OpenSSH 2.3 up to 7.4 Mass Username Enumeration (CVE-2018-15473).

dekoder/massh-enum

This branch is up to date with trimstray/massh-enum:master.

Latest commit

865441d · Nov 15, 2019

+----------------+
| massh-enum 1.0 |
+----------------+

        OpenSSH 2.3 up to 7.4 Mass Username Enumeration (CVE-2018-15473)

        This script includes Matthew Daley's Python script <https://bugfuzz.com/stuff/ssh-check-username.py>

        License: GPLv3, <http://www.gnu.org/licenses/>


Description

OpenSSH versions 2.3 up to 7.4 suffer from a username enumeration vulnerability.

The attacker can try to authenticate a user with a malformed packet (for
example, a truncated packet), and:

- if the user is invalid (it does not exist), then userauth_pubkey()
  returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE
  to the attacker;

- if the user is valid (it exists), then sshpkt_get_u8() fails, and the
  server calls fatal() and closes its connection to the attacker.

More information about this vulnerability:
* https://nvd.nist.gov/vuln/detail/CVE-2018-15473
* http://seclists.org/oss-sec/2018/q3/124
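
For defenders auditing their own fleet, the version range above can be checked against SSH identification strings already collected in an inventory. The following is an added example, not part of massh-enum or the original script; the function names and the sample inventory are assumptions made for illustration.

```python
import re

# Affected range as stated on this page: OpenSSH 2.3 up to 7.4 (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (2, 3), (7, 4)

# RFC 4253 identification string: SSH-<protoversion>-<softwareversion>[ SP comments]
BANNER_RE = re.compile(r"^SSH-([0-9.]+)-(\S+)(?: .*)?$")
# OpenSSH software version, e.g. OpenSSH_7.4, OpenSSH_6.6.1p1, OpenSSH_for_Windows_7.7
OPENSSH_RE = re.compile(r"^OpenSSH_(?:for_Windows_)?(\d+)\.(\d+)(?:\.\d+)?(?:p\d+)?")


def classify_banner(banner):
    """Return (status, version) for one SSH identification string.

    status is one of:
      "in-range"     - OpenSSH version inside the range this page lists
      "out-of-range" - OpenSSH version outside that range
      "not-openssh"  - valid SSH banner from another implementation
      "unparsed"     - not an SSH identification string
    "in-range" means "check the package changelog", not "confirmed
    vulnerable": distributions backport fixes without changing the banner.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return ("unparsed", None)
    v = OPENSSH_RE.match(m.group(2))
    if not v:
        return ("not-openssh", None)
    version = (int(v.group(1)), int(v.group(2)))
    status = "in-range" if AFFECTED_MIN <= version <= AFFECTED_MAX else "out-of-range"
    return (status, version)


def triage(inventory):
    """Given a host -> banner mapping, return the sorted hosts needing review."""
    return sorted(h for h, b in inventory.items() if classify_banner(b)[0] == "in-range")


# Constructed sample inventory (documentation addresses, not real hosts).
SAMPLE = {
    "192.0.2.10": "SSH-2.0-OpenSSH_7.4",
    "192.0.2.11": "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13",
    "192.0.2.12": "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2",
    "192.0.2.13": "SSH-2.0-dropbear_2019.78",
    "192.0.2.14": "SSH-1.99-OpenSSH_2.3.0p1",
    "192.0.2.15": "HTTP/1.1 400 Bad Request",
}
```

Hosts returned by `triage()` are candidates for a patch-level check with the package manager, since the banner alone cannot show whether a vendor fix has been backported.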

How does it work?

# ./bin/massh-enum --hosts 10.240.20.0/28 --users wordlists/users
› Generating a list of hosts
› Username Enumeration
host: 10.240.20.1 (p:22), found user: root
host: 10.240.20.1 (p:22), found user: supervisor
host: 10.240.20.2 (p:22), found user: root

Requirements

- Bash (tested on 4.4.19)
- Python (tested on 2.7)
- Nmap (tested on 7.70)
