EvilZone
Hacking and Security: hack3rcon, September 14, 2015, 08:41:53 AM
-
Hello.
How can I find the list of usernames on a host for SSH login?
Thank you.
-
Edit: xor, that was awesome, thanks.
[Post cleared!]
-
Some implementations of SSH are subject to timing-based attacks which can help you enumerate usernames.
Here's an example of what happens.
1. You establish a connection with the server.
2. You send the username and password.
3. The server checks if the username exists; if it doesn't, it sends an authentication failed message.
4. If the username does exist, it hashes your password and checks it against the one stored locally.
Step 4 is what you will be attacking. A few server implementations will only perform expensive hash generation if they have determined that there is a username to check against.
This means, if a user doesn't exist, the server will reply really quickly.
If the user does exist, it will take the server a little longer to reply.
You can enhance the effect of this attack by sending HUGE passwords, as many characters as you can throw at it (>1000s).
This will slow the server down when it's validating the password, because it has to hash it in chunks and is computationally expensive, slowing the response down.
TL;DR:
The server only checks the user's password if the user exists.
Sending a really long password will slow down the CPU and take longer to reply.
If a user doesn't exist the server replies quickly.
If a user does exist, the server will hash the password and check it; using a really long password will slow this process down and let you determine if a username is legitimate or not.
References:
http://www.behindthefirewalls.com/2014/07/openssh-user-enumeration-time-based.html
http://www.devconsole.info/?p=341
http://pentestmonkey.net/tools/timing-attack-checker
http://www.devconsole.info/?p=493
Hopefully this helps.
-- xor
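A server-side illustration of the leak xor describes and of the standard fix, added here as an example (not code from the thread, nor OpenSSH's own authentication code): check_leaky hashes only for a known account, while check_constant_work always hashes, against a dummy entry when the user is unknown, so the work no longer depends on whether the username exists. Function names and the PBKDF2 stand-in for the server's real password hash are my own assumptions.

```python
import hashlib
import hmac
import os
import time
ITERATIONS = 20_000  # PBKDF2 rounds: an assumed stand-in for the server's password hash

def hash_password(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

def make_user_db(users: dict) -> dict:
    """Constructed account table, username -> (salt, hash). Not real credentials."""
    return {name: (salt, hash_password(pw, salt))
            for name, pw in users.items() for salt in (os.urandom(16),)}

def check_leaky(db, username, password, hash_fn=hash_password) -> bool:
    """Step 4 as the thread describes it: hashing only happens for a known username."""
    entry = db.get(username)
    if entry is None:
        return False  # fast path with no hashing at all: this is the timing leak
    salt, stored = entry
    return hmac.compare_digest(hash_fn(password, salt), stored)

DUMMY_SALT = os.urandom(16)  # dummy entry so unknown users cost the same hashing work
DUMMY_HASH = hash_password(b"placeholder-not-a-real-password", DUMMY_SALT)

def check_constant_work(db, username, password, hash_fn=hash_password) -> bool:
    """Hardened check: always hash, against the dummy entry when the user is unknown."""
    salt, stored = db.get(username, (DUMMY_SALT, DUMMY_HASH))
    match = hmac.compare_digest(hash_fn(password, salt), stored)
    return match and username in db  # never accept a login for an unknown account

def hash_calls(check, db, username, password) -> int:
    """How many hash computations a check performs: a deterministic regression signal."""
    calls = 0
    def counting_hash(pw, salt):
        nonlocal calls
        calls += 1
        return hash_password(pw, salt)
    check(db, username, password, hash_fn=counting_hash)
    return calls

def response_gap_ms(check, db, known, unknown, password=b"A" * 4096) -> float:
    """Best-of-5 check time for a known user minus an unknown one, in milliseconds."""
    def best(user):
        t = [time.perf_counter()]
        for _ in range(5):
            check(db, user, password)
            t.append(time.perf_counter())
        return min(b - a for a, b in zip(t, t[1:]))
    return (best(known) - best(unknown)) * 1000
```

hash_calls makes the difference testable without timing noise: the leaky check does 0 hashes for an unknown user and 1 for a known one, the hardened check does 1 in both cases, and response_gap_ms shows the wall-clock gap that collapses once the work is equalised.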
-
IIRC there is timing randomization in place to prevent such attacks?
-
Not on all implementations. It's easy to find out by trying.
-
This would be interesting to test out on embedded boxes, but I seriously doubt this has any luck on any modern equipped box with a distro-packaged sshd.