A very quick post about a new thread which has been started yesterday on the OSS-Security mailing list. It’s about a vulnerability affecting almost ALL SSH server version. Quoted from the initial message;
It affects all operating systems, all OpenSSH versions (we went back as far as OpenSSH 2.3.0, released in November 2000)
$ ./ssh-check-username.py victim.domain.com test [*] Invalid username $ ./ssh-check-username.py victim.domain.com xavier [+] Valid username
This is very nice/evil (depending on the side you’re working on). For Red Teams, it’s nice to enumerate usernames and focus on the weakest ones (“guest”, “support”, “test”, etc). There are plenty of username lists available online to brute force the server.
From a Blue Team point of view, how to detect if a host is targeted by this attack? Search for this type of event:
Aug 16 21:42:10 victim sshd: fatal: ssh_packet_get_string: incomplete message [preauth]
Note that the offending IP address is not listed in the error message. It’s time to keep an eye on your log files and block suspicious IP addresses that make too many SSH attempts (correlate with your firewall logs).