Monday, March 16, 2015

Discovering SSH Host Keys with NMAP

As network engineers we use SSH daily (hopefully ssh and not telnet!), and with all the uproar over duplicate SSH keys lately I thought it would be a good time to write a blog post about NMAP’s SSH host-key script (ssh-hostkey). Last month John Matherly, founder of Shodan, published this blog:
If you aren’t familiar with www.shodan.com, it’s a search engine for Internet-connected devices. There is a monthly fee, but if you are interested in hacking it’s well worth the cost.

DigitalOcean is a cloud hosting provider that sells “Droplets”. You spin up a droplet using their control panel ($5 per month for 512MB RAM, 20GB SSD and a TB of bandwidth!). Ubuntu is a very popular OS for a droplet, and they have instructions explaining how duplicate SSH host keys can be accidentally created. Here are their instructions - Avoid Duplicate SSH Host Keys. Well worth reading if you run any version of Linux and enable SSH. You can use lasdigital (Linux Action Show) as a code to get two months of hosting for free.

Background

The script returns the SSH host key of the target. Script arguments control whether you see the fingerprint or the full key; with no arguments the script returns the fingerprint. This is a quick way to verify that the device has a key created, and to see the fingerprint if you are looking for duplicates.

I have used the script when I get a “Connection Refused” message while connecting to a network device that should have SSH running. If SSH is enabled but you get connection refused, the device may not have a host key installed.

Let’s check the keys!

In this example I configured SSH on a Cisco 3750 switch. I kicked off “crypto key generate rsa usage-keys mod 1024” and immediately ran the script. I was lucky enough to catch it right before it created the keys:

nmap --script ssh-hostkey 192.168.10.50
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-14 20:22 Pacific Daylight Time
Nmap scan report for 192.168.10.50
Host is up (0.053s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
|_ssh-hostkey:
23/tcp  open  telnet
443/tcp open  https
MAC Address: 00:1B:90:9F:FF:C0 (Cisco Systems)

When the keys finished I re-ran the script with no options to get the fingerprint:

nmap --script ssh-hostkey 192.168.10.50
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-14 20:24 Pacific Daylight Time
Nmap scan report for 192.168.10.50
Host is up (0.047s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 5b:b1:f3:00:b9:09:4a:04:75:10:ce:f5:11:e7:48:73 (RSA)
23/tcp  open  telnet
443/tcp open  https
MAC Address: 00:1B:90:9F:FF:C0 (Cisco Systems)


A Quick Policy Assessment

You arrive at a customer site and are asked to log into the switches and routers and make sure that they meet the corporate security policy:
SSH key length at least 1024 bits
telnet disabled
HTTP disabled

You complete the assignment almost before the customer finishes describing it to you!

root@YHS-kali:~# nmap --script ssh-hostkey 10.99.16.231-254
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-17 13:50 PDT

Nmap scan report for 10.99.16.240
Host is up (0.0043s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http

Nmap scan report for 10.99.16.241
Host is up (0.0044s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http

Nmap scan report for 10.99.16.249
Host is up (0.0053s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 6a:7a:5f:54:ba:ce:ce:1e:7a:2c:4e:d3:65:fb:51:bf (RSA)
443/tcp open  https

Nmap scan report for 10.99.16.250
Host is up (0.0076s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 b5:75:9d:d4:0b:f2:29:97:d1:ce:c4:2f:13:aa:c7:c7 (RSA)
443/tcp open  https

Nmap scan report for 10.99.16.252
Host is up (0.0060s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 08:62:de:73:1a:b6:66:cc:9b:62:f5:86:64:a7:68:a3 (RSA)
443/tcp open  https

Nmap scan report for 10.99.16.253
Host is up (0.0033s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 c9:3a:9c:0f:79:7f:62:73:dd:3d:dd:16:c3:85:08:4c (RSA)
443/tcp open  https

Nmap scan report for 10.99.16.254
Host is up (0.0025s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 07:f1:5d:51:1d:93:96:ae:72:96:e0:fd:95:2f:b9:b6 (RSA)
23/tcp  open  telnet
443/tcp open  https


Grabbing the banner from the services running on the device

NMAP also comes with a banner-grab script. This one is handy if you are verifying that none of your devices are running SSH V1. Remember, NMAP can scan a range of IP addresses, not just one host!

nmap --script banner 192.168.10.50
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-14 21:19 Pacific Daylight Time
Nmap scan report for 192.168.10.50
Host is up (0.036s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
|_banner: SSH-2.0-Cisco-1.25
23/tcp  open  telnet
|_banner: \xFF\xFB\x01\xFF\xFB\x03\xFF\xFD\x18\xFF\xFD\x1F
443/tcp open  https
MAC Address: 00:1B:90:9F:FF:C0 (Cisco Systems)

Nmap done: 1 IP address (1 host up) scanned in 70.09 seconds
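The policy assessment and the banner check above are easy to automate once you parse Nmap's normal output. The following is an added example (my code, not from the original post or from the Nmap project): it reads the "Nmap scan report" blocks, collects open ports, ssh-hostkey lines and banner lines per host, and evaluates the three policy points plus an SSH V1 check. Assumptions: "HTTP disabled" means tcp/80 (HTTPS on 443 is left alone), a host with no SSH service at all is reported as a finding, and the output is the Nmap 6.47 format shown above (MD5 colon fingerprints). The sample text is a cut-down copy of the scans quoted above; the last host is written as if both scripts ran in one pass (`--script ssh-hostkey,banner`). The banner check follows RFC 4253: a server that announces `SSH-1.99-...` accepts both protocol 1 and 2, so it counts as offering V1.

```python
"""Check Nmap ssh-hostkey/banner output against the post's three-point policy."""
import re
from dataclasses import dataclass, field

# Constructed sample, cut down from the scans quoted above. The last host is
# written as if scanned with "--script ssh-hostkey,banner" in a single run.
SCAN_OUTPUT = r"""
Nmap scan report for 10.99.16.240
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http

Nmap scan report for 10.99.16.249
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 6a:7a:5f:54:ba:ce:ce:1e:7a:2c:4e:d3:65:fb:51:bf (RSA)
443/tcp open  https

Nmap scan report for 192.168.10.50
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|   1024 5b:b1:f3:00:b9:09:4a:04:75:10:ce:f5:11:e7:48:73 (RSA)
|_banner: SSH-2.0-Cisco-1.25
23/tcp  open  telnet
|_banner: \xFF\xFB\x01\xFF\xFB\x03\xFF\xFD\x18\xFF\xFD\x1F
443/tcp open  https
"""
# The switch as captured above before "crypto key generate rsa" had finished.
PRE_KEYGEN_OUTPUT = """
Nmap scan report for 192.168.10.50
PORT    STATE SERVICE
22/tcp  open  ssh
|_ssh-hostkey:
23/tcp  open  telnet
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+(\S+)")           # "22/tcp  open  ssh"
KEY_RE = re.compile(r"^\|_?\s+(\d+)\s+([0-9a-f:]{47})\s+\((\w+)\)")  # "|_  1024 aa:bb:... (RSA)"
BANNER_RE = re.compile(r"^\|_banner:\s*(.*)$")

@dataclass
class Host:
    ip: str
    open_ports: dict = field(default_factory=dict)  # port -> service name
    hostkeys: list = field(default_factory=list)    # (bits, fingerprint, type)
    banners: dict = field(default_factory=dict)     # port -> banner text

def parse_nmap(text):
    """Parse Nmap normal output into one Host record per scan report."""
    hosts, host, port = [], None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, port = Host(m.group(1)), None
            hosts.append(host)
        elif host is None:
            continue
        elif m := PORT_RE.match(line):
            port = int(m.group(1))
            if m.group(2) == "open":
                host.open_ports[port] = m.group(3)
        elif port is not None and (m := KEY_RE.match(line)):
            host.hostkeys.append((int(m.group(1)), m.group(2), m.group(3)))
        elif port is not None and (m := BANNER_RE.match(line)):
            host.banners[port] = m.group(1)
    return hosts

def ssh_protocol_versions(banner):
    """Protocol versions a server banner offers (RFC 4253 'SSH-proto-software-');
    the legacy value 1.99 means the server accepts both protocol 1 and 2."""
    m = re.match(r"SSH-(\d+\.\d+)-", banner)
    if not m:
        return set()
    return {1, 2} if m.group(1) == "1.99" else {int(m.group(1).split(".")[0])}

def assess(host, min_key_bits=1024):
    """Policy findings for one host; an empty list means compliant."""
    findings = []
    if 23 in host.open_ports:
        findings.append("telnet enabled (tcp/23)")
    if 80 in host.open_ports:
        findings.append("HTTP enabled (tcp/80)")
    if 22 not in host.open_ports:
        findings.append("SSH not running")
        return findings
    if not host.hostkeys:   # the "connection refused / no key yet" case from the post
        findings.append("SSH open but no host key reported")
    for bits, fp, ktype in host.hostkeys:
        if bits < min_key_bits:
            findings.append(f"{ktype} host key only {bits} bits ({fp})")
    banner = host.banners.get(22)
    if banner and 1 in ssh_protocol_versions(banner):
        findings.append(f"SSH protocol 1 offered ({banner})")
    return findings

def assess_all(text):
    """Map each scanned IP to its list of findings."""
    return {h.ip: assess(h) for h in parse_nmap(text)}
```

Feed it the saved output of `nmap --script ssh-hostkey,banner <range> -oN scan.txt` with `assess_all(open("scan.txt").read())`; on the sample above, 10.99.16.249 comes back clean, 10.99.16.240 fails all three points, and the 3750 fails only on telnet.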


The "Full" script argument

This time the script was run against my SonicWall firewall:
sudo nmap --script ssh-hostkey --script-args ssh_hostkey=full 192.168.10.254

Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-14 19:09 PDT
Nmap scan report for 192.168.10.254
Host is up (0.0051s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
|_ssh-hostkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDSypZN2N3s3ACk+yOF72YCB4mmHcvF/kIjLuoJz2C991orznolsbBWIdKWcGjcil6mvIT5nj93miiaLMrS746Y9r7GBvrzV2xiNSYsK1Gs61sWn13tyTFbDaUeHK5SW2DYFbXDKHHtiVkTlXtc4bVPrvNpSmgmbCsD2Wo+ZZdlzQ==
80/tcp  open  http
443/tcp open  https
MAC Address: 00:17:C5:67:BE:CC (SonicWALL)
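The blob after `ssh-rsa` is the key's wire encoding from RFC 4253: three length-prefixed fields (the type string, the public exponent e, the modulus n), and it is the same SECSH format that `show ip ssh` prints on IOS. The following is an added example (my code, not from the post, Nmap or SonicWall) that decodes the SonicWall key quoted above, derives the key size nmap reports (1024 bits here) and computes the MD5 colon fingerprint that nmap 6.47 prints by default, plus the SHA256 form newer tools print. That lets you compare what the scanner saw against what the device itself reports out of band, which is the check to run when you suspect a duplicated or replaced host key. `read_string`, `parse_ssh_rsa`, `encode_ssh_rsa` and `key_meets_policy` are my own helper names.

```python
"""Decode a SECSH/OpenSSH 'ssh-rsa' public key blob and derive what nmap reports."""
import base64
import hashlib
import struct

# The SonicWall key quoted above, exactly as the full-key output printed it.
SONICWALL_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDSypZN2N3s3ACk+yOF72YCB4mmHcvF/kIjLuoJz2C991orznolsbBWIdKWcGjcil6mvIT5nj93miiaLMrS746Y9r7GBvrzV2xiNSYsK1Gs61sWn13tyTFbDaUeHK5SW2DYFbXDKHHtiVkTlXtc4bVPrvNpSmgmbCsD2Wo+ZZdlzQ=="

def read_string(blob, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes) from blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def fingerprints(blob):
    """MD5 colon form (nmap 6.47 default and ssh-keygen -l -E md5) and the
    SHA256 form newer OpenSSH/nmap releases print (base64, '=' padding dropped)."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "sha256": "SHA256:" + sha}

def parse_ssh_rsa(b64):
    """Split an ssh-rsa blob into type, exponent, modulus, key size and fingerprints."""
    blob = base64.b64decode(b64)
    key_type, off = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {key_type!r}")
    e_bytes, off = read_string(blob, off)   # mpint: big-endian, leading 0x00 if sign bit set
    n_bytes, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after modulus")
    n = int.from_bytes(n_bytes, "big")       # the 0x00 pad does not change the value
    return {"type": key_type.decode(), "e": int.from_bytes(e_bytes, "big"),
            "n": n, "bits": n.bit_length(), **fingerprints(blob)}

def encode_ssh_rsa(e, n):
    """Inverse of parse_ssh_rsa; used to build test keys and round-trip check."""
    def mpint(x):
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if raw and raw[0] & 0x80:
            raw = b"\x00" + raw   # keep the value positive
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return base64.b64encode(blob).decode()

def key_meets_policy(b64, min_bits=1024):
    """The 'SSH key length at least 1024 bits' check from the policy section."""
    return parse_ssh_rsa(b64)["bits"] >= min_bits

if __name__ == "__main__":
    info = parse_ssh_rsa(SONICWALL_KEY)
    print(info["type"], info["bits"], "bits, e =", info["e"])
    print(info["md5"])
    print(info["sha256"])
```

Paste the base64 from `ssh_hostkey=full` (or from the `show ip ssh` SECSH line) into `parse_ssh_rsa` and compare `info["md5"]` with the fingerprint the default script run prints; the key size nmap shows is simply the bit length of the modulus, which is why the SonicWall key above reads as 1024.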

Configuring SSH on Recent Versions of Cisco IOS

It only takes a few steps to set up SSH on an IOS device. You should add it to your standard build script! Note: the Cisco IOS image must be a k9 (crypto) image in order to support SSH.

Switch(config)#ip ssh version 2
Switch(config)#ip domain-name hubbardonnetworking.com
Switch(config)#crypto key generate rsa usage-keys modulus 1024
The name for the keys will be: Switch.example.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
exit

#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa
