forked from trimstray/massh-enum
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
43 lines (29 loc) · 1.27 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
+----------------+
| massh-enum 1.0 |
+----------------+
OpenSSH 2.3 up to 7.4 Mass Username Enumeration (CVE-2018-15473)
This script contains Matthew Daley Python script <https://bugfuzz.com/stuff/ssh-check-username.py>
License: GPLv3, <http://www.gnu.org/licenses/>
Description
OpenSSH versions 2.3 up to 7.4 suffer from a username enumeration vulnerability.
The attacker can try to authenticate a user with a malformed packet (for
example, a truncated packet), and:
- if the user is invalid (it does not exist), then userauth_pubkey()
returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE
to the attacker;
- if the user is valid (it exists), then sshpkt_get_u8() fails, and the
server calls fatal() and closes its connection to the attacker.
More information about this vulnerability:
* https://nvd.nist.gov/vuln/detail/CVE-2018-15473
* http://seclists.org/oss-sec/2018/q3/124
How it works?
# ./bin/massh-enum --hosts 10.240.20.0/28 --users wordlists/users
› Generating a list of hosts
› Username Enumeration
host: 10.240.20.1 (p:22), found user: root
host: 10.240.20.1 (p:22), found user: supervisor
host: 10.240.20.2 (p:22), found user: root
Requirements
- Bash (testing on 4.4.19)
- Python (testing on 2.7)
- Nmap (testing on 7.70)