Nmap Development mailing list archives
bug in SSH-hostkey script
From: dan farmer <zen () fish2 com>
Date: Sat, 27 Jul 2013 11:19:10 -0700
Best illustrated by example… this seems to exist at least in v6 of nmap, I've tried 6.01 (centos linux v 6.2) and 6.25 (mac/mountain lion, via brew version.) I searched for the string ("SSH-hostkey: ERROR: Script execution failed (use -d to debug)") on google and got zero hits, so…

By itself it works with no problem (this is a live internet host, not mine, where I discovered it on a test scan):

$ nmap -v -n -sV -p 22 203.15.106.34

Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-27 09:55 PDT
NSE: Loaded 19 scripts for scanning.
Initiating Ping Scan at 09:55
Scanning 203.15.106.34 [2 ports]
Completed Ping Scan at 09:55, 0.22s elapsed (1 total hosts)
Initiating Connect Scan at 09:55
Scanning 203.15.106.34 [1 port]
Discovered open port 22/tcp on 203.15.106.34
Completed Connect Scan at 09:55, 0.22s elapsed (1 total ports)
Initiating Service scan at 09:55
Scanning 1 service on 203.15.106.34
Completed Service scan at 09:55, 0.84s elapsed (1 service on 1 host)
NSE: Script scanning 203.15.106.34.
Nmap scan report for 203.15.106.34
Host is up (0.22s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 1.99)

Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds

Now add the SSH-hostkey stuff:

$ nmap --script SSH-hostkey --script-args ssh_hostkey=full -n -v -sV -p 22 203.15.106.34

Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-27 09:55 PDT
NSE: Loaded 20 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 09:55
Scanning 203.15.106.34 [2 ports]
Completed Ping Scan at 09:55, 0.22s elapsed (1 total hosts)
Initiating Connect Scan at 09:55
Scanning 203.15.106.34 [1 port]
Discovered open port 22/tcp on 203.15.106.34
Completed Connect Scan at 09:55, 0.22s elapsed (1 total ports)
Initiating Service scan at 09:55
Scanning 1 service on 203.15.106.34
Completed Service scan at 09:55, 0.85s elapsed (1 service on 1 host)
NSE: Script scanning 203.15.106.34.
Initiating NSE at 09:55
Completed NSE at 09:56, 8.30s elapsed
Nmap scan report for 203.15.106.34
Host is up (0.22s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 1.99)
|_SSH-hostkey: ERROR: Script execution failed (use -d to debug)

NSE: Script Post-scanning.
Initiating NSE at 09:56
Completed NSE at 09:56, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.69 seconds

And now, with the -d flag as suggested above - interestingly, this one reports correctly, but still throws an error:

$ nmap -d --script SSH-hostkey --script-args ssh_hostkey=full -n -v -sV -p 22 203.15.106.34

Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-27 11:16 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
NSE: Loaded 20 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating Ping Scan at 11:16
Scanning 203.15.106.34 [2 ports]
Completed Ping Scan at 11:16, 0.22s elapsed (1 total hosts)
Overall sending rates: 9.08 packets / s.
Initiating Connect Scan at 11:16
Scanning 203.15.106.34 [1 port]
Discovered open port 22/tcp on 203.15.106.34
Completed Connect Scan at 11:16, 0.22s elapsed (1 total ports)
Overall sending rates: 4.54 packets / s.
Initiating Service scan at 11:16
Scanning 1 service on 203.15.106.34
Completed Service scan at 11:16, 0.84s elapsed (1 service on 1 host)
NSE: Script scanning 203.15.106.34.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting SSH-hostkey against 203.15.106.34:22.
Initiating NSE at 11:16
NSE: SSH-hostkey against 203.15.106.34:22 threw an error!
/usr/local/bin/../share/nmap/nselib/base64.lua:138: attempt to get length of local 'bdata' (a nil value)
stack traceback:
	/usr/local/bin/../share/nmap/nselib/base64.lua:138: in function 'enc'
	/usr/local/bin/../share/nmap/scripts/SSH-hostkey.nse:154: in function </usr/local/bin/../share/nmap/scripts/SSH-hostkey.nse:122>
	(...tail calls...)

Completed NSE at 11:16, 8.27s elapsed
Nmap scan report for 203.15.106.34
Host is up, received syn-ack (0.22s latency).
Scanned at 2013-07-27 11:16:30 PDT for 10s
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 4.3 (protocol 1.99)
Final times for host: srtt: 219777 rttvar: 123712 to: 714625

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting SSH-hostkey.
Initiating NSE at 11:16
NSE: Finished SSH-hostkey.
Completed NSE at 11:16, 0.00s elapsed
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.65 seconds

Results replicated pretty identically on an internal openssh-1.2.2 server on centos linux v 6.2.

FYI -

dan

¸¸.·´¯`·.¸><(((º>

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
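Added example, not part of Dan's post and not code from Nmap: a small Python parser that pulls NSE script failures out of nmap output in both forms shown above, the bare "|_script: ERROR: Script execution failed" port line from a normal run and the Lua traceback that only -d prints, and reports the first traceback frame inside the .nse file (here SSH-hostkey.nse:154) so a triager knows where in the script to look. The sample log is constructed from the output quoted in the post.

```python
import re

# Constructed sample, modelled on the nmap 6.25 output quoted in the post above.
SAMPLE_LOG = """\
NSE: SSH-hostkey against 203.15.106.34:22 threw an error!
/usr/local/bin/../share/nmap/nselib/base64.lua:138: attempt to get length of local 'bdata' (a nil value)
stack traceback:
\t/usr/local/bin/../share/nmap/nselib/base64.lua:138: in function 'enc'
\t/usr/local/bin/../share/nmap/scripts/SSH-hostkey.nse:154: in function </usr/local/bin/../share/nmap/scripts/SSH-hostkey.nse:122>
Completed NSE at 11:16, 8.27s elapsed
|_SSH-hostkey: ERROR: Script execution failed (use -d to debug)
"""
# With -d nmap prints "NSE: <script> against <host>:<port> threw an error!" plus a Lua
# traceback; without -d only the "|_<script>: ERROR: ..." port line appears.
THREW_RE = re.compile(r"^NSE: (?P<script>\S+) against (?P<host>[^\s:]+):(?P<port>\d+) threw an error!$")
FRAME_RE = re.compile(r"^\s*(?P<path>\S+?):(?P<line>\d+): in function (?P<func>.+)$")
PORTLINE_RE = re.compile(r"^\s*\|_(?P<script>[^:]+): ERROR: Script execution failed")


def parse_nse_failures(log_text):
    """Return one dict per NSE script failure found in the given nmap output."""
    lines, failures, i = log_text.splitlines(), [], 0
    while i < len(lines):
        m = THREW_RE.match(lines[i])
        if m:
            rec = {"script": m["script"], "host": m["host"], "port": int(m["port"]), "debug": True,
                   "message": lines[i + 1].strip() if i + 1 < len(lines) else "", "frames": []}
            i += 2
            # Traceback frames follow until nmap reports the script run as completed.
            while i < len(lines) and not lines[i].startswith("Completed NSE"):
                f = FRAME_RE.match(lines[i])
                if f:  # keep (basename, line, function) for each frame
                    rec["frames"].append((f["path"].rsplit("/", 1)[-1], int(f["line"]), f["func"]))
                i += 1
            failures.append(rec)
            continue
        m = PORTLINE_RE.match(lines[i])
        if m:
            failures.append({"script": m["script"].strip(), "host": None, "port": None, "debug": False,
                             "message": "Script execution failed (use -d to debug)", "frames": []})
        i += 1
    return failures


def script_frame(failure):
    """First traceback frame inside a .nse file: the line in the script to look at."""
    for name, line, _func in failure["frames"]:
        if name.endswith(".nse"):
            return name, line
    return None
```

Feed it the full -d output of a scan and it gives one record per failing script, with the library frame (base64.lua:138 in 'enc') and the script frame separated, which is the information a bug report like this one needs.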