Quick Tutorial: SSH Enumeration for Penetration Testers

SSH, short for Secure Shell, is a service that helps in remotely managing infrastructure in a secure manner. Whenever an administrator wants to access a remote machine, ssh is a genuine choice. SSH provides both password and public key-based authentication. This protocol also encrypts communication by using strong cryptographic algorithms that mitigate Man in the Middle (MitM) attacks. The default port of ssh server is 22.

This article covers SSH Enumeration techniques for Penetration Testers that help them to extract sensitive information and unauthorized access.


  • Secure access to the remote devices.
  • Secure file transfer
  • Run commands on remote devices in a secure manner
  • Help in managing network devices and servers securely. Extensive use in managing data centers.

How can you identify open ports and services

You can identify open ports and services by using Nmap.

nmap <IP>

nmap -sC -sV <IP>

Now you can search exploit by using searchsploit module available in Kali Linux.

searchsploit openssh

How to connect remote machine using SSH

You can connect remote machine by providing inputs username and hostname in below format. For successful connection, correct password need to be provided.

ssh <username>@<hostname>

You can also connect directly providing remote IP. You will get "Connection refused" if ssh service not open.


Enumeration of users by Metasploit Framework

Metasploit Framework is preinstalled on Kali Linux. You can run framework by using below command:


You can search different auxiliary and exploit modules by using the "search" operator. After identifying, you can use the "use" operator to run those modules against the target.

search ssh_enumusers

Other modules related to ssh also available in msfconsole.

search ssh_login

Bruteforce username and password

Once ssh port is open, use Seclists Wordlists to bruteforce username and password.

By using Nmap

Many scripts are available to enumerate ssh. You can display all available scripts by using below command:

ls /usr/share/nmap/scripts/ | grep ssh

Other options available with SSH

ssh -h


SSH is a secure protocol used by administrators to access remote devices in an unsecured network. This article covers ssh enumeration techniques that help penetration testers to gain access to remote devices.

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published.