# SSH Enumeration

**SSH (Secure Shell)** is a network protocol used to securely access and manage remote systems over an unsecured network. It operates over TCP port 22 by default but can be configured to use different ports for increased security. It is widely used to administer servers and transfer data securely over networks.

## SSH: Nmap Enumeration Scripts

**`ssh-auth-methods` -** Identifies the authentication methods supported by the SSH server.

```bash
nmap --script ssh-auth-methods -p 22 target-ip
```

**`ssh-brute` -** Performs a brute-force attack on SSH credentials using a list of usernames and passwords.

```bash
nmap --script ssh-brute -p 22 target-ip
```

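**`ssh-enum-algos` -** Enumerates the cryptographic algorithms supported by the SSH server. Stock Nmap has no script with this exact name; the bundled script is `ssh2-enum-algos`, so the command uses that name.

```bash
nmap --script ssh2-enum-algos -p 22 target-ip
```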

**`ssh-hostkey` -** Retrieves and displays the public SSH host keys for the target server.

```bash
nmap --script ssh-hostkey -p 22 target-ip
```

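**`ssh-vuln-cve2018-15473` -** Checks for the SSH vulnerability identified by CVE-2018-15473, which allows attackers to enumerate valid usernames. Stock Nmap does not bundle a script with this name, so the command works only if an NSE script of that name has been installed separately.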

```bash
nmap --script ssh-vuln-cve2018-15473 -p 22 target-ip
```

**`ssh2-enum-algos` -** Lists the key exchange, host key, encryption, MAC and compression algorithms the SSH server offers.

```bash
nmap --script ssh2-enum-algos -p 22 target-ip
```

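**`ssh-dss` -** Checks for the use of DSS (Digital Signature Standard) keys in SSH. Stock Nmap has no script named `ssh-dss`; it is the name of the DSA host key algorithm, which is listed under `server_host_key_algorithms` in `ssh2-enum-algos` output when the server offers it.

```bash
nmap --script ssh2-enum-algos -p 22 target-ip
```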

> **`nc <target> 22`**: This command uses the Netcat utility to connect to the specified target on port 22, commonly used for SSH communication. This process is also known as **banner grabbing**.

> **Banner grabbing** is a technique used to gather information about a service running on a specific port, such as the version of the software and the operating system.
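
As an added example (not part of the original notes), the Python code below parses the identification string an SSH server returns during banner grabbing, following the `SSH-protoversion-softwareversion SP comments` layout from RFC 4253 section 4.2, so you can see exactly what a server discloses. The function names and the sample banners are constructed for illustration.

```python
import re
import socket

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# softwareversion is matched loosely (\S+) because some vendors put "-" in it.
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

def parse_ssh_banner(raw: bytes) -> dict:
    """Parse the identification string out of the first bytes a server sent."""
    for line in raw.decode("ascii", errors="replace").split("\n"):
        line = line.rstrip("\r")
        # A server may send free-text lines before the identification string.
        if not line.startswith("SSH-"):
            continue
        m = IDENT_RE.match(line)
        if m is None:
            raise ValueError(f"malformed identification string: {line!r}")
        return {
            "proto": m["proto"],
            "software": m["software"],
            # Often a distribution package string, i.e. an operating system hint.
            "comments": m["comments"] or "",
            # 1.x, including 1.99 (RFC 4253 section 5.1): SSH-1 clients accepted.
            "accepts_ssh1": m["proto"].startswith("1."),
        }
    raise ValueError("no SSH identification string found")

def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Equivalent of `nc <target> 22`: connect, read the greeting, parse it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return parse_ssh_banner(s.recv(1024))

# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    b"Authorized use only\r\nSSH-1.99-OpenSSH_3.9p1\r\n",
    b"SSH-2.0-dropbear_2020.81\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(parse_ssh_banner(raw))
```

The first sample shows why the banner matters to a defender: product, version and distribution package are all readable before any authentication takes place.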

## SSH: SSH Dictionary Attack

* This command uses Hydra to perform a brute-force attack on the SSH service of the target machine using the specified username and the **rockyou.txt** wordlist for password guessing. Hydra will try each password from the **rockyou.txt** file to find a match for the given username.

```bash
hydra -l <user> -P /usr/share/wordlists/rockyou.txt <target> ssh
```

* This command scans the specified target for the SSH service on port 22 and uses Nmap's **`ssh-brute`** script to perform a brute-force attack against the **admin** username. The `userdb` script argument takes the path to a file of usernames, so `admin` here names a file listing the usernames to try; the script then attempts to guess the password by trying a variety of passwords.

```bash
nmap <target> -p 22 --script ssh-brute --script-args userdb=admin
```

* In `msfconsole`, the **`ssh_login`** auxiliary module is used to perform SSH login attempts on a target system to test credentials. This module tries various combinations of usernames and passwords to find valid login credentials.

```bash
use auxiliary/scanner/ssh/ssh_login
```

***


**Hacker's Mantra:** One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks. - Stephane Nappo

