NAME

ssh_scan.pl - helps map SSH server versions


SYNOPSIS

Simply pipe in nmap(1) output of the -oG or -oM format:

  # nmap -sS -p 22 -oG - 10.0.0.1/24 | ssh_scan.pl
  10.0.0.1    example.org    SSH-1.99-OpenSSH_2.9
  ...


DESCRIPTION

This script takes nmap output, extracts what look like open SSH servers, and attempts to connect to each IP address in question to obtain the SSH version string (via the Socket module). Network and broadcast addresses will be skipped.

Output consists of the IP address, hostname, and server version for each running SSH daemon found, in tab-separated value format. The server version can also be "timeout" or a similar error message, depending on various failures to extract any meaningful data.

Errors will crop up when there are connectivity problems between the scanner and the target, or when an nmap stealth scan reports the port as open but tcp_wrappers on the target host denies the full socket connection.

Normal Usage

  $ ssh_scan.pl < nmap-scan-output

The nmap output must be in the -oG or -oM format, and is accepted on STDIN. All results are written to STDOUT.
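The steps described above, sketched as an added example (not the code of ssh_scan.pl itself). Assumptions: the names parse_grepable and read_banner are hypothetical, IO::Socket::INET stands in for the raw Socket module, a last octet of 0 or 255 is treated as a network or broadcast address, and the error strings other than "timeout" are invented for illustration.

```perl
use strict;
use warnings;
use IO::Socket::INET;
# Return [ip, hostname] when a -oG/-oM "Host:" line reports 22/open/tcp.
sub parse_grepable {
    my ($line) = @_;
    return unless $line =~ /^Host:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(([^)]*)\)/;
    my ($ip, $name) = ($1, $2);
    return unless $line =~ m{Ports:.*?\b22/open/tcp/};
    # Assumption: a last octet of 0 or 255 marks a network or broadcast address.
    return if $ip =~ /\.(?:0|255)$/;
    return [$ip, $name];
}

# Read the version line; error strings other than "timeout" are assumed names.
sub read_banner {
    my ($ip, $timeout) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $ip, PeerPort => 22, Proto => 'tcp', Timeout => $timeout,
    ) or return 'connect failed';
    my $banner = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        my $l = <$sock>;
        alarm 0;
        $l;
    };
    my $err = $@;
    alarm 0;
    close $sock;
    return 'timeout' if $err;
    return 'no banner' unless defined $banner;   # e.g. tcp_wrappers closed it
    $banner =~ s/[\r\n]+\z//;
    $banner = substr($banner, 0, 255);
    $banner =~ s/[^\x20-\x7e]/?/g;   # peer-controlled text: keep the TSV clean
    return $banner;
}
# Probe only when nmap output is piped in; else parse the constructed sample.
my $live = !-t STDIN;
my $in = $live ? \*STDIN : \*DATA;
while (my $line = <$in>) {
    my $host = parse_grepable($line) or next;
    my $version = $live ? read_banner($host->[0], 5) : '(not probed)';
    print join("\t", @$host, $version), "\n";
}
__DATA__
Host: 10.0.0.0 ()	Ports: 22/open/tcp//ssh///
Host: 10.0.0.1 (example.org)	Ports: 22/open/tcp//ssh///
Host: 10.0.0.2 ()	Ports: 22/closed/tcp//ssh///
```

Run from a terminal with no piped input, only 10.0.0.1 is printed: the first sample line is dropped as a network address and the third because port 22 is not open.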


OPTIONS

This script currently supports the following command line switches:

-h, -?
Prints a brief usage note about the script.


BUGS

Reporting Bugs

Newer versions of this script may be available from:

http://sial.org/code/perl/

If the bug is in the latest version, send a report to the author. Patches that fix problems or add new features are welcome.

Known Issues

No known bugs.


SEE ALSO

nmap(1), perl(1)

http://www.monkey.org/~provos/scanssh/

http://www.google.com/search?q=nmap+service+detection


AUTHOR

Jeremy Mates, http://sial.org/contact/

Socket code contributed by Michael Hornung, hornung@u.washington.edu.


COPYRIGHT

Copyright (c) 2001, Jeremy Mates. This script is free software; you can redistribute it and/or modify it under the same terms as Perl itself.


VERSION

$Id: ssh_scan.pl,v 1.9 2003/01/13 05:28:42 jmates Exp $