Full Disclosure mailing list archives
Re: OpenSSH User Enumeration Time-Based Attack
From: Swair Mehta <swairmehta () gmail com>
Date: Wed, 10 Jul 2013 15:17:30 -0700
I havent tried this yet but it makes sense. To avoid linearization attacks from figuring out sensitive data, there are specific precautions that are taken. (some UNIX login program had a similar timing issue if I am not mistaken).
From the looks of it, sshd is looking for the username in some file and if
it doesn't exist, it waits sometime and returns, if it does, then it calculates the long hash. On Wed, Jul 10, 2013 at 6:38 AM, Curesec Research Team <crt () curesec com>wrote:
Hi List, today, we will show a bug concerning OpenSSH. OpenSSH is the most used remote control software nowadays on *nix like operating systems. Legacy claims it replaced unencrypted daemons like rcp, rsh and telnet. Find a version at: https://www.openssh.com. By testing several OpenSSH installations we figured there is a delay of time when it comes to cracking users (not) existing on a system. A normal Brute-force-Attack tests for the correct user and password combination, usually without knowledge if the user on the system exists. For instance, the attacker is interested in the all-mighty “root” aka “toor” account. He might go for password combinations like: root:root root:toor root:password root:system and so on. Permanent attacks against the service normally running on Port 22/tcp implicate that Ssh-Brute-force-Attacks are still profitable. If you are an Auditor and want to check for interesting accounts it might be worthy to know which ones are available on the system to run a more focused attack. To assist you in this issue, there is a little trick to find out a User name before trying to cracking it. To do this the length of the password needs to be increased massively. In our case we go with 39.000 characters(A’s). Trying those passwords at an existing and a non-existing account shows a quite high delay. Find the rest of the post + some example code at the blogpost. http://cureblog.de/openssh-user-enumeration-time-based-attack/ Cheers, Curesec Research Team _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- Swair Mehta
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OpenSSH User Enumeration Time-Based Attack Curesec Research Team (Jul 10)
- Re: OpenSSH User Enumeration Time-Based Attack Jason Hellenthal (Jul 10)
- Re: OpenSSH User Enumeration Time-Based Attack Swair Mehta (Jul 10)
- Re: OpenSSH User Enumeration Time-Based Attack Jann Horn (Jul 11)
- Re: OpenSSH User Enumeration Time-Based Attack Curesec Research Team (Jul 13)
- Re: OpenSSH User Enumeration Time-Based Attack Florian Reinholz (Jul 13)
- Re: OpenSSH User Enumeration Time-Based Attack Grandma Eubanks (Jul 13)
- <Possible follow-ups>
- Re: OpenSSH User Enumeration Time-Based Attack security curmudgeon (Jul 13)