
[NSE script] SSH1 Hostkey


From: Sven Klemm <sven () c3d2 de>
Date: Sun, 03 Aug 2008 17:53:59 +0200

Hi,

I've attached a script that shows the SSH1 hostkey. I am also working on a script for SSH2 hostkeys but it's not yet ready.

The script requires the Lua OpenSSL bindings (the `openssl` NSE library), which it uses to convert the host key's exponent and modulus to decimal.

Cheers,
Sven

--
Sven Klemm
http://cthulhu.c3d2.de/~sven/


-- NSE script metadata. Tagged "safe": the script only completes the SSH1
-- version exchange and reads the server's first packet, it never authenticates.
id = "SSH1-Hostkey"
author = "Sven Klemm <sven () c3d2 de>"
description = "Show SSH1 Hostkey"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
categories = {"safe"}

require("stdnse")
require("shortport")
require("openssl")
require("bin")

-- Run against port 22 or any port the service scan identified as ssh.
portrule = shortport.port_or_service(22, "ssh")

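-- Message type of the first packet an SSH1 server sends after the version
-- exchange (SSH_SMSG_PUBLIC_KEY).
local SSH_SMSG_PUBLIC_KEY = 2

-- Largest payload length we are willing to buffer. The historic SSH1 draft
-- limits a packet to 262144 bytes; a server advertising more is not sending a
-- key packet and would otherwise make us keep reading (and concatenating)
-- attacker-controlled data.
local MAX_PACKET_LENGTH = 262144

--- Read one SSH1 binary packet from the socket, reading again until the whole
-- packet is buffered (a single receive() may return only part of it).
--
-- SSH1 packet layout: 4-byte big-endian payload length (padding excluded),
-- 1..8 bytes of padding so that padding+payload is a multiple of 8, then the
-- payload: type byte, message fields, 4-byte CRC32.
--
-- @param socket connected nmap socket, banner exchange already done
-- @return data, payload_start, payload_end -- the buffered bytes and 1-based
--         offsets of the payload without its trailing CRC; nil when the
--         stream ends early or the advertised length is implausible
local function read_ssh1_packet( socket )
  local data = ""
  -- collect the 4-byte length field first
  while data:len() < 4 do
    local status, chunk = socket:receive()
    if not status then return nil end
    data = data .. chunk
  end
  local _, packet_length = bin.unpack( ">i", data )
  -- ">i" is signed, so a bogus length can come back negative; a real payload
  -- holds at least the type byte and the CRC
  if packet_length < 5 or packet_length > MAX_PACKET_LENGTH then return nil end
  local padding = 8 - packet_length % 8
  local total = 4 + padding + packet_length
  while data:len() < total do
    local status, chunk = socket:receive()
    if not status then return nil end
    data = data .. chunk
  end
  -- the payload starts after length + padding; its last 4 bytes are the CRC,
  -- which this script does not verify
  return data, 4 + padding + 1, total - 4
end

--- Unpack an SSH1 multi-precision integer: 16-bit bit count followed by
-- ceil(bits/8) big-endian magnitude bytes.
-- @param data   buffered packet
-- @param offset 1-based offset of the bit-count field
-- @param limit  last byte offset that may be read
-- @return next offset and the raw magnitude bytes; nil when the field is empty
--         or would run past `limit` (bin.unpack would otherwise hand back nil
--         for a short read and crash the bignum conversion)
local function read_mpint( data, offset, limit )
  if offset + 1 > limit then return nil end
  local bits
  offset, bits = bin.unpack( ">S", data, offset )
  local nbytes = math.ceil( bits / 8 )
  if nbytes < 1 or offset + nbytes - 1 > limit then return nil end
  local raw
  offset, raw = bin.unpack( ">A" .. nbytes, data, offset )
  return offset, raw
end

--- Extract the host key from a buffered SSH_SMSG_PUBLIC_KEY payload.
-- Field order: type, cookie[8], server_key_bits, server key exponent and
-- modulus (mpints), host_key_bits, host key exponent and modulus (mpints);
-- the trailing flag/cipher/auth fields are not read.
-- @param data   buffered packet
-- @param offset 1-based offset of the type byte
-- @param limit  last payload byte before the CRC
-- @return "<bits> <exponent> <modulus>" with the integers in decimal, or nil
--         when the packet is not a well-formed public key message
local function parse_public_key( data, offset, limit )
  if offset > limit then return nil end
  local msg_code
  offset, msg_code = bin.unpack( ">c", data, offset )
  if msg_code ~= SSH_SMSG_PUBLIC_KEY then return nil end
  -- skip the 8-byte anti-spoofing cookie and the 4-byte server key size
  offset = offset + 12
  -- skip the (ephemeral) server key exponent and modulus
  offset = read_mpint( data, offset, limit )
  if not offset then return nil end
  offset = read_mpint( data, offset, limit )
  if not offset then return nil end
  if offset + 3 > limit then return nil end
  local host_key_bits, exponent, modulus
  offset, host_key_bits = bin.unpack( ">i", data, offset )
  offset, exponent = read_mpint( data, offset, limit )
  if not offset then return nil end
  offset, modulus = read_mpint( data, offset, limit )
  if not offset then return nil end
  return string.format( "%d %s %s", host_key_bits,
    openssl.bignum_bin2dec( exponent ), openssl.bignum_bin2dec( modulus ) )
end

--- Connect, complete the version exchange as an SSH 1.5 client and report the
-- server's RSA host key.
-- @param host nmap host table (host.ip is used)
-- @param port nmap port table (port.number is used)
-- @return "<bits> <exponent> <modulus>" in decimal, or nil when the server does
--         not answer with a complete, well-formed SSH_SMSG_PUBLIC_KEY
action = function( host, port )
  local socket = nmap.new_socket()
  local catch = function() socket:close() end
  local try = nmap.new_try( catch )

  try( socket:connect( host.ip, port.number ) )
  -- server version banner; it is not inspected. A server that does not speak
  -- protocol 1 presumably just drops the connection after our 1.5 banner, in
  -- which case the packet read below fails and we return nothing.
  try( socket:receive_lines( 1 ) )
  try( socket:send( "SSH-1.5-Nmap-SSH1-Hostkey\r\n" ) )

  local data, payload_start, payload_end = read_ssh1_packet( socket )
  socket:close()
  if not data then return nil end

  return parse_public_key( data, payload_start, payload_end )
end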

