SSH Enumeration

What Does SSH Stand For?

Secure Shell (SSH) is a protocol and service for accessing machines remotely over an encrypted channel. The encryption and the server's host key are what protect a session against eavesdropping and man-in-the-middle (MITM) attacks, but only if the client actually verifies the host key: on the first connection the client simply records whatever key the server presents (trust on first use), and a user who blindly accepts a "host key has changed" warning gets no MITM protection at all. In a company, whenever the network administrator wants to reach one of their machines, SSH is usually the first choice (from Windows, typically via PuTTY).

SSH supports both password and public-key authentication.

Secure access to the remote devices.
Secure file transfer.
Run commands on remote devices in a secure way.
Helps manage network devices and servers securely; used extensively in managing data centers.

You can identify open ports and services by using nmap.

nmap -sCV <IP>           // -sC runs the default NSE scripts (for SSH that is ssh-hostkey, which prints the host key fingerprints); -sV grabs the banner and reports the version, e.g. OpenSSH 8.9p1 Ubuntu.
searchsploit openssh     // Searches the local Exploit-DB copy from the command line. Narrow it with the version string nmap reported, since most hits apply only to specific old releases.
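The version string that nmap -sV and searchsploit work from is just the SSH identification line the server sends before any crypto happens, so it is worth knowing how to fetch and read it yourself when nmap is not available. The script below is an added example, not code from the original page: it parses that line per RFC 4253 (the sample banners and the 192.168.1.16 lab address are constructed for the demo) and turns it into the term you would hand to searchsploit.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# Real-world software strings look like "OpenSSH_8.9p1" or "dropbear_2019.78": name, separator, version
SOFTWARE_RE = re.compile(r"^(?P<name>[A-Za-z][\w-]*?)[_-](?P<version>\d[\w.]*)$")

# Constructed sample banners for the demo below (not captured from a real target)
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",
    "SSH-2.0-OpenSSH_7.4\r\n",
    "SSH-2.0-dropbear_2019.78\r\n",
    "220 mail.example.test ESMTP\r\n",  # something other than sshd answered on the port
]


def parse_banner(line):
    """Split an SSH identification string into proto, software, name, version and comments.

    Returns None when the line is not an identification string: servers may send
    free-text lines before it, and a non-SSH service never sends one at all.
    """
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    info = {"proto": m.group("proto"), "software": m.group("software"),
            "comments": m.group("comments")}
    sw = SOFTWARE_RE.match(info["software"])
    info["name"] = sw.group("name") if sw else info["software"]
    info["version"] = sw.group("version") if sw else None
    return info


def searchsploit_term(info):
    """Turn a parsed banner into the term to give searchsploit, e.g. 'OpenSSH 7.4'.

    Only major.minor is kept because Exploit-DB titles rarely carry the patch level.
    """
    if not info.get("version"):
        return info["name"]
    major_minor = re.match(r"\d+(?:\.\d+)?", info["version"]).group(0)
    return f"{info['name']} {major_minor}"


def grab_banner(host, port=22, timeout=5.0):
    """Connect and return the parsed server identification string (None if none arrives).

    The server speaks first, so we only read. The line count is capped so a chatty
    non-SSH service cannot keep us reading forever. This makes a real network
    connection and is not exercised by the offline demo.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        for _ in range(32):
            raw = stream.readline()
            if not raw:
                break
            info = parse_banner(raw.decode("ascii", errors="replace"))
            if info is not None:
                return info
    return None


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        info = parse_banner(banner)
        print(repr(banner.strip()), "->", info and searchsploit_term(info))
    # Against a lab target (hypothetical address): print(grab_banner("192.168.1.16"))
```

The comments field is where the OS hint usually lives ("Ubuntu-3ubuntu0.1" tells you the distro package, which matters because distributions backport fixes without bumping the upstream version), so a searchsploit hit for a given version is a lead to verify, not a confirmed vulnerability.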

Connect to a Remote Machine Using SSH?

You connect to a remote machine by giving a username and hostname in the format below. The connection succeeds once the correct password (or an accepted key) is supplied.

ssh <username>@<hostname>

You can also give the IP address directly; without a username, ssh uses your current local username. "Connection refused" means nothing is listening on port 22 (or a firewall actively rejected the connection); a timeout usually means a firewall silently dropped the packets.

ssh 192.168.1.16

User Enumeration Via Metasploit?

Metasploit Framework comes preinstalled on Kali Linux. Start it with the command below and look up the three SSH scanner modules.

msfconsole -q              // -q skips the banner.
search ssh_enumusers       // auxiliary/scanner/ssh/ssh_enumusers: tests a USER_FILE list against the server. It only works on OpenSSH builds with a username-enumeration weakness (timing differences in old releases, and the malformed-packet bug CVE-2018-15473 fixed in OpenSSH 7.7), so a patched server returns nothing useful.
search ssh_login           // auxiliary/scanner/ssh/ssh_login: password login / brute-force using USER_FILE and PASS_FILE (or USERPASS_FILE); set STOP_ON_SUCCESS to avoid hammering once you are in.
search ssh_login_pubkey    // auxiliary/scanner/ssh/ssh_login_pubkey: tries a private key (KEY_PATH) against a list of users.
use <module>, then show options and set RHOSTS plus the wordlist options above.
run                        // These are auxiliary modules, so run is the proper command (exploit works as an alias).

Brute-force Username or Password?

Once the SSH port is confirmed open, use the SecLists wordlists (/usr/share/seclists on Kali) to brute-force usernames and passwords. Keep in mind that sshd allows only MaxAuthTries attempts per connection (default 6) before dropping you, and fail2ban or account-lockout policies may ban your IP or lock out real users, so throttle the attempts and prefer a short, targeted list over a huge one.

Many NSE scripts are available for SSH. You can list them with the command below.

ls -l /usr/share/nmap/scripts/ | grep ssh         // Displays all ssh nmap scripts (NSE).

use ssh-brute.nse (nmap --script ssh-brute) to brute-force the SSH login, pointing its userdb and passdb script arguments at your wordlists.

While pentesting a box or an application, we often see port 22 open. The first things that should strike us are the key files we may find along the way:

If we find an id_rsa.pub: a public key. Appended to a user's ~/.ssh/authorized_keys it grants login to whoever holds the matching private key, so check whether it is already in there and whose key it is (the trailing comment is usually user@host).

If we find an id_rsa: a private key that can be used to log in directly. Copy it locally and chmod 600 it (ssh refuses a private key with looser permissions), then try it as the user and host it appears to belong to.
                               If it asks for a passphrase => run ssh2john on the key and crack the resulting hash with john.
ssh -i id_rsa user@192.168.1.18

For passwordless login (and persistence), append your own public key to the victim's ~/.ssh/authorized_keys. The .ssh directory must be mode 700 and the file mode 600, otherwise sshd ignores the file under the default StrictModes setting.
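When you pick up key files during a pentest, two questions come up immediately: what exactly does this id_rsa.pub / authorized_keys line authorize (type, size, restricting options, fingerprint), and does this id_rsa need ssh2john first or can it go straight into ssh -i. The script below is an added example, not code from the original page, and answers both with only the standard library: it encodes and parses the ssh-rsa wire format from RFC 4253, computes the same SHA256 fingerprint ssh-keygen -lf prints, and inspects a private key's armor to tell whether it is passphrase-protected. The demo modulus, the pentest@kali comment and the openssh_private_key_stub helper are constructed for the demonstration and are not real key material.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def _put_string(b):
    """SSH wire 'string' (RFC 4251): uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _put_mpint(x):
    """SSH wire 'mpint' for a non-negative integer: minimal big-endian bytes, 0x00 prefix if top bit set."""
    if x == 0:
        return _put_string(b"")
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _put_string((b"\x00" if raw[0] & 0x80 else b"") + raw)


def _get_string(data, off):
    """Read one wire 'string' at offset off; returns (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", data, off)
    off += 4
    if off + n > len(data):
        raise ValueError("truncated SSH string")
    return data[off:off + n], off + n


def encode_rsa_public_key(e, n):
    """Wire blob of an ssh-rsa public key: string 'ssh-rsa', mpint e, mpint n (RFC 4253 6.6)."""
    return _put_string(b"ssh-rsa") + _put_mpint(e) + _put_mpint(n)


def authorized_keys_line(blob, comment=None, options=None):
    """Format a blob as an authorized_keys / id_rsa.pub line: [options] type base64 [comment]."""
    key_type, _ = _get_string(blob, 0)
    parts = [key_type.decode(), base64.b64encode(blob).decode()]
    if options:
        parts.insert(0, options)
    if comment:
        parts.append(comment)
    return " ".join(parts)


def fingerprint_sha256(blob):
    """The fingerprint ssh-keygen -lf shows: SHA256:<unpadded base64 of the blob's SHA-256>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_key(line):
    """Parse and sanity-check one authorized_keys line.

    The key type inside the base64 blob must equal the type field (a mismatch means the
    line was pasted or tampered with). For ssh-rsa, e and the modulus size are extracted
    so small keys stand out. Quoted options containing spaces are not handled by split().
    """
    tokens = line.strip().split()
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no recognised key type in line")
    key_type, blob = tokens[idx], base64.b64decode(tokens[idx + 1], validate=True)
    inner_type, off = _get_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError(f"type field {key_type} does not match blob type {inner_type!r}")
    info = {"options": " ".join(tokens[:idx]) or None, "type": key_type,
            "comment": " ".join(tokens[idx + 2:]) or None, "fingerprint": fingerprint_sha256(blob)}
    if key_type == "ssh-rsa":
        e_bytes, off = _get_string(blob, off)
        n_bytes, off = _get_string(blob, off)
        info["e"] = int.from_bytes(e_bytes, "big")
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
    return info


def private_key_needs_password(pem_text):
    """True if an id_rsa is passphrase-protected, i.e. ssh2john + john come before ssh -i.

    Modern keys use the 'openssh-key-v1' container whose first field is the cipher name
    ('none' = unencrypted). Legacy PEM keys flag encryption with a 'Proc-Type: 4,ENCRYPTED' header.
    """
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armored private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        ciphername, _ = _get_string(body, len(magic))
        return ciphername != b"none"
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)


def openssh_private_key_stub(ciphername):
    """Constructed demo input only: armors just the openssh-key-v1 cipher/kdf header
    so the check above has something to parse. Not a usable key."""
    kdf = b"none" if ciphername == "none" else b"bcrypt"
    body = b"openssh-key-v1\x00" + _put_string(ciphername.encode()) + _put_string(kdf)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


if __name__ == "__main__":
    # Constructed demo modulus (not a real key pair): 2048 bits, e = 65537
    line = authorized_keys_line(encode_rsa_public_key(65537, (1 << 2047) | 1), comment="pentest@kali")
    print(parse_authorized_key(line))
    print(private_key_needs_password(openssh_private_key_stub("aes256-ctr")))
```

Two practical uses: the fingerprint lets you match a found id_rsa.pub against the sshd's own host key or against the fingerprints listed in a user's authorized_keys without the private half, and the options field shows restrictions such as from="..." or command="..." that decide whether a stolen key will actually give you a shell from your attacking host.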
