Categories: safe, default, discovery
Shows SSH hostkeys.
Shows the target SSH server's key fingerprint and (with high enough
verbosity level) the public key itself. It records the discovered host keys
nmap.registry for use by other scripts. Output can be
controlled with the
ssh_hostkey script argument.
You may also compare the retrieved key with the keys in your known-hosts
file using the
The script also includes a postrule that check for duplicate hosts using the gathered keys.
If this is set, the script will check if the known hosts file contains a key for the host being scanned and will compare it with the keys that have been found by the script. The script will try to detect your known-hosts file but you can, optionally, pass the path of the file to this option.
Path to a known_hosts file.
Controls the output format of keys. Multiple values may be given, separated by spaces. Possible values are
"full": The entire key, not just the fingerprint.
"sha256": Base64-encoded SHA256 fingerprint.
"md5": hex-encoded MD5 fingerprint (the default).
"bubble": Bubble Babble output,
"visual": Visual ASCII art representation.
"all": All of the above.
nmap host --script ssh-hostkey --script-args ssh_hostkey=full nmap host --script ssh-hostkey --script-args ssh_hostkey=all nmap host --script ssh-hostkey --script-args ssh_hostkey='visual bubble'
Post-scan script results: | ssh-hostkey: Possible duplicate hosts | Key 1024 60:ac:4d:51:b1:cd:85:09:12:16:92:76:1d:5d:27:6e (DSA) used by: | 192.168.1.1 | 192.168.1.2 | Key 2048 2c:22:75:60:4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA) used by: | 192.168.1.1 |_ 192.168.1.2
License: Same as Nmap--See https://nmap.org/book/man-legal.html