#!/bin/bash

# bash snippet to use e.G. an nmap-script for ssh-os-fingerprinting againsts hosts behind a jumphost. 
# dependencies: git, openssh-client, nmap

folder="foobar123"
jumphost="jumphost"
target="1.2.3.4"
ssh_port="9022"

mkdir -p $folder && cd $folder
git clone https://github.com/richlamdev/ssh-default-banners.git 
ssh -f -L $ssh_port:$target:22 $jumphost sleep 10
nmap -p$ssh_port -sV --script ssh-default-banners/ssh-os.nse localhost 

cd ./.. && rm -rf $folder

# example output: 
#
# [...]
# Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-30 15:50 CEST
# Nmap scan report for localhost (127.0.0.1)
# Host is up (0.000044s latency).
# Other addresses for localhost (not scanned): ::1
# 
# PORT     STATE SERVICE VERSION
# 9024/tcp open  ssh     OpenSSH 5.8 (protocol 2.0)
# | ssh-os:
# |_  SSH Banner: SSH-2.0-OpenSSH_5.8\x0D
# [...]