sshd and rshd leak usernames.

Description:sshd and rshd leak usernames. A lot of sites security-consious enough to run sshd probably don't want username validation to be this easy
Author:Christophe Kalt <kalt@STEALTH.NET> and David Holland
Compromise:Test validity of suspected system usernames
Vulnerable Systems:Linux, NetBSD, Digital UNIX 4.0, all from rshd, as well as any systems running a vulnerable version of sshd. Remember to use the VERBOSE (-v) flag if you try to exploit sshd.
Date:13 June 1997
Notes:The syntax quoted at the bottom is not correct, you need to give an actual command (like ls) for the rsh problem to be demonstrated.

Date: Sat, 14 Jun 1997 18:22:02 -0400
From: Christophe Kalt <kalt@STEALTH.NET>
Subject: Re: rshd gives away usernames

ssh also has this problem.

The line "Remote: Rhosts/hosts.equiv authentication refused:
client user 'kalt', server user 'kalt', client host
''." only appears when the account
exists. (need to run in verbose mode)

This might not the case if the remote sshd doesn't allow
this particular kind of authentication.  I didn't check for
other schemes.

On Jun 13, David Holland wrote:
| Try 'rsh victimhost -l realuser' and 'rsh victimhost -l nosuchuser'.
| The error reported is different.
| Therefore, it's possible to determine which account names are valid.
| This is an issue only for particularly paranoid sites that probably
| already have rshd disabled, but I thought it would be worth issuing a
| warning anyway.

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]