Rapid7 Vulnerability & Exploit Database

SSH Username Enumeration

Back to Search

SSH Username Enumeration



This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (must be enabled) to enumerate users. On some versions of OpenSSH under some configurations, OpenSSH will return a "permission denied" error for an invalid user faster than for a valid user, creating an opportunity for a timing attack to enumerate users. Testing note: invalid users were logged, while valid users were not. YMMV.


  • kenkeiras
  • Dariusz Tytko
  • Michal Sajdak
  • Qualys
  • wvu <wvu@metasploit.com>


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(ssh_enumusers) > show actions
msf auxiliary(ssh_enumusers) > set ACTION < action-name >
msf auxiliary(ssh_enumusers) > show options
    ...show and set options...
msf auxiliary(ssh_enumusers) > run 

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security