5e712b51-aaca-4be6-88e0-94e3684dc814_10._ssh_enumeration

SSH Enumeration is the process of gathering information about a target system's SSH service, crucial for penetration testing. It involves identifying service versions, authentication methods, valid usernames, and potential vulnerabilities. Common techniques include banner grabbing, brute-force login, and using tools like Metasploit and Nmap for effective enumeration.

Uploaded by

ahmed samir
Copyright
© All Rights Reserved

10. SSH Enumeration
Created @June 5, 2025 10:00 PM

Tags

Topic: SSH Enumeration


SSH Enumeration is the process of gathering information about a target system's
SSH (Secure Shell) service. It is a critical phase in penetration testing or
vulnerability assessment, especially when attempting to gain remote access to
servers.

1. What is SSH?
SSH (Secure Shell) is a secure remote login protocol used to access and
manage devices, primarily Unix/Linux systems.

It encrypts all communication, providing confidentiality and integrity.

SSH has replaced insecure protocols like Telnet and Rlogin.

Default port: 22/tcp, but it can be changed by administrators.

2. Why Enumerate SSH?


SSH enumeration helps identify:


SSH service version (which might have known vulnerabilities)

Supported authentication methods (password, key-based)

Valid usernames (if user enumeration is possible)

Brute-forceable accounts

Weak SSH configurations (e.g., root login enabled, outdated versions)

3. Common SSH Enumeration Techniques


Technique                      Purpose
Banner Grabbing                Identify SSH version and implementation (e.g., OpenSSH 7.2p2)
Brute-Force Login              Try common usernames and passwords
Username Enumeration           Some versions leak user info through response times or error messages
Key-based Auth Testing         Attempt login using stolen or guessed private keys
Config Analysis (post-access)  Identify if root login is allowed or password auth is disabled

4. Metasploit Modules for SSH Enumeration


Module                                  Purpose
auxiliary/scanner/ssh/ssh_version       Retrieve SSH service version (banner)
auxiliary/scanner/ssh/ssh_login         Perform brute-force login attempts
auxiliary/scanner/ssh/ssh_login_pubkey  Attempt login using a public key
auxiliary/scanner/ssh/ssh_enumusers     (If supported) Identify valid usernames

5. Sample Workflow
1. Scan for SSH port (22/tcp) using Nmap or Metasploit:

db_nmap -p22 -sV target_ip

2. Check SSH version:


use auxiliary/scanner/ssh/ssh_version
set RHOSTS target_ip
run

Expected Output:

[*] 192.168.1.10:22 - SSH server version: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3

3. Attempt password brute-force:

use auxiliary/scanner/ssh/ssh_login
set RHOSTS target_ip
set USERNAME root
set PASS_FILE /usr/share/wordlists/rockyou.txt
run

Expected Output:

[+] 192.168.1.10:22 - Login Successful: root:toor

4. Try key-based login (if you have keys):

use auxiliary/scanner/ssh/ssh_login_pubkey
set RHOSTS target_ip
set USERNAME user
set KEY_PATH /home/user/.ssh/id_rsa
run

6. Risks of Misconfigured SSH


Allowing root login over SSH.

Weak passwords or brute-forceable accounts.

Use of outdated SSH versions vulnerable to CVEs.


Missing rate limiting or 2FA for login attempts.
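
The risks above can be checked from the defender's side by auditing the server's own sshd_config. The following is an added example, not part of the original notes: the default values and the max_tries policy threshold are assumptions, and Include directives and Match overrides are not evaluated.

```python
# Added example: audit the global section of sshd_config text for the risks above.
DEFAULTS = {  # assumed OpenSSH defaults; verify against your installed version
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
}

def effective_settings(config_text):
    """Global settings sshd would apply: the first value per keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        tokens = line.replace("=", " ", 1).split()
        if not tokens:
            continue
        key = tokens[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # everything after Match is a conditional override
        if key in DEFAULTS and key not in seen and len(tokens) > 1:
            seen[key] = tokens[1].strip('"')
    return {**DEFAULTS, **seen}

def audit(config_text, max_tries=3):
    """Return a list of findings; max_tries is a hypothetical policy value."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root login is allowed over SSH")
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: accounts are brute-forceable")
    if int(s["maxauthtries"]) > max_tries:
        findings.append(f"MaxAuthTries {s['maxauthtries']}: above policy of {max_tries}")
    return findings

# Constructed sample configs, not taken from a real host.
WEAK = """# constructed sample
Port 22
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication=yes
Match User backup
    PasswordAuthentication no
"""
HARDENED = "PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n"

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

In the weak sample the second PermitRootLogin line has no effect because sshd keeps the first value it reads, which is why an audit that only looks at the last occurrence would miss the finding.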

7. Real-World Impact
SSH is often the first target for attackers on internet-facing systems.

Gaining SSH access typically means full control of the server.

Brute-forced SSH credentials are a common cause of compromise in the wild.

Summary
Aspect               Details
Default Port         22/tcp
Secure Replacement   Replaces Telnet/Rlogin
Protocol Layer       Application Layer (uses TCP)
Common Tools         Metasploit, Nmap, Hydra, Medusa
Goal of Enumeration  Version info, brute-force, user leaks

SSH Enumeration is foundational in remote exploitation. Understanding SSH
fingerprinting, login patterns, and misconfigurations can be the difference
between discovery and compromise.
