SSH Enumeration

Techniques for discovering and analyzing SSH servers

Scanning for SSH Servers
Techniques to identify SSH servers on a network

Basic SSH Scan:

nmap -p 22 192.168.1.0/24

This command scans the specified subnet for hosts with TCP port 22 open. SSH is often moved to another port (2222 is a common choice), so a port-22-only sweep misses those servers; a full-port scan with service detection finds SSH wherever it listens.

Service Version Detection:

nmap -sV -p 22 192.168.1.1

This command grabs the SSH banner and reports the server software and version (for example OpenSSH 7.9p1), which is the starting point for matching known vulnerabilities. Administrators can alter or strip the banner, so treat it as a hint rather than proof of the running version.

Aggressive Scan:

nmap -A -p 22 192.168.1.1

This command performs OS detection, version detection, default script scanning, and traceroute. It is far noisier than a plain port scan and will show up in most intrusion detection logs.

SSH Scripts:

nmap --script ssh-auth-methods -p 22 192.168.1.1

This script reports the authentication methods the server offers (for example publickey, password, keyboard-interactive). Servers can offer different methods per user, so the result depends on the username the script authenticates as; the script argument ssh.user sets it.

SSH Brute Force Scripts:

nmap --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt -p 22 192.168.1.1

This command attempts to brute force SSH credentials using the specified username and password lists. It is slow, noisy, and can trigger account lockouts or fail2ban-style bans, so confirm that brute forcing is in scope before running it.
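The nmap sweeps above are normally saved with -oX and post-processed rather than read by eye. The following Python is an added example, not part of the original page: it parses nmap XML output, lists every open SSH service regardless of port, and flags OpenSSH releases below 7.8 as candidates for the CVE-2018-15473 username-enumeration check covered later on this page. The XML is a constructed sample, not real scan output; the 7.8 cutoff is the upstream fix version, so distributions that backport the fix will be flagged as well.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX scan.xml ...` output (not a real scan).
# It covers SSH on the default port, SSH on a non-standard port, a non-SSH
# service that must be ignored, and a closed port that must be ignored.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9p1 Ubuntu-10" extrainfo="Ubuntu Linux; protocol 2.0"/>
      </port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.1.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="2222"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0"/>
      </port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx"/>
      </port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.1.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed"/>
        <service name="ssh"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_ssh_services(xml_text):
    """Return one dict per open SSH service found in nmap XML output, any port."""
    found = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            if state is None or state.get("state") != "open" or service is None:
                continue
            if service.get("name") != "ssh":
                continue
            found.append({
                "host": addr,
                "port": int(port.get("portid")),
                "product": service.get("product", ""),
                "version": service.get("version", ""),
            })
    return found


def openssh_release(version_string):
    """Extract (major, minor) from an nmap version string such as '7.9p1 Ubuntu-10'."""
    m = re.match(r"(\d+)\.(\d+)", version_string)
    return (int(m.group(1)), int(m.group(2))) if m else None


def enum_candidates(services, fixed_in=(7, 8)):
    """OpenSSH releases below `fixed_in` fall in the range affected by
    CVE-2018-15473 (username enumeration); list them for follow-up."""
    candidates = []
    for s in services:
        release = openssh_release(s["version"])
        if s["product"] == "OpenSSH" and release is not None and release < fixed_in:
            candidates.append(s)
    return candidates


if __name__ == "__main__":
    services = parse_ssh_services(SAMPLE_NMAP_XML)
    for s in services:
        print(f"{s['host']}:{s['port']} {s['product']} {s['version']}")
    for s in enum_candidates(services):
        print(f"candidate for user enumeration check: {s['host']}:{s['port']}")
```

Feed it a real file with `parse_ssh_services(open("scan.xml").read())`; the closed port on 192.168.1.3 and the nginx service on 192.168.1.2 are dropped, and only the OpenSSH 7.4 host on port 2222 is flagged.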

SSH-Audit
Analyzing SSH server configurations for security issues

Basic SSH-Audit Scan:

ssh-audit 192.168.1.1

This command performs a basic audit of the SSH server configuration.

Specifying Port:

ssh-audit 192.168.1.1:2222

This command audits an SSH server running on a non-standard port.

JSON Output:

ssh-audit --json 192.168.1.1 >ssh_audit.json

This command saves the audit results in JSON format for further processing, for example diffing results across hosts or feeding findings into a tracker.

What SSH-Audit Checks:

  • SSH protocol version
  • Key exchange algorithms
  • Host key algorithms
  • Encryption algorithms (ciphers)
  • Message Authentication Code (MAC) algorithms
  • Known CVEs, inferred from the banner version (not verified by exploitation, so distributions that backport fixes produce false positives)
  • Compliance with built-in or custom hardening policies (policy audit mode)

Sample Output:

# Example output (abbreviated)
# general
(gen) banner: SSH-2.0-OpenSSH_7.9p1 Ubuntu-10
(gen) software: OpenSSH 7.9p1
(gen) compatibility: OpenSSH 7.3+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2018.76
(kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2018.76

# host-key algorithms
(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2
(key) ssh-rsa -- [warn] using weak hashing algorithm
                -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28

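As an added example (not from the page and not ssh-audit's own code), the following Python reads a --json report, groups every offered algorithm by the worst note level attached to it, and derives sshd_config directives that keep only the clean ones. The report is constructed to mirror the abbreviated text sample above, with a few extra weak entries added for illustration; the assumed JSON shape (kex/key/enc/mac lists of objects carrying "algorithm" and "notes" with fail/warn/info lists) is my reading of ssh-audit's output and should be checked against the version you run.

```python
import json

SECTIONS = ("kex", "key", "enc", "mac")
DIRECTIVE = {"kex": "KexAlgorithms", "key": "HostKeyAlgorithms",
             "enc": "Ciphers", "mac": "MACs"}

# Constructed `ssh-audit --json` report (abbreviated, not a real scan).
# Assumed shape: each section is a list of {"algorithm": ..., "notes": {...}}
# where notes may carry "fail", "warn" and "info" lists.
SAMPLE_SSH_AUDIT_JSON = """{
  "banner": {"raw": "SSH-2.0-OpenSSH_7.9p1 Ubuntu-10", "software": "OpenSSH_7.9p1", "protocol": "2.0"},
  "kex": [
    {"algorithm": "curve25519-sha256", "notes": {"info": ["available since OpenSSH 7.4, Dropbear SSH 2018.76"]}},
    {"algorithm": "diffie-hellman-group16-sha512", "notes": {"info": ["available since OpenSSH 7.3, Dropbear SSH 2018.76"]}},
    {"algorithm": "diffie-hellman-group14-sha256", "notes": {"info": ["available since OpenSSH 7.3, Dropbear SSH 2018.76"]}},
    {"algorithm": "diffie-hellman-group14-sha1", "notes": {"warn": ["using weak hashing algorithm"]}}
  ],
  "key": [
    {"algorithm": "rsa-sha2-512", "notes": {"info": ["available since OpenSSH 7.2"]}},
    {"algorithm": "rsa-sha2-256", "notes": {"info": ["available since OpenSSH 7.2"]}},
    {"algorithm": "ssh-rsa", "notes": {"warn": ["using weak hashing algorithm"], "info": ["available since OpenSSH 2.5.0, Dropbear SSH 0.28"]}}
  ],
  "enc": [
    {"algorithm": "chacha20-poly1305@openssh.com", "notes": {"info": ["available since OpenSSH 6.5"]}},
    {"algorithm": "aes128-cbc", "notes": {"fail": ["using weak cipher mode"]}}
  ],
  "mac": [
    {"algorithm": "hmac-sha2-256-etm@openssh.com", "notes": {"info": ["available since OpenSSH 6.2"]}},
    {"algorithm": "hmac-sha1", "notes": {"warn": ["using weak hashing algorithm"]}}
  ]
}"""


def load_report(text):
    """Parse the JSON text ssh-audit writes to stdout."""
    return json.loads(text)


def triage(report):
    """Group (section, algorithm) pairs by the worst note level: fail > warn > ok."""
    result = {"fail": [], "warn": [], "ok": []}
    for section in SECTIONS:
        for entry in report.get(section, []):
            notes = entry.get("notes", {})
            if notes.get("fail"):
                level = "fail"
            elif notes.get("warn"):
                level = "warn"
            else:
                level = "ok"
            result[level].append((section, entry["algorithm"]))
    return result


def sshd_config_lines(triaged):
    """Build sshd_config directives that offer only algorithms without fail/warn
    notes. Assumption: the clients you must support can negotiate what is left;
    check that before deploying, or you will lock out legacy clients."""
    keep = {s: [] for s in SECTIONS}
    for section, alg in triaged["ok"]:
        keep[section].append(alg)
    return [f"{DIRECTIVE[s]} {','.join(keep[s])}" for s in SECTIONS if keep[s]]


if __name__ == "__main__":
    report = load_report(SAMPLE_SSH_AUDIT_JSON)
    t = triage(report)
    print("banner:", report["banner"]["raw"])
    for level in ("fail", "warn"):
        for section, alg in t[level]:
            print(f"[{level}] ({section}) {alg}")
    print("\n# proposed sshd_config hardening (verify client compatibility first)")
    print("\n".join(sshd_config_lines(t)))
```

On a real report, replace the constant with `load_report(open("ssh_audit.json").read())`. Host-key changes need a restart of sshd and may require new key types to be generated; the other directives take effect on reload.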
Username Enumeration
Techniques to identify valid usernames on SSH servers

OpenSSH User Enumeration (CVE-2018-15473):

OpenSSH releases up to and including 7.7 (fixed in 7.8) leak whether a username exists. When the userauth request for a nonexistent user is malformed, sshd bails out before parsing it and returns a normal authentication failure; for an existing user it parses the whole packet, hits the malformed data and drops the connection. This is a response-difference bug rather than a timing attack, so it is reliable over the network. The version range refers to upstream releases; distributions may backport the fix, so validate against a control username that certainly does not exist.

# Using Metasploit
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS 192.168.1.1
set USER_FILE /path/to/usernames.txt
run

# Using a Python script
python ssh_user_enum.py --userlist /path/to/usernames.txt 192.168.1.1

Timing Attack:

Some SSH servers take measurably longer to reject a wrong password for an existing account than for a nonexistent one, because the real password hash is only computed when the account exists. The best-known case is OpenSSH before 7.3 (CVE-2016-6210): sending a very long password (tens of kilobytes) to a server that hashes passwords with SHA-256 or SHA-512 crypt makes the valid-user path slow enough to distinguish over the network.

Hydra only reports whether a login succeeded and prints no response times, so time single attempts externally (for example with the shell's time builtin) or script them:

# Using Hydra, one attempt at a time (-t 1), ignoring any restore file (-I)
hydra -l root -p invalidpassword -t 1 ssh://192.168.1.1 -I

Observe the response time differences between valid and invalid usernames. Repeat each measurement several times and compare against a control username that certainly does not exist (a random string), since network jitter can be larger than the signal.

Default Usernames:

Many systems have default or commonly used usernames that can be tried:

  • root
  • admin
  • user
  • guest
  • test
  • ubuntu (on Ubuntu systems)
  • ec2-user (on AWS EC2 instances)
  • pi (on Raspberry Pi)
  • oracle (on Oracle systems)
  • postgres (on PostgreSQL servers)

Username Generation:

Usernames can often be derived from known information about the target organization:

  • First name (john)
  • Last name (smith)
  • First initial + last name (jsmith)
  • First name + last initial (johns)
  • First initial + middle initial + last name (jasmith)
  • Email address format (john.smith)

Tools like username-anarchy can generate username lists based on naming conventions:

./username-anarchy --input-file names.txt --select-format first,first.last,f.last >usernames.txt

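An added example, not from the page and not username-anarchy's code: a small Python generator for the naming conventions listed above, with accent folding (so "José Núñez" yields jose.nunez) and de-duplication across names. The names are constructed, and the format labels (flast, firstl, fmlast) are my own and do not match username-anarchy's format names.

```python
import re
import unicodedata

# Constructed sample names (assumed to come from OSINT such as a company
# "team" page); not real people.
SAMPLE_NAMES = ["John Smith", "Jane A. Doe", "José Núñez", "Bob"]

# Each format maps (first, middle_initials, last) to a candidate username.
# fmlast needs a middle initial and yields None without one.
FORMATS = {
    "first":      lambda f, m, l: f,
    "last":       lambda f, m, l: l,
    "flast":      lambda f, m, l: f[0] + l,
    "firstl":     lambda f, m, l: f + l[0],
    "fmlast":     lambda f, m, l: f[0] + m[0] + l if m else None,
    "first.last": lambda f, m, l: f + "." + l,
}


def ascii_fold(text):
    """Strip accents: NFKD decomposition, then drop the combining marks."""
    return unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()


def split_name(full_name):
    """Return (first, middle_initials, last) in lowercase ASCII, or None if empty.
    A single-token name has an empty last name."""
    tokens = [re.sub(r"[^a-z0-9]", "", t) for t in ascii_fold(full_name).lower().split()]
    tokens = [t for t in tokens if t]
    if not tokens:
        return None
    first = tokens[0]
    last = tokens[-1] if len(tokens) > 1 else ""
    middle = "".join(t[0] for t in tokens[1:-1])
    return first, middle, last


def generate_usernames(names, formats=None):
    """Expand each name into candidates for the selected formats, deduplicated
    in first-seen order so the list can be written straight to a wordlist."""
    selected = list(formats) if formats else list(FORMATS)
    unknown = set(selected) - set(FORMATS)
    if unknown:
        raise ValueError(f"unknown format(s): {sorted(unknown)}")
    seen, out = set(), []
    for name in names:
        parts = split_name(name)
        if parts is None:
            continue
        first, middle, last = parts
        if not last:
            candidates = [first]   # nothing else can be derived from one token
        else:
            candidates = [FORMATS[k](first, middle, last) for k in selected]
        for cand in candidates:
            if cand and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    # Equivalent of redirecting to usernames.txt
    print("\n".join(generate_usernames(SAMPLE_NAMES)))
```

Pass `formats=["first.last", "flast"]` to restrict output to the conventions you have confirmed from a leaked email address or a known account; an unfiltered list multiplies every login attempt by the number of formats.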
Default Credentials
Identifying and testing for default SSH credentials

Common Default Credentials:

Many systems and devices come with default credentials that are often left unchanged:

  • root:root
  • admin:admin
  • admin:password
  • user:user
  • ubuntu:ubuntu
  • pi:raspberry (Raspberry Pi)
  • vagrant:vagrant (Vagrant boxes)
  • oracle:oracle (Oracle systems)
  • cisco:cisco (Cisco devices)

Testing Default Credentials:

# Using the SSH client (enter the default password when prompted)
ssh root@192.168.1.1

# Using Hydra with a username:password list
hydra -C default_creds.txt ssh://192.168.1.1

The -C option in Hydra reads a colon-separated file of username:password pairs and tries each pair exactly once, rather than the full cross product that -L and -P would produce; it replaces the -l/-L and -p/-P options rather than combining with them.

Default Credential Resources:

  • SecLists: A collection of multiple types of lists used during security assessments, including default credentials.
  • DefaultCreds-cheat-sheet: GitHub repository with default credentials for various devices and systems.
  • CIRT.net Default Password List: Comprehensive list of default credentials for various vendors.
  • Vendor Documentation: Often contains default credentials for initial setup.

Device-Specific Default Credentials:

Different types of devices often have specific default credentials. On embedded and industrial gear, try each credential once and slowly: repeated failures can lock the management interface or disrupt the device itself.

  • Routers and Switches: admin:admin, admin:password, cisco:cisco
  • IoT Devices: admin:admin, root:root, user:user
  • Network Attached Storage (NAS): admin:admin, admin:password
  • IP Cameras: admin:admin, admin:123456, root:pass
  • Industrial Control Systems: admin:1234, user:password