Add CVE-2018-15473 to ssh_enumusers #10479

Merged
merged 5 commits into from Aug 20, 2018

wvu-r7 commented Aug 17, 2018

Code has been refactored, continuing from our work in #3157. cc @kenkeiras!

  • Test Malformed Packet action
  • Test Timing Attack action
  • Make sure I didn't mess up the refactor

msf5 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] [redacted]:22 - SSH - Using malformed packet technique
[*] [redacted]:22 - SSH - Starting scan
[+] [redacted]:22 - SSH - User 'wvu' found
[-] [redacted]:22 - SSH - User 'bcook' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_enumusers) >

wvu-r7 requested review from bcook-r7 and busterb and removed request for bcook-r7 Aug 17, 2018

Make false positive check optional
I couldn't repro this with pubkey-only auth. It also goes to the log.

wvu-r7 removed the delayed label Aug 18, 2018

busterb commented Aug 18, 2018

Nice, I'm glad you integrated it into the existing module.

busterb self-assigned this Aug 20, 2018

wvu-r7 added some commits Aug 20, 2018

Refactor once more with feeling
Also flesh out malformed-packet auth method. Let's not be lazy here. :-)

busterb merged commit 819b850 into rapid7:master Aug 20, 2018

busterb added a commit that referenced this pull request Aug 20, 2018

busterb commented Aug 20, 2018

Release Notes

This adds the malformed packet technique described in CVE-2018-15473 to the ssh_enumusers module. This is a very effective attack because it is quick, affects almost every version of OpenSSH, and does not produce error logs as a side-effect when a user does exist.

wvu-r7 deleted the wvu-r7:feature/ssh branch Aug 21, 2018

msjenkins-r7 added a commit that referenced this pull request Aug 21, 2018

wvu-r7 referenced this pull request Sep 6, 2018

Merged

Refactor SSH mixins and update modules #10593

3 of 3 tasks complete