kippo-detect.nse

[ghost]

can i submit a new script here?

https://github.com/x-42/nmap-kippo-detect.nse/blob/master/kippo-detect.nse

[cldrn]

Do we have this as a signature already?

[ghost]

no, not that i'm aware of. at least not in 6.0.0. not sure about the newer version. script works good though!

[p-l-]

Hi!

Maybe it would be nice to check with the development version from the repository before!

I've just read your script and have a couple of comments:

• based on my understanding of your code, I believe it would be possible to do the job with a simple fingerprint instead of adding a new script. Am I wrong?
• Do you really want shortport.port_or_service(22, 'telnet', 'tcp')? and not 'ssh'? Or is it on purpose, because Nmap version scan says "telnet" when run against such a server?

[ghost]

i guess a fingerprint could possibly work.

my initial findings were that i was able to get TCP 22 to spit out data that could be used to fingerprint the kippo service, when connecting via a telnet client:

• http:https://x42.obscurechannel.com/2014/09/12/death-by-magick-number-fingerprinting-kippo-2014/

there's also an existing metasploit module, which works well and uses the technique i describe:

• http:https://www.rapid7.com/db/modules/auxiliary/scanner/ssh/detect_kippo

[ghost]

@dmiller-nmap thoughts?

[dmiller-nmap]

Version detection will not work for this, since the SSH banner is matched on the Null probe, so doing a NSE script is the right move. But @cldrn is correct, the portrule should be shortport.port_or_service(22,"ssh"). The actual data sent can be any 5 bytes that does not start with "\x00".

[p-l-]

@dmiller-nmap thanks for the explanation, makes sense.

If the string can be anything that does not start with "\x00", would it be possible (and useful) to make it random?