SSH 22

SSH Scanning and Enumeration - Port 22

SSH (Secure Shell) is a protocol used for secure communication between a client and a server. Here are the methods for scanning and enumerating SSH services.

SSH Overview:

  • Default Port: 22

  • Protocol: SSH provides encrypted communication over a network. Unlike FTP, which sends credentials and data in cleartext, SSH encrypts data during transmission.

Enumeration Techniques:

  1. Banner Grabbing:

    • Use nc or nmap to grab the SSH banner and get the version information.

    • Example:

      nc -vn <IP> 22
      nmap -p 22 --script=banner <IP>
  2. Unauthenticated Enumeration with Nmap:

    • Use nmap to detect the SSH version and perform general enumeration.

      sudo nmap -sV -p22 -sC -A <IP>
  3. SSH Brute Force with Hydra:

    • Use Hydra to brute-force SSH login attempts with a wordlist. Example:

      hydra -t 1 -l <username> -P <password_list> -vV <IP> ssh
  4. Check for Weak Credentials:

    • Attempt to log in with default or weak credentials. Example:

      ssh username@<IP>
  5. SSH Configurations:

    • Look for insecure configurations like weak ciphers, outdated SSH versions, or insecure authentication methods in the /etc/ssh/sshd_config file.

      • Check for settings like:

        PasswordAuthentication yes
        PermitRootLogin yes
  6. Automated Checks with Nmap Scripts:

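    • Use nmap scripts to check for known SSH weaknesses, such as weak ciphers or root login. Quote the wildcard so the shell passes it to nmap unexpanded. The ssh-* pattern also selects ssh-brute, and algorithm enumeration is done by ssh2-enum-algos, which this pattern does not match. Example:

      nmap --script="ssh-*" -p 22 <IP>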
  7. SSH Key Enumeration:

    • Use tools like ssh-audit to audit the SSH server and get detailed information about its configuration and potential vulnerabilities. Example:

      ssh-audit <IP>
  8. Check for OpenSSH Version:

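    • The SSH banner can also reveal which OpenSSH version is running, which may have known vulnerabilities. The sshv1 script used below checks whether the server still accepts the obsolete SSH protocol version 1.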

    • Example:

      nmap -p 22 --script=sshv1 <IP>
  9. Testing for User Enumeration:

    • Attempt SSH login with common usernames and check if a different response is received for valid and invalid usernames. Example:

      ssh invalid_user@<IP>
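
For item 5 above, a small auditor for the two sshd_config settings listed there, added here as an example and not code from the original page. It assumes unset keywords fall back to current OpenSSH defaults (PasswordAuthentication yes, PermitRootLogin prohibit-password) and reads only the text it is given; the function names are illustrative.

```python
# Added example, not from the original page. Assumption: unset keywords
# fall back to current OpenSSH defaults; Include files are not followed.
DEFAULTS = {"passwordauthentication": "yes",
            "permitrootlogin": "prohibit-password"}
RISKY = {"passwordauthentication": "yes", "permitrootlogin": "yes"}

def parse(config_text):
    """Return (global_settings, match_overrides) for the audited keywords."""
    global_cfg, match_cfg, in_match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # blank or comment line
            continue
        parts = line.replace("=", " ", 1).split()   # "Key value" or "Key=value"
        key = parts[0].lower()                      # keywords are case-insensitive
        value = parts[1].strip('"').lower() if len(parts) > 1 else ""
        if key == "match":                          # later lines are conditional
            in_match = " ".join(parts[1:])
        elif key in RISKY:
            if in_match is None:
                global_cfg.setdefault(key, value)   # sshd keeps the first value
            else:
                match_cfg.append((in_match, key, value))
    return global_cfg, match_cfg

def audit(config_text):
    """Return a sorted list of findings as readable strings."""
    global_cfg, match_cfg = parse(config_text)
    findings = []
    for key, bad in RISKY.items():
        value = global_cfg.get(key, DEFAULTS[key])  # unset means default
        if value == bad:
            source = "explicit" if key in global_cfg else "default"
            findings.append(f"{key}={value} ({source})")
    findings += [f"{k}={v} (Match {cond})" for cond, k, v in match_cfg
                 if v == RISKY[k]]
    return sorted(findings)

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# PasswordAuthentication no
PermitRootLogin no
permitrootlogin yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above is for reviewing a config file offline.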

Useful Tools for Scanning:

  • Nmap: For version detection, script scanning, and brute-force checks.

  • Hydra: For brute-forcing SSH credentials.

  • ssh-audit: For auditing SSH configurations and identifying weak points.
