PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-28 02:19:04 +00:00
Code Issues Projects Releases Wiki Activity

o [NSE] Improved ssh2's kex_init() parameters: all of the algorithm

Browse Source 
and language lists can be set using new keys in the "options" table
  argument. These all default to the same value used before. Also, the
  required "cookie" argument is now replaced by an optional "cookie"
  key in the "options" table, defaulting to random bytes as the RFC
  says the value should be. [Kris]

Only ssh2's fetch_host_key() uses this function, but I'm working on
a script and noticed the design flaw regarding the cookie arg (scripts
shouldn't be required to always pass this when it's specified that its
value should be random).  The rest was added because the default is
just a subset of algorithms offered across implementations.
This commit is contained in:
kris
2010-10-13 03:34:00 +00:00
parent 37d3bf21c0
commit 40a4644055
2 changed files with 15 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGELOG
View File

@@ -1,5 +1,12 @@
# Nmap Changelog ($Id$); -*-text-*-
o [NSE] Improved ssh2's kex_init() parameters: all of the algorithm
and language lists can be set using new keys in the "options" table
argument. These all default to the same value used before. Also, the
required "cookie" argument is now replaced by an optional "cookie"
key in the "options" table, defaulting to random bytes as the RFC
says the value should be. [Kris]
o Ncat now logs Nsock debug output to stderr instead of stdout, like
its other debug messages. [David]

16
nselib/ssh2.lua
View File

@@ -98,14 +98,15 @@ transport.kexdh_init = function( e )
end
--- Build a <code>kex_init</code> packet.
transport.kex_init = function( cookie, options )
transport.kex_init = function( options )
options = options or {}
local kex_algorithms = "diffie-hellman-group1-sha1"
local cookie = options['cookie'] or openssl.rand_bytes( 16 )
local kex_algorithms = options['kex_algorithms'] or "diffie-hellman-group1-sha1"
local host_key_algorithms = options['host_key_algorithms'] or "ssh-dss,ssh-rsa"
local encryption_algorithms = "aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr"
local mac_algorithms = "hmac-md5,hmac-sha1,hmac-ripemd160"
local compression_algorithms = "none"
local languages = ""
local encryption_algorithms = options['encryption_algorithms'] or "aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr"
local mac_algorithms = options['mac_algorithms'] or "hmac-md5,hmac-sha1,hmac-ripemd160"
local compression_algorithms = options['compression_algorithms'] or "none"
local languages = options['languages'] or ""
local payload = bin.pack( ">cAaa", SSH2.SSH_MSG_KEXINIT, cookie, kex_algorithms, host_key_algorithms )
payload = payload .. bin.pack( ">aa", encryption_algorithms, encryption_algorithms )
@@ -166,8 +167,7 @@ fetch_host_key = function( host, port, key_type )
status = socket:send("SSH-2.0-Nmap-SSH2-Hostkey\r\n")
if not status then socket:close(); return end
local cookie = openssl.rand_bytes( 16 )
local packet = transport.build( transport.kex_init( cookie, {host_key_algorithms=key_type} ) )
local packet = transport.build( transport.kex_init( {host_key_algorithms=key_type} ) )
status = socket:send( packet )
if not status then socket:close(); return end