Shell Wars: Episode I - The Phantom SSH Username Enumeration

Greenwolf, published in Greenwolf Security, Jul 23, 2019

Today I want to welcome you to a new series of posts I’m putting together, ‘Stories from the Shell’. These posts will detail some of the more interesting hacks I’ve managed to pull off over the course of my penetration testing career. So, let’s dive right in.

A few months ago, I was performing an external network assessment on behalf of a large airline company.

After running our standard vulnerability scanner, I had a couple of medium-risk issues, but nothing that serious. I decided to boot up my nmap vulscan results, generated with this command:

sudo nmap -Pn --randomize-hosts -vv -T4 -n --host-timeout=4h --script vulscan --script-args vulscandb=exploitdb.csv --defeat-rst-ratelimit --open -sTUV -O -iL external-ips.txt -oA nmap-full -p T:1-65535,U:7,9,17,19,49,53,67-69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,631,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5353,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024

Looking through the results, this scan caught my eye:

SSH running on port 1122? Very suspicious 🤔. I wonder if it’s vulnerable to that informational username enumeration issue that came out: CVE-2018-15473. There’s a tool to exploit this on GitHub:

https://github.com/Rhynorater/CVE-2018-15473-Exploit/blob/master/sshUsernameEnumExploit.py

Interesting… Let’s try that with a 13,000-line wordlist of SSH usernames we can find online. I set it up and head to bed, waking up the next morning to find a lovely list of 59 valid usernames:

After a little bit of ‘cut’ting we now have a list of valid usernames:

Now I fully expected to have to use a password list here, but just for the hell of it, let’s try hydra’s ‘-e nsr’ option. (I realise it would also just have been possible to feed the SSH username list into hydra.)

Bingo! We now have low-privileged access to the machine! I then spent a few hours trying various privilege escalation techniques, eventually finding a Dirty Cow exploit that worked on RHEL.

Interestingly enough, it turns out this was a test FTP server, but inside the root .ssh folder were keys to their production FTP server and a number of other machines, all of which they had left exposed to the public internet and out of scope to ensure their PCI compliance. Fun times 😃
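
From the defending side, the password-guessing stage of this story (one source cycling through many usernames, then a successful login) is visible in the sshd authentication log. The following is an added example, not part of the original post or the tools it mentions: a Python detector for that pattern. The log lines are constructed samples in the usual OpenSSH syslog format, and the function name, hostname and threshold are assumptions.

```python
import re
from collections import defaultdict

# OpenSSH password-auth messages ("invalid user " precedes unknown accounts).
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log, not taken from the post (IPs are documentation ranges).
SAMPLE_LOG = """\
Jul 23 02:10:01 ftp01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jul 23 02:10:02 ftp01 sshd[4102]: Failed password for backup from 203.0.113.7 port 40114 ssh2
Jul 23 02:10:03 ftp01 sshd[4103]: Failed password for invalid user oracle from 203.0.113.7 port 40116 ssh2
Jul 23 02:10:04 ftp01 sshd[4104]: Failed password for ftpuser from 203.0.113.7 port 40118 ssh2
Jul 23 02:10:05 ftp01 sshd[4105]: Accepted password for ftpuser from 203.0.113.7 port 40120 ssh2
Jul 23 09:00:00 ftp01 sshd[5001]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jul 23 09:00:09 ftp01 sshd[5002]: Accepted password for alice from 198.51.100.20 port 51002 ssh2
"""

def find_spray_sources(log_text, min_users=3):
    """Return {ip: report} for sources with failed logins against at least
    min_users distinct usernames (threshold is an assumption; tune per site)."""
    failed = defaultdict(set)      # ip -> usernames with failed attempts
    accepted = defaultdict(list)   # ip -> logins accepted after the threshold was hit
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failed[ip].add(user)
        elif len(failed[ip]) >= min_users:
            # A success right after a multi-user guessing run is a likely compromise.
            accepted[ip].append(user)
    return {
        ip: {"users_tried": sorted(users), "compromised": accepted[ip]}
        for ip, users in failed.items()
        if len(users) >= min_users
    }

if __name__ == "__main__":
    for ip, report in find_spray_sources(SAMPLE_LOG).items():
        print(ip, report)
```

A single mistyped password followed by a success, like the second source in the sample, stays below the threshold and is not reported.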
