This script checks for the OpenSSH 7.7 (and prior) username enumeration vulnerability (CVE-2018-15473). It sends a malformed authentication packet and interprets the SSH server’s response to identify valid usernames.
https://www.exploit-db.com/download/45233
-
Python Compatibility Converted all print statements to Python 3 syntax
(print("...")). Replacedmap(str.strip, f.readlines())with a list comprehension for clarity and compatibility. -
Paramiko 3.x+ Compatibility Replaced:
paramiko.auth_handler.AuthHandler._handler_table[...]
with:
from paramiko.auth_handler import AuthHandler
client_table = AuthHandler._client_handler_table.fget(AuthHandler)
This avoids TypeError: 'property' object is not subscriptable.
-
Replaced direct patching:
handler_table[MSG_SERVICE_ACCEPT] = malform_packetwithclient_table[paramiko.common.MSG_SERVICE_ACCEPT] = malform_packet -
RSA Key Generation Optimization Avoided repeated generation of 1024-bit RSA keys (slow and insecure). Introduced a cached 2048-bit RSAKey for testing.
-
Logging & Output Fixes Removed reliance on args.outputFile being mandatory. Added fallback to sys.stdout if --outputFile is not provided.
-
Minor fixes Disabled Paramiko's noisy internal logging. Replaced deprecated or redundant exception-handling patterns. Applied consistent spacing/indentation (converted all tabs to 4 spaces).
- Python 3.6+
- Paramiko (tested with v3.4.0+)
Install dependencies:
pip3 install -r requirements.txtpython3 open-ssh-ue.py <hostname> --userList wordlist.txtpython3 open-ssh-ue.py hostname \
--userList wordlist.txt \
--threads 10 \
--outputFile results.json \
--outputFormat jsonhostname: The target SSH server IP or domain.
--port: SSH port (default is22)--threads: Number of concurrent threads (default is5)--userList: Path to a username list file (one username per line)--username: Test a single username--outputFile: Path to save results (optional; prints to terminal if omitted)--outputFormat: Output format:list,json, orcsv(default:list)
list: Plain text per-username resultjson: Structured list of valid/invalid usernamescsv: Comma-separated values
Use this tool only on systems you own or have explicit permission to test. Unauthorized use is illegal and unethical.