Detecting SSH Username Enumeration

A very quick post about a new thread which has been started yesterday on the OSS-Security mailing list. It’s about a vulnerability affecting almost ALL SSH server version. Quoted from the initial message;

It affects all operating systems, all OpenSSH versions (we went back as far as OpenSSH 2.3.0, released in November 2000)

It is possible to enumerate usernames on a server that offers SSH services publicly. Of course, it did not take too long to see a proof-of-concept posted. I just tested it and it works like a charm:

$ ./ssh-check-username.py victim.domain.com test
[*] Invalid username
$ ./ssh-check-username.py victim.domain.com xavier
[+] Valid username

This is very nice/evil (depending on the side you’re working on). For Red Teams, it’s nice to enumerate usernames and focus on the weakest ones (“guest”, “support”, “test”, etc). There are plenty of username lists available online to brute force the server.

From a Blue Team point of view, how to detect if a host is targeted by this attack? Search for this type of event:

Aug 16 21:42:10 victim sshd[10680]: fatal: ssh_packet_get_string: incomplete message [preauth]

Note that the offending IP address is not listed in the error message. It’s time to keep an eye on your log files and block suspicious IP addresses that make too many SSH attempts (correlate with your firewall logs).

One comment

  1. On MacOS X, the attack will be detected with:

    Aug 19 21:49:51 ••My_mac•• sshd[53057]: Invalid user unknown from
    Aug 19 21:49:51 ••My_mac•• sshd[53057]: input_userauth_request: invalid user unknown [preauth]
    Aug 19 21:49:51 ••My_mac•• sshd[53057]: Connection closed by [preauth]

    on an unknown user, and:

    Aug 19 21:49:57 ••My_mac•• sshd[53059]: error: buffer_get_ret: trying to get more bytes 1907 than in buffer 564 [preauth]
    Aug 19 21:49:57 ••My_mac•• sshd[53059]: error: buffer_get_string_ret: buffer_get failed [preauth]
    Aug 19 21:49:57 ••My_mac•• sshd[53059]: fatal: buffer_get_string: buffer error [preauth]

    on a known user.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.