to locate the machine, and add it to scan targets. Nmap would then scan the host, and tell me the ip address of the host and services running on it. Maybe some script could identify a virus on that machine. If one does not want to perform a full port scan on the host one could set the scan type to ping scan.
> > > > >
> > > > > Is this the type of usage you had in mind? This is just the picture I got. Maybe I misunderstood something.
> > > > >
> > > > > On Tue, Mar 8, 2011 at 6:45 PM, Nick Nikolaou <nikolasnikolaou1 () gmail com> wrote:
> > > > > > Hey everyone,
> > > > > >
> > > > > > Attached is a script I wrote that attempts to identify a host given its SSH hostkey as an argument. I got the idea from Fyodor's presentation.
> > > > > >
> > > > > > -- @usage
> > > > > > -- nmap --script=find-ssh-hostkey --script-args fingerprint=AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:AB:CD
> > > > > > --
> > > > > > -- @output
> > > > > > -- 22/tcp open ssh
> > > > > > -- |_find-ssh-hostkey: Key found.
> > > > > >
> > > > > > After (limited) testing it seems to work. I don't have access to many machines running SSH so I can't test it thoroughly. The script name can be confusing since it's very similar to other scripts that show the host's SSH key, so feel free to change it to something more meaningful.
> > > > > >
> > > > > > I hope you find it useful. Any comments are more than welcome.
> > > > > >
> > > > > > Nick
> > > > > >
> > > > > > _______________________________________________
> > > > > > Sent through the nmap-dev mailing list
> > > > > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > > > > Archived at http://seclists.org/nmap-dev/
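The two ideas argued over in this thread, locating a host by its SSH host-key fingerprint (Toni's DHCP scenario) and checking a recorded host/key pairing list for keys that changed or moved (Dion's suggestion, which Nick picks up), as an added Python example. This is not code from the thread, from the attached find-ssh-hostkey script, or from Nmap's ssh-hostkey; it works on (host, key) pairs that a scan is assumed to have collected, uses the colon-separated MD5 fingerprint form the thread quotes, and the host addresses and key blobs are constructed, not real keys.

```python
import base64
import hashlib

# Constructed sample host keys: the base64 blobs are NOT real SSH keys, just
# arbitrary bytes so that fingerprint_md5() has something to hash.
KEY_CEO = base64.b64encode(b"constructed-key-ceo-laptop").decode()
KEY_FILESERVER = base64.b64encode(b"constructed-key-fileserver").decode()
KEY_OLDBOX = base64.b64encode(b"constructed-key-oldbox").decode()
KEY_ROGUE = base64.b64encode(b"constructed-key-rogue").decode()
KEY_NEW = base64.b64encode(b"constructed-key-newbox").decode()


def fingerprint_md5(key_b64):
    """Colon-separated MD5 fingerprint of a base64 host-key blob, i.e. the
    AB:CD:EF:... form used in the thread (ssh-keygen -l -E md5 prints the
    same digest in lower case; comparison here is case-insensitive)."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()


def find_hosts_by_fingerprint(observed, wanted):
    """Toni's use case: return the observed hosts whose key matches `wanted`.
    `observed` is a list of (host, base64 key) pairs as a scan would collect."""
    wanted = wanted.upper()
    return sorted(host for host, key in observed if fingerprint_md5(key) == wanted)


def check_pairings(expected, observed):
    """Dion's idea: validate a recorded host -> fingerprint mapping against
    fresh scan results.

    Report keys:
      ok       hosts presenting the expected key
      changed  (host, expected_fp, seen_fp): same address, different key
      moved    (old_host, new_host): an expected key showed up on a new address
      missing  expected hosts not seen at all
      unknown  observed hosts whose key we have no record of
    """
    seen = {host: fingerprint_md5(key) for host, key in observed}
    expected = {host: fp.upper() for host, fp in expected.items()}
    host_for_fp = {fp: host for host, fp in expected.items()}
    report = {"ok": [], "changed": [], "moved": [], "missing": [], "unknown": []}
    for host, fp in expected.items():
        if host not in seen:
            report["missing"].append(host)
        elif seen[host] == fp:
            report["ok"].append(host)
        else:
            report["changed"].append((host, fp, seen[host]))
    for host, fp in seen.items():
        if host in expected:
            continue  # already classified above
        if fp in host_for_fp:
            report["moved"].append((host_for_fp[fp], host))
        else:
            report["unknown"].append(host)
    return report


# Constructed scenario: the pairings recorded on an earlier scan ...
EXPECTED = {
    "10.0.0.5": fingerprint_md5(KEY_CEO),
    "10.0.0.6": fingerprint_md5(KEY_FILESERVER),
    "10.0.0.7": fingerprint_md5(KEY_OLDBOX),
}
# ... and what a fresh scan of the same network returned.
OBSERVED = [
    ("10.0.0.5", KEY_CEO),       # unchanged
    ("10.0.0.6", KEY_ROGUE),     # fileserver address now answers with a different key
    ("10.0.0.9", KEY_OLDBOX),    # the old box's key reappeared on a new DHCP lease
    ("10.0.0.10", KEY_NEW),      # never seen before
]

if __name__ == "__main__":
    print("CEO laptop is at:", find_hosts_by_fingerprint(OBSERVED, fingerprint_md5(KEY_CEO)))
    for kind, entries in check_pairings(EXPECTED, OBSERVED).items():
        print(f"{kind:8s} {entries}")
```

The "changed" bucket is the one worth alerting on: a known address answering with a key you have not recorded is exactly the pairing break Dion wants to catch, whereas "moved" is what the DHCP scenario expects to see and "unknown" is simply inventory drift.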
Current thread:
- [NSE] find-ssh-hostkey script Nick Nikolaou (Mar 08)
- Re: [NSE] find-ssh-hostkey script Toni Ruottu (Mar 09)
- Re: [NSE] find-ssh-hostkey script Nick Nikolaou (Mar 09)
- Re: [NSE] find-ssh-hostkey script Toni Ruottu (Mar 09)
- Re: [NSE] find-ssh-hostkey script Dion Stempfley (Mar 09)
- Re: [NSE] find-ssh-hostkey script Nick Nikolaou (Mar 10)
- Re: [NSE] find-ssh-hostkey script Toni Ruottu (Mar 10)
- Re: [NSE] find-ssh-hostkey script Nick Nikolaou (Mar 10)
- Re: [NSE] find-ssh-hostkey script Toni Ruottu (Mar 10)
- Re: [NSE] find-ssh-hostkey script Nick Nikolaou (Mar 11)
- Re: [NSE] find-ssh-hostkey script Toni Ruottu (Mar 12)
- Re: [NSE] find-ssh-hostkey script Patrik Karlsson (Mar 12)
- Re: [NSE] find-ssh-hostkey script Nick Nikolaou (Mar 09)
- Re: [NSE] find-ssh-hostkey script Toni Ruottu (Mar 09)