Nmap ssh-hostkey NSE Script

This page contains detailed information about how to use the ssh-hostkey NSE script. For list of all NSE scripts, visit the Nmap NSE Library.

Script Overview

Script source code: https://github.com/nmap/nmap/tree/master/scripts/ssh-hostkey.nse
Script categories: safe, default, discovery
Target service / protocol: ssh
Target network port(s): 22
List of CVEs: -

Script Description

The ssh-hostkey.nse script shows SSH hostkeys.

Shows the target SSH server's key fingerprint and (with high enough verbosity level) the public key itself. It records the discovered host keys in nmap.registry for use by other scripts. Output can be controlled with the ssh_hostkey script argument.

You may also compare the retrieved key with the keys in your known-hosts file using the known-hosts argument.

The script also includes a postrule that check for duplicate hosts using the gathered keys.

Ssh-hostkey NSE Script Arguments

This is a full list of arguments supported by the ssh-hostkey.nse script:

ssh_hostkey

Controls the output format of keys. Multiple values may be given, separated by spaces. Possible values are

"full": The entire key, not just the fingerprint.
"sha256": Base64-encoded SHA256 fingerprint.
"md5": hex-encoded MD5 fingerprint (the default).
"bubble": Bubble Babble output,
"visual": Visual ASCII art representation.
"all": All of the above.

ssh-hostkey.known-hosts

If this is set, the script will check if the known hosts file contains a key for the host being scanned and will compare it with the keys that have been found by the script. The script will try to detect your known-hosts file but you can, optionally, pass the path of the file to this option.

ssh-hostkey.known-hosts-path.

Path to a known_hosts file.

- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=ssh-hostkey --script-args ssh_hostkey=value,ssh-hostkey.known-hosts=value <target>

Ssh-hostkey NSE Script Example Usage

Here's an example of how to use the ssh-hostkey.nse script:

nmap host --script ssh-hostkey --script-args ssh_hostkey=full

nmap host --script ssh-hostkey --script-args ssh_hostkey=all

nmap host --script ssh-hostkey --script-args ssh_hostkey='visual bubble'

Ssh-hostkey NSE Script Example Output

Here's a sample output from the ssh-hostkey.nse script:

22/tcp open  ssh
|  ssh-hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA)
22/tcp open  ssh
|  ssh-hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA)
|  +--[ RSA 2048]----+
|  |       .E*+      |
|  |        oo       |
|  |      . o .      |
|  |       O . .     |
|  |      o S o .    |
|  |     = o + .     |
|  |    . * o .      |
|  |     = .         |
|  |    o .          |
|_ +-----------------+
22/tcp open  ssh     syn-ack
| ssh-hostkey: Key comparison with known_hosts file:
|   GOOD Matches in known_hosts file:
|       L7: 199.19.117.60
|       L11: foo
|       L15: bar
|       L19: <unknown>
|   WRONG Matches in known_hosts file:
|       L3: 199.19.117.60
| ssh-hostkey: 2048 xuvah-degyp-nabus-zegah-hebur-nopig-bubig-difeg-hisym-rumef-cuxex (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwVuv2gcr0maaKQ69VVIEv2ob4OxnuI64fkeOnCXD1lUx5tTA+vefXUWEMxgMuA7iX4irJHy2zer0NQ3Z3yJvr5scPgTYIaEOp5Uo/eGFG9Agpk5wE8CoF0e47iCAPHqzlmP2V7aNURLMODb3jVZuI07A2ZRrMGrD8d888E2ORVORv1rYeTYCqcMMoVFmX9l3gWEdk4yx3w5sD8v501Iuyd1v19mPfyhrI5E1E1nl/Xjp5N0/xP2GUBrdkDMxKaxqTPMie/f0dXBUPQQN697a5q+5lBRPhKYOtn6yQKCd9s1Q22nxn72Jmi1RzbMyYJ52FosDT755Qmb46GLrDMaZMQ==

Post-scan script results:
| ssh-hostkey: Possible duplicate hosts
| Key 1024 60:ac:4d:51:b1:cd:85:09:12:16:92:76:1d:5d:27:6e (DSA) used by:
|   192.168.1.1
|   192.168.1.2
| Key 2048 2c:22:75:60:4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA) used by:
|   192.168.1.1
|_  192.168.1.2

Ssh-hostkey NSE Script Example XML Output

Here's a sample XML output from the ssh-hostkey.nse script produced by providing the -oX <file> Nmap option:

 <table>
   <elem key="key">ssh-dss AAAAB3NzaC1kc3MAAACBANraqxAILTygMTgFu/0snrJck8BkhOpBbN61DAZENgeulLMaJdmNFWZpvhLOJVXSqHt2TCrspbMyvpBH4Fnv7Kb+QBAhXyzeCNnOQ7OVBfqNzkfezoFrQJgOQZSEenP6sCVDqcW2j0KVumnYdPU7FGa8SLfNqA+hUOR2HSSluynFAAAAFQDWKNq4PVbpDA7UExE8JSHnWxv4AwAAAIAWEDdNu5mWfTz52IdxELNjsmn5FvKRmnhPqq/PrTkYqAADL5WYazg7POQZ4yI2nqTq++47ONDK87Wke3qbeIhMrV13Mrgf2JuCUSNqrfEmvzZ2l9x3QyZrj+bJRPRuhwYq8rFup01qaANJ0p4WS/7voNbRhh+l57FkJF+XAJRRTAAAAIEAts1Se+u+hV9ZedXopzfXv1I5ZOSONxZanM10wjM2GRWygCYsHqDM315swBPkzhmB73oBesnhDW3bq0dmW3wvk4gzQZ2E2SHhzVGjlgDpjEahlQ+XGpDZsvqqFGGGx8lvKYFUxBR+UkqMRGmjkHw5sK5ydO1n4R3XJ4FfQFqmoyU=</elem>
   <elem key="bits">1024</elem>
   <elem key="fingerprint">18782fd3be7178a38e584b5a83bd60a8</elem>
   <elem key="type">ssh-dss</elem>
 </table>
 <table>
   <elem key="key">ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwVuv2gcr0maaKQ69VVIEv2ob4OxnuI64fkeOnCXD1lUx5tTA+vefXUWEMxgMuA7iX4irJHy2zer0NQ3Z3yJvr5scPgTYIaEOp5Uo/eGFG9Agpk5wE8CoF0e47iCAPHqzlmP2V7aNURLMODb3jVZuI07A2ZRrMGrD8d888E2ORVORv1rYeTYCqcMMoVFmX9l3gWEdk4yx3w5sD8v501Iuyd1v19mPfyhrI5E1E1nl/Xjp5N0/xP2GUBrdkDMxKaxqTPMie/f0dXBUPQQN697a5q+5lBRPhKYOtn6yQKCd9s1Q22nxn72Jmi1RzbMyYJ52FosDT755Qmb46GLrDMaZMQ==</elem>
   <elem key="bits">2048</elem>
   <elem key="fingerprint">f058cef4aaa4591c8edd4d0744c82511</elem>
   <elem key="type">ssh-rsa</elem>
 </table>
 <table key="Key comparison with known_hosts file">
   <table key="GOOD Matches in known_hosts file">
     <table>
       <elem key="lnumber">5</elem>
       <elem key="name">localhost</elem>
       <elem key="key">ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwVuv2gcr0maaKQ69VVIEv2ob4OxnuI64fkeOnCXD1lUx5tTA+vefXUWEMxgMuA7iX4irJHy2zer0NQ3Z3yJvr5scPgTYIaEOp5Uo/eGFG9Agpk5wE8CoF0e47iCAPHqzlmP2V7aNURLMODb3jVZuI07A2ZRrMGrD8d888E2ORVORv1rYeTYCqcMMoVFmX9l3gWEdk4yx3w5sD8v501Iuyd1v19mPfyhrI5E1E1nl/Xjp5N0/xP2GUBrdkDMxKaxqTPMie/f0dXBUPQQN697a5q+5lBRPhKYOtn6yQKCd9s1Q22nxn72Jmi1RzbMyYJ52FosDT755Qmb46GLrDMaZMQ==</elem>
     </table>
   </table>
 </table>

 <table>
   <table key="hosts">
     <elem>192.168.1.1</elem>
     <elem>192.168.1.2</elem>
   </table>
   <table key="key">
     <elem key="fingerprint">2c2275604bc33b18a2972c967e28dcdd</elem>
     <elem key="bits">2048</elem>
     <elem key="type">ssh-rsa</elem>
   </table>
 </table>
 <table>
   <table key="hosts">
     <elem>192.168.1.1</elem>
     <elem>192.168.1.2</elem>
   </table>
   <table key="key">
     <elem key="fingerprint">60ac4d51b1cd8509121692761d5d276e</elem>
     <elem key="bits">1024</elem>
     <elem key="type">ssh-dss</elem>
   </table>
 </table>

Nmap ssh-hostkey NSE Script

Script Overview

Script Description

Ssh-hostkey NSE Script Arguments

Ssh-hostkey NSE Script Example Usage

Ssh-hostkey NSE Script Example Output

Ssh-hostkey NSE Script Example XML Output

Authors

References

See Also

Version

Nessus Plugin Library

Solving Problems with Office 365 Email from GoDaddy

Empire Module Library

CrackMapExec Module Library

Metasploit Android Modules

Top 16 Active Directory Vulnerabilities

Top 10 Vulnerabilities: Internal Infrastructure Pentest

Terminal Escape Injection

Cisco Password Cracking and Decrypting Guide

Capture Passwords using Wireshark

SSH Brute Force Attack Tool using PuTTY / Plink (ssh-putty-brute.ps1)

SMB Brute Force Attack Tool in PowerShell (SMBLogin.ps1)

Port Scanner in PowerShell (TCP/UDP)

Nessus CSV Parser and Extractor

Default Password Scanner (default-http-login-hunter.sh)