Skip to content

OpenSSH 2.3 up to 7.4 Mass Username Enumeration (CVE-2018-15473).

License

Notifications You must be signed in to change notification settings

trimstray/massh-enum

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

42 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

+----------------+
| massh-enum 1.0 |
+----------------+

        OpenSSH 2.3 up to 7.4 Mass Username Enumeration (CVE-2018-15473)

        This script contains Matthew Daley Python script <https://bugfuzz.com/stuff/ssh-check-username.py>

        License: GPLv3, <http://www.gnu.org/licenses/>


Description

OpenSSH versions 2.3 up to 7.4 suffer from a username enumeration vulnerability.

The attacker can try to authenticate a user with a malformed packet (for
example, a truncated packet), and:

- if the user is invalid (it does not exist), then userauth_pubkey()
  returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE
  to the attacker;

- if the user is valid (it exists), then sshpkt_get_u8() fails, and the
  server calls fatal() and closes its connection to the attacker.

More information about this vulnerability:
* https://nvd.nist.gov/vuln/detail/CVE-2018-15473
* http://seclists.org/oss-sec/2018/q3/124

How it works?

# ./bin/massh-enum --hosts 10.240.20.0/28 --users wordlists/users
› Generating a list of hosts
› Username Enumeration
host: 10.240.20.1 (p:22), found user: root
host: 10.240.20.1 (p:22), found user: supervisor
host: 10.240.20.2 (p:22), found user: root

Requirements

- Bash (testing on 4.4.19)
- Python (testing on 2.7)
- Nmap (testing on 7.70)