Brief

INFO

Affected: OpenSSH versions < 7.7

An OpenSSH user enumeration vulnerability (CVE-2018-15473) became public via a GitHub commit. This vulnerability does not produce a list of valid usernames, but it does allow guessing of usernames.

Exploit

By sending a malformed public key authentication message to an OpenSSH server, the existence of a particular username can be ascertained. If the user does not exist, an authentication failure message is sent to the client. If the user exists, the failure to parse the message aborts the communication: the connection is closed without sending back any message.

# https://github.com/epi052/cve-2018-15473
./ssh-username-enum.py -u root <target>
./ssh-username-enum.py -w users.txt -v <target>
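
For the defensive side of the "< 7.7" range given under INFO, the following added example (not part of the original page or the linked tool) triages already-collected SSH identification strings against that range. The function names, the sample inventory and its banners are constructed for illustration.

```python
import re

FIXED = (7, 7)  # first release outside the "< 7.7" range stated on this page

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-([^-\s]+)-(\S+)(?: (.*))?$")
# Upstream naming, plus the Windows port's "OpenSSH_for_Windows_" prefix.
OPENSSH_RE = re.compile(r"^OpenSSH_(?:for_Windows_)?(\d+)\.(\d+)")


def openssh_version(banner):
    """Return (major, minor) for an OpenSSH banner, None for anything else."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None  # not an SSH identification string at all
    v = OPENSSH_RE.match(m.group(2))
    if not v:
        return None  # another SSH implementation; the range does not apply
    return int(v.group(1)), int(v.group(2))


def classify(banner):
    """'in-range' (< 7.7), 'not-in-range', or 'unknown'."""
    version = openssh_version(banner)
    if version is None:
        return "unknown"
    # Tuple comparison, so 10.0 sorts after 7.7 (a string compare would not).
    return "in-range" if version < FIXED else "not-in-range"


def hosts_to_review(inventory):
    """Hosts whose banner falls in the affected range, sorted by name."""
    return sorted(h for h, b in inventory.items() if classify(b) == "in-range")


# Constructed sample inventory (documentation addresses, made-up banners).
SAMPLE = {
    "192.0.2.10": "SSH-2.0-OpenSSH_7.4",
    "192.0.2.11": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",
    "192.0.2.12": "SSH-2.0-OpenSSH_7.7",
    "192.0.2.13": "SSH-2.0-OpenSSH_10.0",
    "192.0.2.14": "SSH-2.0-dropbear_2019.78",
    "192.0.2.15": "SSH-1.99-OpenSSH_5.3\r\n",
    "192.0.2.16": "SSH-2.0-OpenSSH_for_Windows_7.7",
}

if __name__ == "__main__":
    for host in hosts_to_review(SAMPLE):
        print(host, SAMPLE[host].strip(), "-> check package patch level")
```

Distributions backport fixes without changing the upstream version in the banner, so an "in-range" result marks a host for a package-level patch check rather than confirming it is affected.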