Quick Tutorial: SSH Enumeration for Penetration Testers
SSH, short for Secure Shell, is a service for managing infrastructure remotely in a secure manner. Whenever an administrator wants to access a remote machine, SSH is a natural choice. SSH provides both password and public key-based authentication. The protocol also encrypts communication using strong cryptographic algorithms, which helps mitigate Man-in-the-Middle (MitM) attacks. The default port of the SSH server is 22.
This article covers SSH enumeration techniques that help penetration testers extract sensitive information and gain unauthorized access.
Usage
- Secure access to remote devices
- Secure file transfer
- Running commands on remote devices in a secure manner
- Managing network devices and servers securely; SSH is used extensively in managing data centers
How can you identify open ports and services?
You can identify open ports and services by using Nmap.
nmap <IP>
nmap -sC -sV <IP>
Now you can search for known exploits by using the searchsploit tool available in Kali Linux.
searchsploit openssh
How to connect to a remote machine using SSH
You can connect to a remote machine by providing the username and hostname in the format below. For a successful connection, the correct password needs to be provided.
ssh <username>@<hostname>
You can also connect directly by providing the remote IP address. You will get "Connection refused" if the SSH service is not open.
ssh 192.168.1.11
Enumeration of users with Metasploit Framework
Metasploit Framework is preinstalled on Kali Linux. You can start the framework with the command below:
msfconsole
You can search for auxiliary and exploit modules by using the "search" command. After identifying a module, you can select it with the "use" command and run it against the target.
search ssh_enumusers
Other SSH-related modules are also available in msfconsole.
search ssh_login
Brute-force username and password
If the SSH port is open, you can use SecLists wordlists to brute-force the username and password.
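From the defender's side, the user enumeration and brute-force activity described above leaves a clear trail in the sshd authentication log. The Python script below is an added example, not part of the original tutorial; the log lines are constructed in OpenSSH's format, and the function name and thresholds (5 failures, 3 distinct invalid usernames per source) are assumptions to tune.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH's sshd syslog format (not taken from a real host).
SAMPLE_LOG = """\
Mar  3 10:00:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 10:00:03 web1 sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 40113 ssh2
Mar  3 10:00:04 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 40114 ssh2
Mar  3 10:00:05 web1 sshd[2104]: Failed password for invalid user x from 10.0.0.1 from 203.0.113.7 port 40115 ssh2
Mar  3 10:00:06 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 40116 ssh2
Mar  3 10:00:07 web1 sshd[2106]: Failed password for root from 203.0.113.7 port 40117 ssh2
Mar  3 10:00:08 web1 sshd[2107]: Accepted password for root from 203.0.113.7 port 40118 ssh2
Mar  3 10:05:00 web1 sshd[2200]: Failed password for deploy from 198.51.100.4 port 51000 ssh2
Mar  3 10:05:09 web1 sshd[2201]: Accepted publickey for deploy from 198.51.100.4 port 51001 ssh2: ED25519 SHA256:constructed-example
"""

# The username is chosen by the client and may contain " from <ip>", so the
# greedy (.*) plus the end anchor binds the source to the LAST " from " on the line.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for .* from (\S+) port \d+ ssh2")

def analyze(log_text, max_failures=5, max_invalid_users=3):
    """Return {source_ip: [tags]} for sources that cross the (assumed) thresholds."""
    failures, invalid, compromised = defaultdict(int), defaultdict(set), set()
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if m:
            bad_user, user, src = m.groups()
            failures[src] += 1
            if bad_user:
                invalid[src].add(user)
            continue
        m = ACCEPTED.search(line)
        # A success from a source already over the failure threshold is the urgent case.
        if m and failures[m.group(1)] >= max_failures:
            compromised.add(m.group(1))
    findings = {}
    for src, count in list(failures.items()):
        checks = (("user-enumeration", len(invalid[src]) >= max_invalid_users),
                  ("brute-force", count >= max_failures),
                  ("login-after-failures", src in compromised))
        tags = [name for name, hit in checks if hit]
        if tags:
            findings[src] = tags
    return findings

if __name__ == "__main__":
    for src, tags in analyze(SAMPLE_LOG).items():
        print(src, ", ".join(tags))
```

The fourth sample line carries a username that embeds a fake source address; the parser still attributes it to 203.0.113.7, and 10.0.0.1 never appears in the findings.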
By using Nmap
Many Nmap scripts are available to enumerate SSH. You can list all of them with the command below:
ls /usr/share/nmap/scripts/ | grep ssh
Other options available with SSH
ssh -h
Conclusion
SSH is a secure protocol used by administrators to access remote devices over an unsecured network. This article covered SSH enumeration techniques that help penetration testers gain access to remote devices.
Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.