SSH Username Enumeration - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/ssh/ssh_enumusers Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: SSH Username Enumeration
Module: auxiliary/scanner/ssh/ssh_enumusers
Source code: modules/auxiliary/scanner/ssh/ssh_enumusers.rb
Disclosure date: -
Last modification time: 2021-01-27 10:14:52 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 22
List of CVEs: CVE-2003-0190, CVE-2006-5229, CVE-2016-6210, CVE-2018-15473
This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (must be enabled) to enumerate users. On some versions of OpenSSH under some configurations, OpenSSH will return a "permission denied" error for an invalid user faster than for a valid user, creating an opportunity for a timing attack to enumerate users. Testing note: invalid users were logged, while valid users were not. YMMV.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(ssh_enumusers) > show options
... show and set options ...
msf auxiliary(ssh_enumusers) > set RHOSTS ip-range
msf auxiliary(ssh_enumusers) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(ssh_enumusers) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(ssh_enumusers) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(ssh_enumusers) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Introduction
This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server.
Testing note: invalid users were logged, while valid users were not. YMMV.
Actions
Malformed Packet
The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (must be enabled) to enumerate users.
Timing Attack
On some versions of OpenSSH under some configurations, OpenSSH will return a "permission denied" error for an invalid user faster than for a valid user, creating an opportunity for a timing attack to enumerate users.
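From the defender's side, the observable trace of either technique is a burst of sshd "Invalid user" lines from one source (the testing note above says invalid users were logged while valid ones were not, so the count of distinct names seen is only a lower bound on what was tried). The following Ruby script is an added example, not part of the module or its documentation: it parses syslog-style sshd lines from a constructed auth.log sample and flags any source that probes at least a chosen number of distinct usernames inside a sliding time window. The year (syslog omits it), the window length and the threshold are assumptions chosen for illustration.

```ruby
require 'time'

# Syslog timestamps carry no year; assume one so they can be compared (assumption).
ASSUMED_YEAR = 2021

# sshd line written for a username that does not exist. The username group is
# \S* rather than \S+ because sshd also logs an empty name as
# "Invalid user  from <ip>" (two spaces), and that edge case should still count.
INVALID_USER_RE = /\A(?<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (?<user>\S*) from (?<src>\d{1,3}(?:\.\d{1,3}){3})/

Event = Struct.new(:time, :src, :user)

# Parse auth.log text and keep only the "Invalid user" events.
def parse_invalid_user_lines(log, year: ASSUMED_YEAR)
  log.each_line.map do |line|
    m = INVALID_USER_RE.match(line)
    next unless m
    time = Time.strptime("#{year} #{m[:stamp]}", '%Y %b %d %H:%M:%S')
    Event.new(time, m[:src], m[:user])
  end.compact
end

# Flag every source IP that tried at least min_users distinct usernames within
# some window of `window` seconds. Returns one alert per source, keyed by IP.
# Both tunables are illustrative defaults, not values from the module.
def detect_enumeration(events, window: 60, min_users: 5)
  alerts = {}
  events.group_by(&:src).each do |src, evs|
    evs = evs.sort_by(&:time)
    evs.each_with_index do |first, i|
      in_window = evs[i..-1].take_while { |e| e.time - first.time <= window }
      users = in_window.map(&:user).uniq
      next if users.size < min_users
      alerts[src] = { first_seen: first.time, distinct_users: users.size, users: users }
      break
    end
  end
  alerts
end

# Constructed sample log (not real traffic): one source trying seven names in
# three seconds, one source with a single miss, and one unrelated normal login.
SAMPLE_LOG = <<~LOG
  Jan 27 10:14:52 bastion sshd[4012]: Invalid user admin from 203.0.113.5 port 51001
  Jan 27 10:14:52 bastion sshd[4013]: Invalid user bcook from 203.0.113.5 port 51002
  Jan 27 10:14:53 bastion sshd[4014]: Invalid user test from 203.0.113.5 port 51003
  Jan 27 10:14:53 bastion sshd[4015]: Invalid user oracle from 203.0.113.5 port 51004
  Jan 27 10:14:54 bastion sshd[4016]: Invalid user guest from 203.0.113.5 port 51005
  Jan 27 10:14:54 bastion sshd[4017]: Invalid user postgres from 203.0.113.5 port 51006
  Jan 27 10:14:55 bastion sshd[4018]: Invalid user  from 203.0.113.5 port 51007
  Jan 27 10:20:10 bastion sshd[4101]: Invalid user deploy from 198.51.100.7 port 40210
  Jan 27 11:03:44 bastion sshd[4300]: Accepted publickey for wvu from 192.0.2.9 port 33000 ssh2
LOG

if $PROGRAM_NAME == __FILE__
  detect_enumeration(parse_invalid_user_lines(SAMPLE_LOG)).each do |src, a|
    puts "#{src}: #{a[:distinct_users]} distinct usernames starting #{a[:first_seen]} (#{a[:users].inspect})"
  end
end
```

Run against the sample, only 203.0.113.5 is reported (seven distinct names, including the empty one, inside the window); the single miss from 198.51.100.7 stays below the threshold. Because the module's malformed-packet action produces no "Invalid user" line for names that do exist, a real enumeration run with a mixed wordlist will look smaller in the log than it was, which is the reason to alert on the rate of distinct names rather than on any particular count.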
Options
USERNAME
Single username to test (username spray).
USER_FILE
File containing usernames, one per line.
THRESHOLD
Amount of seconds needed before a user is considered found (timing attack only).
CHECK_FALSE
Check for false positives (random username).
Usage
msf5 > use auxiliary/scanner/ssh/ssh_enumusers
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set rhosts [redacted]
rhosts => [redacted]
msf5 auxiliary(scanner/ssh/ssh_enumusers) > echo $'wvu\nbcook' > users
[*] exec: echo $'wvu\nbcook' > users
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set user_file users
user_file => users
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set verbose true
verbose => true
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run
[*] [redacted]:22 - SSH - Using malformed packet technique
[*] [redacted]:22 - SSH - Starting scan
[+] [redacted]:22 - SSH - User 'wvu' found
[-] [redacted]:22 - SSH - User 'bcook' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set action Timing Attack
action => Timing Attack
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run
[*] [redacted]:22 - SSH - Using timing attack technique
[*] [redacted]:22 - SSH - Starting scan
[+] [redacted]:22 - SSH - User 'wvu' found
[-] [redacted]:22 - SSH - User 'bcook' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_enumusers) > creds
Credentials
===========

host        origin      service       public  private  realm  private_type
----        ------      -------       ------  -------  -----  ------------
[redacted]  [redacted]  22/tcp (ssh)  wvu
msf5 auxiliary(scanner/ssh/ssh_enumusers) >
Msfconsole Usage
Here is how the scanner/ssh/ssh_enumusers auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/ssh/ssh_enumusers
msf6 auxiliary(scanner/ssh/ssh_enumusers) > show info
Name: SSH Username Enumeration
Module: auxiliary/scanner/ssh/ssh_enumusers
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
kenkeiras
Dariusz Tytko
Michal Sajdak
Qualys
wvu <[email protected]>
Available actions:
Name              Description
----              -----------
Malformed Packet  Use a malformed packet
Timing Attack     Use a timing attack
Check supported:
No
Basic options:
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
CHECK_FALSE  false            no        Check for false positives (random username)
Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT        22               yes       The target port
THREADS      1                yes       The number of concurrent threads (max one per host)
THRESHOLD    10               yes       Amount of seconds needed before a user is considered found (timing attack only)
USERNAME                      no        Single username to test (username spray)
USER_FILE                     no        File containing usernames, one per line
Description:
This module uses a malformed packet or timing attack to enumerate
users on an OpenSSH server. The default action sends a malformed
(corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key
authentication (must be enabled) to enumerate users. On some
versions of OpenSSH under some configurations, OpenSSH will return a
"permission denied" error for an invalid user faster than for a
valid user, creating an opportunity for a timing attack to enumerate
users. Testing note: invalid users were logged, while valid users
were not. YMMV.
References:
https://nvd.nist.gov/vuln/detail/CVE-2003-0190
https://nvd.nist.gov/vuln/detail/CVE-2006-5229
https://nvd.nist.gov/vuln/detail/CVE-2016-6210
https://nvd.nist.gov/vuln/detail/CVE-2018-15473
OSVDB (32721)
http://www.securityfocus.com/bid/20418
https://seclists.org/oss-sec/2018/q3/124
https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/
Module Options
This is a complete list of options available in the scanner/ssh/ssh_enumusers auxiliary module:
msf6 auxiliary(scanner/ssh/ssh_enumusers) > show options
Module options (auxiliary/scanner/ssh/ssh_enumusers):
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
CHECK_FALSE  false            no        Check for false positives (random username)
Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT        22               yes       The target port
THREADS      1                yes       The number of concurrent threads (max one per host)
THRESHOLD    10               yes       Amount of seconds needed before a user is considered found (timing attack only)
USERNAME                      no        Single username to test (username spray)
USER_FILE                     no        File containing usernames, one per line
Auxiliary action:
Name              Description
----              -----------
Malformed Packet  Use a malformed packet
Advanced Options
Here is a complete list of advanced options supported by the scanner/ssh/ssh_enumusers auxiliary module:
msf6 auxiliary(scanner/ssh/ssh_enumusers) > show advanced
Module advanced options (auxiliary/scanner/ssh/ssh_enumusers):
Name                 Current Setting                          Required  Description
----                 ---------------                          --------  -----------
RETRY_NUM            3                                        yes       The number of attempts to connect to a SSH server for each user
SSH_DEBUG            false                                    no        Enable SSH debugging output (Extreme verbosity!)
SSH_IDENT            SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3  yes       SSH client identification string
SSH_TIMEOUT          10                                       no        Specify the maximum time to negotiate a SSH session
ShowProgress         true                                     yes       Display progress messages during a scan
ShowProgressPercent  10                                       yes       The interval in percent that progress should be shown
VERBOSE              false                                    no        Enable detailed status messages
WORKSPACE                                                     no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/ssh/ssh_enumusers module can do:
msf6 auxiliary(scanner/ssh/ssh_enumusers) > show actions
Auxiliary actions:
Name              Description
----              -----------
Malformed Packet  Use a malformed packet
Timing Attack     Use a timing attack
Evasion Options
Here is the full list of evasion options supported by the scanner/ssh/ssh_enumusers auxiliary module, used to evade defenses (e.g. antivirus, EDR, firewalls, NIDS):
msf6 auxiliary(scanner/ssh/ssh_enumusers) > show evasion
Module evasion options:
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
permission denied
Here is a relevant code snippet related to the "permission denied" error message:

The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST
packet using public key authentication (must be enabled) to enumerate users.

On some versions of OpenSSH under some configurations, OpenSSH will return a
"permission denied" error for an invalid user faster than for a valid user,
creating an opportunity for a timing attack to enumerate users.

Testing note: invalid users were logged, while valid users were not. YMMV.
},
'Author' => [
<PEER-IP> Retrying '<USER>' due to connection error
Here is a relevant code snippet related to the "<PEER-IP> Retrying '<USER>' due to connection error" error message:
ret = nil

while attempt_num <= retry_num and (ret.nil? or ret == :connection_error)
  if attempt_num > 0
    Rex.sleep(2 ** attempt_num)
    vprint_status("#{peer(ip)} Retrying '#{user}' due to connection error")
  end

  ret = check_user(ip, user, rport)
  attempt_num += 1
end
<PEER-IP> User '<USER>' could not connect
Here is a relevant code snippet related to the "<PEER-IP> User '<USER>' could not connect" error message:
case attempt_result
when :success
  print_good("#{peer(ip)} User '#{user}' found")
  do_report(ip, user, rport)
when :connection_error
  vprint_error("#{peer(ip)} User '#{user}' could not connect")
when :fail
  vprint_error("#{peer(ip)} User '#{user}' not found")
end
end

<PEER-IP> User '<USER>' not found
Here is a relevant code snippet related to the "<PEER-IP> User '<USER>' not found" error message:
  print_good("#{peer(ip)} User '#{user}' found")
  do_report(ip, user, rport)
when :connection_error
  vprint_error("#{peer(ip)} User '#{user}' could not connect")
when :fail
  vprint_error("#{peer(ip)} User '#{user}' not found")
end
end

def run_host(ip)
  print_status("#{peer(ip)} Using #{action.name.downcase} technique")
<PEER-IP> throws false positive results. Aborting.
Here is a relevant code snippet related to the "<PEER-IP> throws false positive results. Aborting." error message:
print_status("#{peer(ip)} Using #{action.name.downcase} technique")

if datastore['CHECK_FALSE']
  print_status("#{peer(ip)} Checking for false positives")
  if check_false_positive(ip)
    print_error("#{peer(ip)} throws false positive results. Aborting.")
    return
  end
end

users = user_list
Please populate USERNAME or USER_FILE
Here is a relevant code snippet related to the "Please populate USERNAME or USER_FILE" error message:
end

users = user_list

if users.empty?
  print_error('Please populate USERNAME or USER_FILE')
  return
end

print_status("#{peer(ip)} Starting scan")
users.each { |user| show_result(attempt_user(user, ip), user, ip) }
Related Pull Requests
- #14664 Merged Pull Request: Hide negative results behind vprint_error within auxiliary/scanner/ssh/ssh_enumusers
- #10649 Merged Pull Request: Fix http://seclists.org links to https://
- #10593 Merged Pull Request: Refactor SSH mixins and update modules
- #10510 Merged Pull Request: Add full disclosure for CVE-2018-15473
- #10498 Merged Pull Request: Add module doc for ssh_enumusers
- #10479 Merged Pull Request: Add CVE-2018-15473 to ssh_enumusers
- #10456 Merged Pull Request: Remove SSH scanner using known_hosts
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7018 Merged Pull Request: Un-Vendor the net-ssh library
- #6812 Merged Pull Request: Resolve #6807, remove all OSVDB references.
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5768 Merged Pull Request: Update modules to use metasploit-credential instead of report_auth_info
- #5218 Merged Pull Request: Fix #3816 by deleting print_debug
References
- CVE-2003-0190
- CVE-2006-5229
- CVE-2016-6210
- CVE-2018-15473
- OSVDB (32721)
- BID-20418
- https://seclists.org/oss-sec/2018/q3/124
- https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/
See Also
Check also the following modules related to this module:
- auxiliary/scanner/ssh/ssh_enum_git_keys
- auxiliary/scanner/ssh/ssh_identify_pubkeys
- auxiliary/scanner/ssh/ssh_login
- auxiliary/scanner/ssh/ssh_login_pubkey
- auxiliary/scanner/ssh/ssh_version
- auxiliary/scanner/ssh/apache_karaf_command_execution
- auxiliary/scanner/ssh/cerberus_sftp_enumusers
- auxiliary/scanner/ssh/detect_kippo
- auxiliary/scanner/ssh/eaton_xpert_backdoor
- auxiliary/scanner/ssh/fortinet_backdoor
- auxiliary/scanner/ssh/juniper_backdoor
- auxiliary/scanner/ssh/karaf_login
- auxiliary/scanner/ssh/libssh_auth_bypass
- auxiliary/fuzzers/ssh/ssh_kexinit_corrupt
- auxiliary/fuzzers/ssh/ssh_version_15
- auxiliary/fuzzers/ssh/ssh_version_2
- auxiliary/fuzzers/ssh/ssh_version_corrupt
- post/multi/gather/ssh_creds
- auxiliary/dos/windows/ssh/sysax_sshd_kexchange
- auxiliary/admin/http/cisco_7937g_ssh_privesc
- auxiliary/gather/kerberos_enumusers
- auxiliary/scanner/smb/smb_enumusers
- auxiliary/scanner/snmp/snmp_enumusers
- auxiliary/scanner/snmp/xerox_workcentre_enumusers
- auxiliary/scanner/smb/smb_enumusers_domain
Authors
- kenkeiras
- Dariusz Tytko
- Michal Sajdak
- Qualys
- wvu
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.