CVE-2006-5229

OpenSSH - Username Enumeration via Timing Discrepancy

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-5229. PoCs published by Marco Ivaldi.

AI-analyzed exploit summary This script exploits a timing attack vulnerability in OpenSSH (CVE-2006-5229) to determine valid usernames by measuring response time discrepancies. It uses Expect to automate SSH login attempts and analyzes the time taken for 'Permission denied' responses.

Description

OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of 20061014, it appears that this issue is dependent on the use of manually-set passwords that causes delays when processing /etc/shadow due to an increased number of rounds.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Marco Ivaldi · bashremotemultiple

https://www.exploit-db.com/exploits/3303

View Code ZIP pw:eip

This script exploits a timing attack vulnerability in OpenSSH (CVE-2006-5229) to determine valid usernames by measuring response time discrepancies. It uses Expect to automate SSH login attempts and analyzes the time taken for 'Permission denied' responses.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: OpenSSH portable 4.1 (and earlier versions with PAM support)

No auth needed

Prerequisites: Approved target hostkey · Wordlist of usernames · Expect interpreter installed

MITRE ATT&CK