SSH Username Enumeration How-to

SSH Username Enumeration

OpenSSH portable 4.1 on SUSE Linux (and possibly other platforms and versions, and perhaps under limited configurations), allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones. You test the OpenSSH server by providing usernames, and if there is a delay in user authentication, then the user exists. Assessing and auditing OpenSSH in this way will help to create a list of SSH usernames for a brute force attack.

NOTE: as of 20061014, it appears that this issue is dependent on the use of manually-set passwords that causes delays when processing /etc/shadow due to an increased number of rounds. Vulnerability Details : CVE-2006-5229 (See

Kali Linux SSH Username Enumeration Module

The Kali Linux SSH Username Enumeration module uses a time-based attack to enumerate users on an OpenSSH server. Below is the module with its options:

You can select a file containing usernames, one per line. I select the “unix_users.txt” username list (one of many included in Kali):

I set the options and run the module, but I do not find usernames using this list (snippet):

Next, I decided to use my list called “usernames_harvested,” a list of 44 usernames that I have collected through various user enumeration techniques such as SMTP and Samba (See my posts

Alas my harvested list yields no result at this time, I need to do more testing. I need to collect more names or try more default lists. But this outlines the process:


Leave a Reply

Your email address will not be published. Required fields are marked *