Vulnerability & Exploit Database

Back to search

SSH Username Enumeration

This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (must be enabled) to enumerate users. On some versions of OpenSSH under some configurations, OpenSSH will return a "permission denied" error for an invalid user faster than for a valid user, creating an opportunity for a timing attack to enumerate users. Testing note: invalid users were logged, while valid users were not. YMMV.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name



  • kenkeiras
  • Dariusz Tytko
  • Michal Sajdak
  • Qualys
  • wvu <wvu [at]>



  • Malformed Packet
  • Timing Attack



Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/scanner/ssh/ssh_enumusers msf auxiliary(ssh_enumusers) > show actions ...actions... msf auxiliary(ssh_enumusers) > set ACTION <action-name> msf auxiliary(ssh_enumusers) > show options and set options... msf auxiliary(ssh_enumusers) > run

Related Vulnerabilities