
Explore Hidden Networks with Double Pivoting - maxt
https://pentest.blog/explore-hidden-networks-with-double-pivoting/
======
wyldfire
> The SSH_enumusers auxiliary module allows user detection:

Gee, I naively assumed that ssh was designed to avoid leaking whether users
were valid or not. Is this based on just timing or does the protocol really
reveal whether or not it's a valid user?

~~~
jdwithit
Yes, it appears to be a timing attack where invalid users are denied more
quickly than valid users.

[https://www.rapid7.com/db/modules/auxiliary/scanner/ssh/ssh_...](https://www.rapid7.com/db/modules/auxiliary/scanner/ssh/ssh_enumusers)

~~~
jeffmcjunkin
And to be clear, this is an issue that resurfaced in August or so of 2016, and
is patched in supported OpenSSH daemons[0][1].

[0] [https://access.redhat.com/security/cve/cve-2016-6210](https://access.redhat.com/security/cve/cve-2016-6210)

[1] [https://www.ubuntu.com/usn/usn-3061-1/](https://www.ubuntu.com/usn/usn-3061-1/)

