22/tcp - SSH

General Information

Name

Secure Shell Socket

Service

SSH (Secure Shell Socket) is a network protocol that gives users, a secure way to access a computer over an unsecure network.

Notes

Ability to login into a machine remotely. SSH is the encrypted version of telnet

Connection

Client

# Credentials
ssh USERNAME@IP
# ID RSA
ssh -i id_rsa_FILE USERNAME@IP

Recon Checkklist

Banner Grabbing

# netcat
nc -nv IP 22
# telnet
telnet IP 22

Brute Force (Hydra)

hydra -L USER_DICT -P PASS_DICT IP ssh
# or
hydra -L USER_DICT -P PASS_DICT ssh://IP

SSH Audit

# Single Target
ssh-audit TARGET
# Multiple Targets
ssh-audit -T TARGETS_FILES

Get/Put Files

# Get (download) file
scp USER@TARGET:/path/to/remote/file /path/to/local/destination
# Put (upload) file
scp /path/to/local/file USER@TARGET:/path/to/remote/destination

Scripts

Nmap

Script Name

Description

Usage

ssh-brute

Attempts password guessing using brute force. The userdb file need to contain the username or list of usernames.

nmap -p 22 --script ssh-brute <target> —script-args userdb=<dict>

ssh-hostkey

Displays the SSH server's public key for comparison.

nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full <target>

ssh2-enum-algos

Enumerates algorithms supported by the SSH server.

nmap -p 22 --script ssh2-enum-algos <target>

ssh-auth-methods

Enumerate authentication methods for a specific user

nmap -p 22 —script ssh-auth-methods —script-args=”ssh.user=<username>” <target>

ssh-run

Run commands

nmap -p 22 —script ssh-run —script-args=”ssh-run.cmd=<command>,ssh-run.uslername=<user>,ssh-run.password=<pass>”

List all available nmap scripts :

nmap --script-help="ssh-*"

ls /usr/share/nmap/scripts/ssh-*.nse

We can run all the available nmap scripts with:

nmap --script ssh-* -p 22 IP

Metasploit

Script Name

Description

Parameters

auxiliary/scanner/ssh/ssh_version

Gets the version of the SSH server.

RHOSTS, THREADS, USER_AS_PASS

auxiliary/scanner/ssh/ssh_login

Attempts brute-force authentication on an SSH server.

RHOSTS, USER_FILE, PASS_FILE, VERBOSE, STOP_ON_SUCCESS

auxiliary/scanner/ssh/ssh_enumusers

Enumerates valid users on an SSH server.

RHOSTS, USER_AS_PASS, THREADS

Previous21/tcp - FTP Nextrecon/technologies

Last updated 1 year ago

hashtagGeneral Information

hashtagConnection

hashtagClient

hashtagRecon Checkklist

hashtagBanner Grabbing

hashtagBrute Force (Hydra)

hashtagSSH Audit

hashtagGet/Put Files

hashtagScripts

hashtagNmap

hashtagMetasploit