SSH 22

SSH Scanning and Enumeration - Port 22

SSH (Secure Shell) is a protocol used for secure communication between a client and a server. Here are the methods for scanning and enumerating SSH services.

SSH Overview:

• Default Port: 22

• Protocol: SSH allows encrypted communication over a network. Unlike FTP, SSH is a secure protocol that uses strong encryption to protect data during transmission.

Enumeration Techniques:

1. Banner Grabbing:

   • Use nc or nmap to grab the SSH banner and get the version information.

   • Example:

     nc -vn <IP> 22
     nmap -p 22 --script=banner <IP>

2. Unauthenticated Enumeration with Nmap:

   • Use nmap to detect the SSH version and perform general enumeration.

     sudo nmap -sV -p22 -sC -A <IP>

3. SSH Brute Force with Hydra:

   • Use Hydra to brute-force SSH login attempts with a wordlist. Example:

     hydra -t 1 -l <username> -P <password_list> -vV <IP> ssh

4. Check for Weak Credentials:

   • Attempt to log in with default or weak credentials. Example:

     ssh username@<IP>

5. SSH Configurations:

   • Look for insecure configurations like weak ciphers, outdated SSH versions, or insecure authentication methods in the /etc/ssh/sshd_config file.

     • Check for settings like:

       PasswordAuthentication yes
       PermitRootLogin yes

6. Automated Checks with Nmap Scripts:

   • Use nmap scripts to check for known SSH vulnerabilities, such as weak ciphers or root login. Example:

     nmap --script=ssh-* -p 22 <IP>

7. SSH Key Enumeration:

   • Use tools like ssh-audit to audit the SSH server and get detailed information about its configuration and potential vulnerabilities. Example:

     ssh-audit <IP>

8. Check for OpenSSH Version:

   • The SSH banner can also reveal which OpenSSH version is running, which may have known vulnerabilities.

   • Example:

     nmap -p 22 --script=sshv1 <IP>

9. Testing for User Enumeration:

   • Attempt SSH login with common usernames and check if a different response is received for valid and invalid usernames. Example:

     ssh invalid_user@<IP>

Useful Tools for Scanning:

• Nmap: For version detection, script scanning, and brute-force checks.

• Hydra: For brute-forcing SSH credentials.

• ssh-audit: For auditing SSH configurations and identifying weak points.