OpenSSH User Enumeration Time-Based Attack

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1044800 漏洞类型
发布时间 2013-07-12 更新时间 2013-07-12
漏洞平台 N/A CVSS评分 N/A
Hi List,

today, we will show a bug concerning OpenSSH. OpenSSH is the most used
remote control software nowadays on *nix like operating systems. Legacy
claims it replaced unencrypted daemons like rcp, rsh and telnet. Find a
version at:

By testing several OpenSSH installations we figured there is a delay of
time when it comes to cracking users (not) existing on a system. A
normal Brute-force-Attack tests for the correct user and password
combination, usually without knowledge if the user on the system exists.

For instance, the attacker is interested in the all-mighty “root” aka
“toor” account. He might go for password combinations like:


and so on. Permanent attacks against the service normally running on
Port 22/tcp implicate that Ssh-Brute-force-Attacks are still profitable.
If you are an Auditor and want to check for interesting accounts it
might be worthy to know which ones are available on the system to run a
more focused attack.

To assist you in this issue, there is a little trick to find out a User
name before trying to cracking it. To do this the length of the password
needs to be increased massively. In our case we go with 39.000
characters(A’s). Trying those passwords at an existing and a
non-existing account shows a quite high delay.

Find the rest of the post + some example code at the blogpost.

Curesec Research Team