22/tcp - SSH
General Information
Name
Secure Shell Socket
Service
SSH (Secure Shell Socket) is a network protocol that gives users a secure way to access a computer over an unsecured network.
Notes
Ability to log in to a machine remotely. SSH is the encrypted version of telnet.
Connection
Client
# Credentials
ssh USERNAME@IP
# ID RSA
ssh -i id_rsa_FILE USERNAME@IP
Recon Checklist
Banner Grabbing
# netcat
nc -nv IP 22
# telnet
telnet IP 22
Brute Force (Hydra)
hydra -L USER_DICT -P PASS_DICT IP ssh
# or
hydra -L USER_DICT -P PASS_DICT ssh://IP
SSH Audit
# Single Target
ssh-audit TARGET
# Multiple Targets
ssh-audit -T TARGETS_FILES
Get/Put Files
# Get (download) file
scp USER@TARGET:/path/to/remote/file /path/to/local/destination
# Put (upload) file
scp /path/to/local/file USER@TARGET:/path/to/remote/destination
Scripts
Nmap
ssh-brute
Attempts password guessing using brute force. The userdb file needs to contain the username or list of usernames.
nmap -p 22 --script ssh-brute <target> --script-args userdb=<dict>
ssh-hostkey
Displays the SSH server's public key for comparison.
nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full <target>
ssh2-enum-algos
Enumerates algorithms supported by the SSH server.
nmap -p 22 --script ssh2-enum-algos <target>
ssh-auth-methods
Enumerates authentication methods for a specific user.
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=<username>" <target>
ssh-run
Runs a command on the target over SSH.
nmap -p 22 --script ssh-run --script-args="ssh-run.cmd=<command>,ssh-run.username=<user>,ssh-run.password=<pass>" <target>
Metasploit
auxiliary/scanner/ssh/ssh_version
Gets the version of the SSH server.
RHOSTS, THREADS, USER_AS_PASS
auxiliary/scanner/ssh/ssh_login
Attempts brute-force authentication on an SSH server.
RHOSTS, USER_FILE, PASS_FILE, VERBOSE, STOP_ON_SUCCESS
auxiliary/scanner/ssh/ssh_enumusers
Enumerates valid users on an SSH server.
RHOSTS, USER_AS_PASS, THREADS
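Detection
The defender-side view of the brute-force entries above (Hydra, ssh-brute, ssh_login), as an added example that is not from the original page: it counts failed password logins per source IP in sshd log lines. The log lines are constructed samples, and the function names and threshold are assumptions.

```bash
#!/bin/sh
# Added example: count failed SSH password logins per source IP.
# Log lines below are constructed samples in OpenSSH sshd syslog wording.

sample_auth_log() {
  cat <<'EOF'
Jan 10 03:14:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:02 host sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 03:14:03 host sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 10 03:14:04 host sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jan 10 03:14:05 host sshd[1209]: Failed password for invalid user oracle from 203.0.113.5 port 51242 ssh2
Jan 10 09:30:11 host sshd[2310]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 10 09:30:19 host sshd[2310]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
EOF
}

# Usage: ssh_bruteforce_sources THRESHOLD < auth.log
# Prints "IP FAILURES DISTINCT_USERS" for every IP with >= THRESHOLD failures,
# highest failure count first. (Function name and threshold are assumptions.)
ssh_bruteforce_sources() {
  awk -v min="$1" '
    # The username is client-controlled, so read the IP from the fixed tail
    # of the line ("from IP port N ssh2") rather than from the first "from".
    /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
      ip = $(NF-3)
      # Username = text between "Failed password for [invalid user ]" and the tail.
      user = substr($0, index($0, "Failed password for ") + 20)
      sub(/^invalid user /, "", user)
      sub(/ from [^ ]+ port [0-9]+ ssh2$/, "", user)
      fails[ip]++
      if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END {
      for (ip in fails)
        if (fails[ip] >= min) print ip, fails[ip], users[ip]
    }
  ' | sort -k2,2nr
}

# Demo on the constructed sample with a threshold of 5 failures.
sample_auth_log | ssh_bruteforce_sources 5   # prints "203.0.113.5 5 4"
```

Many failures spread across several usernames from one IP is the pattern a dictionary run produces; a single failure followed by a successful login, as for 198.51.100.7, stays below the threshold.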

