Quick Tutorial: SSH Enumeration for Penetration Testers

SSH, short for Secure Shell, is a service that helps in remotely manage infrastructure in a secure manner. Whenever an administrator wants to access a remote machine, ssh is a genuine choice. SSH provides both password and public key-based authentication. This protocol also encrypts communication by using strong cryptographic algorithms that mitigate Man in the Middle (MitM) attacks. The default port of the ssh server is 22.

This article covers SSH Enumeration techniques for Penetration Testers that help them to extract sensitive information and unauthorized access.


  • Secure access to the remote devices.
  • Secure file transfer
  • Run commands on remote devices in a secure manner
  • Help in managing network devices and servers securely. Extensive use in managing data centers.

How can you identify open ports and services?

You can identify open ports and services by using Nmap.

nmap <IP>

nmap -sC -sV <IP>

Now you can search for exploits by using searchsploit module available in Kali Linux.

searchsploit openssh

How to connect remote machine using SSH

You can connect remote machine by providing the inputs username and hostname in the below format. For a successful connection, a correct password needs to be provided.

ssh <username>@<hostname>

You can also connect directly providing remote IP. You will get "Connection refused" if the ssh service is not open.


Enumeration of users by Metasploit Framework

Metasploit Framework is preinstalled on Kali Linux. You can run the framework by using the below command:


You can search different auxiliary and exploit modules by using the "search" operator. After identifying, you can use the "use" operator to run those modules against the target.

search ssh_enumusers

Other modules related to ssh are also available in msfconsole.

search ssh_login

Bruteforce username and password

Once the ssh port is open, use Seclists Wordlists to brute force username and password.

By using Nmap

Many scripts are available to enumerate ssh. You can display all available scripts by using the below command:

ls /usr/share/nmap/scripts/ | grep ssh

Other options available with SSH

ssh -h


SSH is a secure protocol used by administrators to access remote devices in an unsecured network. This article covers ssh enumeration techniques that help penetration testers to gain access to remote devices.

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *