A very popular vulnerability in OpenSSH servers is related to the so-called user enumeration. It is connected with the fact that the procedure for checking the password of an existing and non-existing user is performed for different times. And this difference is sufficient for fixing by machine methods.
Probably the developers conceived this not as a bug, but as a feature, because if a user with the specified name does not exist at all, why check the password and waste CPU time on unnecessary cryptographic transformations? You can just “fight back” with the result - “wrong”. But the attacking side was able to use this to their advantage. If you put a list (dictionary) of popular usernames, then you can use it to carry out the so-called enumeration and highlight new targets for the attack.
to find all responding TCP ports. And then run the definition of the service version for those of interest. We're in luck - SSH is hanging on the standard port.
will show us the version of the SSH server specifically and execute the scripts standard for this service - in particular, getting a key snapshot.
Enumeration of usernames
and search for the module there by the keywords of interest:
Among all of the above, # 3 suits us. We use it:
Let's fill in the rest of the options:
You can use an arbitrary dictionary - a simple text file, where each login is a separate line. Launches module:
Many users are listed, but we are not interested in standard service ones - most likely we will not be able to enter interactively under them anyway. Therefore, we will select only those that look like ordinary human logins.
The syntax is not difficult, I think.
After a short attack (if we are lucky and if there is no brute-force blocking), we will see a message in the form of an SSH banner. So the password came up!
This is how it all can work in a couple of minutes.
The indicated vulnerability presumably existed before version 7.7 of the OpenSSH server. So check, update!
And here is the demo picture
Probably the developers conceived this not as a bug, but as a feature, because if a user with the specified name does not exist at all, why check the password and waste CPU time on unnecessary cryptographic transformations? You can just “fight back” with the result - “wrong”. But the attacking side was able to use this to their advantage. If you put a list (dictionary) of popular usernames, then you can use it to carry out the so-called enumeration and highlight new targets for the attack.
The course of the attack
I will demonstrate this attack in action:Server reconnaissance
To the banal simple. We scan the node looking for an SSH service. Moreover, you can perform a basic scan first:
Bash:
$ nmap -p- 192.168.0.112
Code:
$ nmap -p 22 -sV -sC 192.168.0.112
Enumeration of usernames
Launching Metasploit
Bash:
$ msfconsole
Bash:
msf6> search ssh enum
Among all of the above, # 3 suits us. We use it:
Bash:
msf6> use 3
Bash:
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 192.168.0.112msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
Many users are listed, but we are not interested in standard service ones - most likely we will not be able to enter interactively under them anyway. Therefore, we will select only those that look like ordinary human logins.
Bust attack
I prefer to use patator for attack.
Bash:
$ patator ssh_login host=192.168.0.112 user=litladmin password=FILE0 0=/usr/share/wordlists/rockyou.txt
After a short attack (if we are lucky and if there is no brute-force blocking), we will see a message in the form of an SSH banner. So the password came up!
This is how it all can work in a couple of minutes.
The indicated vulnerability presumably existed before version 7.7 of the OpenSSH server. So check, update!
And here is the demo picture
How to protect yourself
- First of all, patch your SSH to make it impossible to enumerate users.
- Use non-dictionary user logins that are allowed to log in interactively via SSH (for example, the same ssh90_user is better than just user).
- Use fail2ban to prevent brute force attacks.
- Use complex, non-dictionary passwords.