
Bug in OpenSSH Opens Linux Machines to Password Cracking Attack




A simple but highly critical vulnerability recently disclosed in the widely used OpenSSH software allows attackers to make thousands of password login attempts per connection in a short period.
OpenSSH is the most popular software for secure remote access to Linux-based systems. Generally, the software allows 3 to 6 password login attempts before closing a connection, but a new vulnerability lets attackers perform thousands of authentication requests remotely.
OpenSSH servers with keyboard-interactive authentication enabled, including FreeBSD Linux, can be exploited to carry out a brute-force attack on the OpenSSH protocol, a security researcher with the online alias KingCope explained in a blog post.

Exploit for the Vulnerability RELEASED 

Hackers could widely exploit the vulnerability because keyboard-interactive authentication is enabled by default on most systems.
The researcher has also released proof-of-concept exploit code, which is just a single command, as follows:
ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost
This simple command effectively allows up to 10,000 password attempts within two minutes of login grace time.
"The crucial part is that if the attacker requests 10,000 keyboard-interactive devices OpenSSH will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded," KingCope said.
However, depending on the connection and the victim's Linux machine, a two-minute 'grace period' and thousands of login attempts are enough to achieve a successful login using a dictionary attack with a word list of the most commonly used passwords.
The vulnerability is present in the latest version of OpenSSH, which is Version 6.9.

How to Mitigate the Attack?

Administrators are advised to take the following precautions until OpenSSH releases an official patch to address the issue:
  • Use a cryptographic key pair that is at least 2,048 bits in length
  • Always use a strong password to protect your private key
  • Reduce the grace period to 20 or 30 seconds
  • Use Fail2Ban or Pam-Shield to limit failed login attempts
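
As an added example (not part of the original post and not OpenSSH project code), the following Python sketch audits an sshd_config for the two conditions the article ties to this attack: a long login grace time and enabled keyboard-interactive authentication. The 6.x-era defaults, the 30-second threshold and the sample configurations are assumptions constructed for illustration.

```python
import re

MAX_GRACE_SECONDS = 30  # upper end of the 20-30 s the article advises
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Assumption: built-in defaults of the OpenSSH 6.x releases the article covers.
DEFAULTS = {"logingracetime": "120", "challengeresponseauthentication": "yes"}

def parse_time(value):
    """Convert sshd_config time formats ('120', '2m', '1h30m') to seconds."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    if not parts or "".join(n + u for n, u in parts) != value.lower():
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def effective_settings(config_text):
    """Global keyword -> value map; sshd keeps the first value it reads."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()
        if key == "match":  # later lines are conditional, not global
            break
        settings.setdefault(key, fields[1].strip() if len(fields) > 1 else "")
    return {**DEFAULTS, **settings}

def audit(config_text):
    """Return findings for the two exposure conditions the article names."""
    s = effective_settings(config_text)
    findings = []
    grace = parse_time(s["logingracetime"])
    if grace == 0 or grace > MAX_GRACE_SECONDS:  # 0 disables the limit
        findings.append(f"LoginGraceTime is {grace}s; article advises 20-30s")
    kbd = (s["challengeresponseauthentication"],
           s.get("kbdinteractiveauthentication", "no"))
    if "yes" in (v.lower() for v in kbd):
        findings.append("keyboard-interactive authentication is enabled")
    return findings

# Constructed sample configurations, not taken from any real host.
STOCK = "# nothing overridden\nPort 22\n"
HARDENED = ("LoginGraceTime 30\nChallengeResponseAuthentication no\n"
            "KbdInteractiveAuthentication no\nLoginGraceTime 2m\n")

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

The second LoginGraceTime line in the hardened sample is ignored on purpose, because sshd uses the first value it reads for each keyword; a stricter setting appended at the end of a file that already sets the keyword has no effect.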
