loading
loading
Vulnerabilities
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
overview
cve-2018-15473 confirms which accounts exist on an OpenSSH server by exploiting a username-enumeration flaw in versions 7.7 and earlier. It sends a malformed authentication request during the handshake: the server hangs up on that request for a real account but returns a normal auth failure for a name that does not exist, and that difference reveals valid usernames without ever completing a login. It tests a single username or a whole wordlist and understands IPv6 targets.
A confirmed account list is a foothold for the next stage. Validated usernames narrow password spraying and brute-force runs to real users, which raises the hit rate and cuts the noise of a credential attack. Multi-threading keeps enumeration fast across a large wordlist.
On Trickest, this is a Vulnerabilities node that takes a target host and a username source, then writes a file and a folder of confirmed accounts. Run it against an SSH service you have already found, then feed the valid usernames into a credential-testing tool such as hydra.
use cases
Test a username wordlist against an OpenSSH server and confirm which accounts exist from the server's differing responses to a malformed auth request.
Pass one username with -u to check whether a specific account is present, useful when you already have a name to verify.
Feed validated usernames into password spraying or brute forcing so the attack targets real accounts instead of guessing both user and password.
Enumerate IPv6 SSH services and services on a non-default port that IPv4-only or port-22-only tools cannot reach.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| hostname | STRING | · | Target host or IP to enumerate (positional). |
| usernames | FILE | -w | Wordlist of usernames to test. |
| single-username | STRING | -u | A single username to test. |
| port | STRING | -p | Target SSH port (default 22). |
| threads | STRING | --threads | Number of enumeration threads (default 4). |
| verbose | BOOLEAN | -v | Print both valid and invalid usernames (default false). |
Showing key inputs. cve-2018-15473 exposes 6 inputs in total.
example
# test a username wordlist against an OpenSSH service on a custom portpython3 ssh-username-enum.py -p 2222 --threads 8 -w users.txt 198.51.100.24[*] Starting user enumeration on 198.51.100.24:22[*] Loaded 214 usernames from users.txt[+] admin is a valid user[+] deploy is a valid user[+] git is a valid user[-] backup is not a valid user[-] oracle is not a valid user[*] Enumeration complete: 3 valid, 211 invalidguidance
Use this tool when you find an SSH service running a vulnerable OpenSSH version and want a validated username list before a credential attack. Confirm the target is in range first with a port scanner, then pass the results to a brute-force tool such as hydra or medusa.
Network login brute forcer. Consumes the validated usernames this tool produces.
Parallel credential brute forcer. Another consumer of the enumerated SSH accounts.
Multi-protocol credential and enumeration tool. Broader than this single-CVE check.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Accurately fingerprint and detect Netscaler and Citrix ADC versions vulnerable to CVE-2023-3519.
An SSH host and a username wordlist feed the enumerator, which exploits CVE-2018-15473 to confirm real accounts and writes the valid usernames as output.
Facts on this page come from the live Trickest tool library.