Nmap Development mailing list archives

bug in SSH-hostkey script
From: dan farmer <zen () fish2 com>
Date: Sat, 27 Jul 2013 11:19:10 -0700

Best illustrated by example… this seems to exist at least in v6 of nmap, I've tried 6.01 (centos linux v 6.2) and 6.25 (mac/mountain lion, via brew version.) I searched for the string ("SSH-hostkey: ERROR: Script execution failed (use -d to debug)") on google and got zero hits, so…

By itself it works with no problem (this is a live internet host, not mine, where I discovered it on a test scan):

$ nmap -v -n -sV -p 22 203.15.106.34

Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-27 09:55 PDT
NSE: Loaded 19 scripts for scanning.
Initiating Ping Scan at 09:55
Scanning 203.15.106.34 [2 ports]
Completed Ping Scan at 09:55, 0.22s elapsed (1 total hosts)
Initiating Connect Scan at 09:55
Scanning 203.15.106.34 [1 port]
Discovered open port 22/tcp on 203.15.106.34
Completed Connect Scan at 09:55, 0.22s elapsed (1 total ports)
Initiating Service scan at 09:55
Scanning 1 service on 203.15.106.34
Completed Service scan at 09:55, 0.84s elapsed (1 service on 1 host)
NSE: Script scanning 203.15.106.34.
Nmap scan report for 203.15.106.34
Host is up (0.22s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 1.99)

Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds

Now add the SSH-hostkey stuff:

$ nmap --script SSH-hostkey --script-args ssh_hostkey=full  -n -v -sV -p 22 203.15.106.34

Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-27 09:55 PDT
NSE: Loaded 20 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 09:55
Scanning 203.15.106.34 [2 ports]
Completed Ping Scan at 09:55, 0.22s elapsed (1 total hosts)
Initiating Connect Scan at 09:55
Scanning 203.15.106.34 [1 port]
Discovered open port 22/tcp on 203.15.106.34
Completed Connect Scan at 09:55, 0.22s elapsed (1 total ports)
Initiating Service scan at 09:55
Scanning 1 service on 203.15.106.34
Completed Service scan at 09:55, 0.85s elapsed (1 service on 1 host)
NSE: Script scanning 203.15.106.34.
Initiating NSE at 09:55
Completed NSE at 09:56, 8.30s elapsed
Nmap scan report for 203.15.106.34
Host is up (0.22s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 1.99)
|_SSH-hostkey: ERROR: Script execution failed (use -d to debug)

NSE: Script Post-scanning.
Initiating NSE at 09:56
Completed NSE at 09:56, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.69 seconds

And now, with the -d flag as suggested above - interestingly, this one reports correctly, but still throws an error:

$ nmap -d --script SSH-hostkey --script-args ssh_hostkey=full  -n -v -sV -p 22 203.15.106.34

Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-27 11:16 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
NSE: Loaded 20 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating Ping Scan at 11:16
Scanning 203.15.106.34 [2 ports]
Completed Ping Scan at 11:16, 0.22s elapsed (1 total hosts)
Overall sending rates: 9.08 packets / s.
Initiating Connect Scan at 11:16
Scanning 203.15.106.34 [1 port]
Discovered open port 22/tcp on 203.15.106.34
Completed Connect Scan at 11:16, 0.22s elapsed (1 total ports)
Overall sending rates: 4.54 packets / s.
Initiating Service scan at 11:16
Scanning 1 service on 203.15.106.34
Completed Service scan at 11:16, 0.84s elapsed (1 service on 1 host)
NSE: Script scanning 203.15.106.34.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting SSH-hostkey against 203.15.106.34:22.
Initiating NSE at 11:16
NSE: SSH-hostkey against 203.15.106.34:22 threw an error!
/usr/local/bin/../share/nmap/nselib/base64.lua:138: attempt to get length of local 'bdata' (a nil value)
stack traceback:
        /usr/local/bin/../share/nmap/nselib/base64.lua:138: in function 'enc'
        /usr/local/bin/../share/nmap/scripts/SSH-hostkey.nse:154: in function </usr/local/bin/../share/nmap/scripts/SSH-hostkey.nse:122>
        (...tail calls...)

Completed NSE at 11:16, 8.27s elapsed
Nmap scan report for 203.15.106.34
Host is up, received syn-ack (0.22s latency).
Scanned at 2013-07-27 11:16:30 PDT for 10s
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 4.3 (protocol 1.99)
Final times for host: srtt: 219777 rttvar: 123712  to: 714625

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting SSH-hostkey.
Initiating NSE at 11:16
NSE: Finished SSH-hostkey.
Completed NSE at 11:16, 0.00s elapsed
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.65 seconds

Results replicated pretty identically on an internal openssh-1.2.2 server on centos linux v 6.2. 

FYI -

dan

¸¸.·´¯`·.¸><(((º>
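As an added example (not part of Dan's mail or of the nmap project), a Python parser that pulls the NSE script failure out of `nmap -d` output like the run above, so a scanning pipeline records "script crashed on this host" instead of silently treating it as a host with no key; the sample text is constructed from the lines quoted in the mail, with the wrapped traceback line re-joined.

```python
import re

# Constructed sample: the NSE lines from the `nmap -d` run in the report above
# (script name, target and traceback copied from it; wrapped line re-joined).
SAMPLE_DEBUG_OUTPUT = """\
NSE: SSH-hostkey against 203.15.106.34:22 threw an error!
/usr/local/bin/../share/nmap/nselib/base64.lua:138: attempt to get length of local 'bdata' (a nil value)
stack traceback:
        /usr/local/bin/../share/nmap/nselib/base64.lua:138: in function 'enc'
        /usr/local/bin/../share/nmap/scripts/SSH-hostkey.nse:154: in function </usr/local/bin/../share/nmap/scripts/SSH-hostkey.nse:122>
        (...tail calls...)

22/tcp open  ssh     syn-ack OpenSSH 4.3 (protocol 1.99)
|_SSH-hostkey: ERROR: Script execution failed (use -d to debug)
"""

THREW_RE = re.compile(r"^NSE: (?P<script>\S+) against (?P<target>\S+) threw an error!$")
LOCATION_RE = re.compile(r"^(?P<file>\S+?):(?P<line>\d+): (?P<message>.*)$")
SUMMARY_RE = re.compile(r"^\|_(?P<script>[\w-]+): ERROR: Script execution failed")

def parse_nse_errors(text: str) -> list[dict]:
    """One record per 'threw an error!' block: script, target, Lua error site,
    message and traceback frames (a failed script is not 'no host key')."""
    errors = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = THREW_RE.match(lines[i])
        i += 1
        if not m:
            continue
        rec = {"script": m["script"], "target": m["target"], "frames": []}
        # The marker is followed by "<file>:<line>: <message>" ...
        loc = LOCATION_RE.match(lines[i]) if i < len(lines) else None
        if loc:
            rec["file"] = loc["file"].rsplit("/", 1)[-1]  # basename only
            rec["line"] = int(loc["line"])
            rec["message"] = loc["message"]
            i += 1
        # ... then "stack traceback:" and one frame per line up to a blank line.
        if i < len(lines) and lines[i].startswith("stack traceback:"):
            i += 1
            while i < len(lines) and lines[i].strip():
                rec["frames"].append(lines[i].strip())
                i += 1
        errors.append(rec)
    return errors

def failed_scripts_without_debug(text: str) -> list[str]:
    """Script names from the one-line '|_script: ERROR ...' form printed without -d."""
    return [m["script"] for m in map(SUMMARY_RE.match, text.splitlines()) if m]
```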
