Some SSH server implementations are subject to timing-based attacks that can help you enumerate usernames.
Here's an example of what happens:
1. You establish a connection with the server.
2. You send the username and password.
3. The server checks whether the username exists; if it doesn't, it sends an authentication-failed message.
4. If the username does exist, it hashes your password and checks it against the hash stored locally.
Step 4 is what you will be attacking. A few server implementations only perform the expensive hash computation once they have determined that there is a username to check against.
This means that if a user doesn't exist, the server replies very quickly.
If the user does exist, it takes the server a little longer to reply.
You can enhance the effect of this attack by sending HUGE passwords, as many characters as you can throw at it (thousands or more).
This slows the server down when it validates the password, because it has to hash the input in chunks, which is computationally expensive, so the response takes longer.
TL;DR:
The server only checks the user's password if the user exists.
Sending a really long password keeps the CPU busy and makes the reply take longer.
If a user doesn't exist, the server replies quickly.
If a user does exist, the server hashes the password and checks it; using a really long password slows this process down and lets you determine whether a username is legitimate or not.
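To show the server-side behaviour the post describes from the defender's side, here is an added example (not from the original post, and not OpenSSH code) contrasting a leaky login check that skips hashing for unknown users with a constant-work version that always hashes against a dummy record and caps the password length before hashing. The user database, passwords, work factor and length cap are constructed for the demo.

```python
import hashlib
import hmac
import os

# Work factor is deliberately low so the demo runs quickly; production uses far more.
PBKDF2_ROUNDS = 20_000
MAX_PASSWORD_LEN = 1024  # cap so oversized passwords cannot amplify the hashing work


def _make_record(password: str):
    """Create a constructed (salt, pbkdf2 hash) record for the demo user store."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample user database: username -> (salt, stored hash)
USERS = {"alice": _make_record("correct horse battery staple")}

# Dummy record hashed whenever the username is unknown, so the server performs
# the same expensive work whether or not the user exists.
DUMMY_SALT, DUMMY_HASH = _make_record("not-a-real-password")

HASH_CALLS = {"count": 0}  # instrumentation: counts expensive hash invocations


def _slow_hash(password: bytes, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def authenticate_leaky(username: str, password: str) -> bool:
    """Vulnerable shape from the post: returns early, without hashing, when the
    user does not exist, so the response time reveals which usernames are valid."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_slow_hash(password.encode(), salt), stored)


def authenticate_constant_work(username: str, password: str) -> bool:
    """Hardened shape: reject oversized passwords for everyone before hashing,
    always run the slow hash (against the dummy record for unknown users), and
    compare in constant time. Unknown users always get False."""
    if len(password) > MAX_PASSWORD_LEN:
        return False
    record = USERS.get(username)
    salt, stored = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
    matches = hmac.compare_digest(_slow_hash(password.encode(), salt), stored)
    return matches and record is not None
```

The hash-call counter makes the difference visible without timing: the leaky version does zero hashing work for an unknown user, while the hardened version does exactly one hash regardless of whether the user exists.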
References:
http://www.behindthefirewalls.com/2014/07/openssh-user-enumeration-time-based.html
http://www.devconsole.info/?p=341
http://pentestmonkey.net/tools/timing-attack-checker
http://www.devconsole.info/?p=493
Hopefully this helps.
-- xor