Script `ssh-hostkey`

Script types:
Categories: safe, default, discovery
Download: https://svn.nmap.org/nmap/scripts/ssh-hostkey.nse

Script Summary

Shows SSH hostkeys.

Shows the target SSH server's key fingerprint and (with high enough verbosity level) the public key itself. It records the discovered host keys in nmap.registry for use by other scripts. Output can be controlled with the ssh_hostkey script argument.

You may also compare the retrieved key with the keys in your known-hosts file using the known-hosts argument.

The script also includes a postrule that check for duplicate hosts using the gathered keys.

Script Arguments

ssh-hostkey.known-hosts

If this is set, the script will check if the known hosts file contains a key for the host being scanned and will compare it with the keys that have been found by the script. The script will try to detect your known-hosts file but you can, optionally, pass the path of the file to this option.

ssh-hostkey.known-hosts-path.

Path to a known_hosts file.

ssh_hostkey

Controls the output format of keys. Multiple values may be given, separated by spaces. Possible values are

"full": The entire key, not just the fingerprint.
"sha256": Base64-encoded SHA256 fingerprint.
"md5": hex-encoded MD5 fingerprint (the default).
"bubble": Bubble Babble output,
"visual": Visual ASCII art representation.
"all": All of the above.

Example Usage

nmap host --script ssh-hostkey --script-args ssh_hostkey=full
nmap host --script ssh-hostkey --script-args ssh_hostkey=all
nmap host --script ssh-hostkey --script-args ssh_hostkey='visual bubble'

Script Output

Post-scan script results:
| ssh-hostkey: Possible duplicate hosts
| Key 1024 60:ac:4d:51:b1:cd:85:09:12:16:92:76:1d:5d:27:6e (DSA) used by:
|   192.168.1.1
|   192.168.1.2
| Key 2048 2c:22:75:60:4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA) used by:
|   192.168.1.1
|_  192.168.1.2

Requires

Authors:

Sven Klemm
Piotr Olma
George Chatzisofroniou