sshd and rshd leak usernames.
Description: | sshd and rshd leak usernames. A lot of sites security-conscious enough to run sshd probably don't want username validation to be this easy |
Author: | Christophe Kalt <kalt@STEALTH.NET> and David Holland |
Compromise: | Test validity of suspected system usernames |
Vulnerable Systems: | Linux, NetBSD, Digital UNIX 4.0, all from rshd, as well as any systems running a vulnerable version of sshd. Remember to use the VERBOSE (-v) flag if you try to exploit sshd. |
Date: | 13 June 1997 |
Notes: | The syntax quoted at the bottom is not correct; you need to give an actual command (like ls) for the rsh problem to be demonstrated. |
Date: Sat, 14 Jun 1997 18:22:02 -0400
From: Christophe Kalt <kalt@STEALTH.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: rshd gives away usernames
ssh also has this problem.
The line "Remote: Rhosts/hosts.equiv authentication refused:
client user 'kalt', server user 'kalt', client host
'millennium.stealth.net'." only appears when the account
exists. (need to run in verbose mode)
This might not be the case if the remote sshd doesn't allow
this particular kind of authentication. I didn't check for
other schemes.
On Jun 13, David Holland wrote:
| Try 'rsh victimhost -l realuser' and 'rsh victimhost -l nosuchuser'.
| The error reported is different.
|
| Therefore, it's possible to determine which account names are valid.
| This is an issue only for particularly paranoid sites that probably
| already have rshd disabled, but I thought it would be worth issuing a
| warning anyway.
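
The flaw both messages describe is a refusal that differs depending on whether the account exists. The following is an added example, not code from rshd, sshd or the original posts: a toy model of such a leaky check beside a uniform one, with a regression check a maintainer could run against either. The account table, trust list, host names, reply strings and function names are all constructed for illustration, and the model covers only the reply text, not timing.

```c
#include <stdio.h>
#include <string.h>

/* Constructed account table and rhosts-style trust list (user@client). */
static const char *const accounts[] = { "kalt", "root", NULL };
static const char *const trusted[]  = { "root@adminhost", NULL };

static int in_list(const char *const *list, const char *s) {
    for (; *list; list++)
        if (strcmp(*list, s) == 0) return 1;
    return 0;
}

static int rhosts_ok(const char *user, const char *client) {
    char key[128];
    snprintf(key, sizeof key, "%s@%s", user, client);
    return in_list(trusted, key);
}

/* Leaky: the refusal text depends on whether the account exists.
 * NULL means "authenticated"; the strings are constructed examples. */
const char *reply_leaky(const char *user, const char *client) {
    if (!in_list(accounts, user)) return "Login incorrect.";
    if (!rhosts_ok(user, client)) return "Permission denied.";
    return NULL;
}

/* Uniform: run the same checks for every name and return one
 * refusal text for every kind of failure. */
const char *reply_uniform(const char *user, const char *client) {
    int exists = in_list(accounts, user);
    int trust  = rhosts_ok(user, client);
    return (exists && trust) ? NULL : "Permission denied.";
}

/* Regression check: returns 1 if the refusal for a real account and
 * for a bogus one can be told apart, 0 if they are identical. */
int leaks_usernames(const char *(*reply)(const char *, const char *)) {
    const char *a = reply("kalt", "untrusted.example");
    const char *b = reply("nosuchuser", "untrusted.example");
    return !(a && b && strcmp(a, b) == 0);
}

int main(void) {
    printf("leaky check leaks usernames:   %d\n", leaks_usernames(reply_leaky));
    printf("uniform check leaks usernames: %d\n", leaks_usernames(reply_uniform));
    return 0;
}
```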
This page is part of Fyodor's exploit world.