CVE-2016-6210: OpenSSH – user enumeration
1. Affected versions
OpenSSH <= 7.2p2
2. Description of the vulnerability
When a client tries to log in with a user name that does not exist, sshd hashes the supplied password against a fake password using the Blowfish-based algorithm; when the user name does exist, sshd hashes the password with the SHA-256 or SHA-512 crypt algorithm. If a very large password (> 10 KB) is sent, the SHA-256/SHA-512 computation takes much longer than the Blowfish computation over the fake password, so the response time reveals whether the account exists. On this principle, SSH user names can be enumerated.
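The asymmetry described above, and the way it is removed, can be shown with a small simulation. This is an added illustration and not OpenSSH's own code: a toy authenticator stands in for sshd's password path, and PBKDF2 iteration counts (the constants CHEAP_ITERATIONS and EXPENSIVE_ITERATIONS are assumed values chosen only to make the difference visible) stand in for the cheap Blowfish fake-password hash versus the SHA-512 hash of a real account. In real sha512-crypt the cost also grows with password length, which is why the oversized password amplifies the gap; the simulation only models the per-scheme cost. The fixed variant pays the same cost whether or not the user exists, which is the property a defender should verify.

```python
"""Simulation of the CVE-2016-6210 timing asymmetry and of its mitigation.

Added example, not OpenSSH code.  Iteration counts below are assumptions
used only to make the cheap-vs-expensive asymmetry observable.
"""
import hashlib
import hmac
import time

CHEAP_ITERATIONS = 1_000        # stands in for the Blowfish fake-password hash
EXPENSIVE_ITERATIONS = 200_000  # stands in for SHA-512 crypt of a real account


def _hash(password: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations)


# Constructed user database: username -> (salt, stored hash)
_SALT = b"example-salt"
USERS = {"root": (_SALT, _hash(b"correct horse", _SALT, EXPENSIVE_ITERATIONS))}


def auth_vulnerable(username: str, password: bytes) -> tuple[bool, int]:
    """Pre-7.3 behaviour: unknown users are checked with a cheap fake hash.

    Returns (authenticated, iterations_used).  The iteration count is what
    the caller's response time leaks.
    """
    if username in USERS:
        salt, stored = USERS[username]
        digest = _hash(password, salt, EXPENSIVE_ITERATIONS)
        return hmac.compare_digest(digest, stored), EXPENSIVE_ITERATIONS
    # Unknown user: hash against a fixed fake password with the cheap scheme
    _hash(password, b"fake-salt", CHEAP_ITERATIONS)
    return False, CHEAP_ITERATIONS


def auth_fixed(username: str, password: bytes) -> tuple[bool, int]:
    """Mitigated behaviour: the same hashing cost is paid for every name."""
    salt, stored = USERS.get(username, (b"fake-salt", None))
    digest = _hash(password, salt, EXPENSIVE_ITERATIONS)
    if stored is None:
        return False, EXPENSIVE_ITERATIONS
    return hmac.compare_digest(digest, stored), EXPENSIVE_ITERATIONS


def time_auth(func, username: str, password: bytes) -> float:
    """Wall-clock seconds for one authentication attempt."""
    t0 = time.perf_counter()
    func(username, password)
    return time.perf_counter() - t0


if __name__ == "__main__":
    long_pw = b"A" * 10_240  # the >10 KB password the write-up describes
    for name, func in (("vulnerable", auth_vulnerable), ("fixed", auth_fixed)):
        t_unknown = time_auth(func, "nosuchuser", long_pw)
        t_known = time_auth(func, "root", long_pw)
        print(f"{name:10s} unknown={t_unknown:.3f}s known={t_known:.3f}s")
```

Running the block prints one line per variant; the vulnerable variant shows a clear gap between the unknown and known user, the fixed one does not. The point to carry over to a real deployment is that a fix must equalise the work done for non-existent accounts, not merely add a delay that can be averaged out.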
3. Proof of concept
The Python test script is as follows:
Tests were run against two targets: a server on the internal network over the LAN, and an external VPS over the Internet.
Internal-network server. First, test with a user name that does not exist:
Then test with the existing root account:
8.7 seconds > 2.56 seconds, so the test succeeds.
External VPS. First, test with a user name that does not exist:
Then test with the existing root account:
12.66 seconds > 4.74 seconds, so the test succeeds.
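On the defender's side, each probe in the tests above leaves an ordinary sshd log entry, and enumeration shows up as one source trying many distinct user names rather than many attempts against one account. The following added example (not part of the original post) scans sshd log text for that pattern. It assumes the stock OpenSSH log format ("Invalid user NAME from IP port N" and "Failed password for [invalid user] NAME from IP port N ssh2"); the sample lines and addresses are constructed, and the threshold of five distinct names is an assumed starting point to tune per environment.

```python
"""Flag sources that probe many distinct user names in sshd logs.

Added example; the log lines below are constructed and use the
documentation address ranges 203.0.113.0/24 and 198.51.100.0/24.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jul 18 10:02:11 bastion sshd[2101]: Invalid user oracle from 203.0.113.5 port 51234
Jul 18 10:02:11 bastion sshd[2101]: Failed password for invalid user oracle from 203.0.113.5 port 51234 ssh2
Jul 18 10:02:14 bastion sshd[2104]: Invalid user postgres from 203.0.113.5 port 51240
Jul 18 10:02:17 bastion sshd[2107]: Invalid user admin from 203.0.113.5 port 51246
Jul 18 10:02:20 bastion sshd[2110]: Invalid user git from 203.0.113.5 port 51252
Jul 18 10:02:23 bastion sshd[2113]: Failed password for root from 203.0.113.5 port 51258 ssh2
Jul 18 10:02:26 bastion sshd[2116]: Invalid user deploy from 203.0.113.5 port 51264
Jul 18 10:05:01 bastion sshd[2150]: Invalid user alice from 198.51.100.7 port 40001
Jul 18 10:05:30 bastion sshd[2151]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Jul 18 10:06:02 bastion sshd[2152]: Accepted publickey for bob from 198.51.100.7 port 40003 ssh2
"""

# Stock OpenSSH messages; the "invalid user " prefix is present only for
# names that do not exist, so both forms are captured.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+) port \d+")
FAILED_PW = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def probed_names_by_source(log_text: str) -> dict[str, set[str]]:
    """Map each source IP to the set of user names tried from it."""
    names: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = INVALID_USER.search(line) or FAILED_PW.search(line)
        if m:
            user, src = m.groups()
            names[src].add(user)
    return dict(names)


def flag_enumeration(log_text: str, distinct_threshold: int = 5) -> dict[str, list[str]]:
    """Return sources that tried at least `distinct_threshold` distinct names.

    A timing-based enumerator needs only one attempt per name, so the
    signal is the number of distinct user names, not failures per account.
    """
    return {
        src: sorted(users)
        for src, users in probed_names_by_source(log_text).items()
        if len(users) >= distinct_threshold
    }


if __name__ == "__main__":
    for src, users in flag_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} distinct names tried: {', '.join(users)}")
```

In the constructed sample, 203.0.113.5 tries six names (including root) and is flagged, while 198.51.100.7 tries two and is not. Feed real logs by replacing SAMPLE_LOG with the contents of the auth log; on a busy bastion, pair the distinct-name count with a time window so that legitimate users mistyping their names over a day are not swept in.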