WHOIS queries provide information about domain registration, including IP addresses and contact details.
whois example.com
This command retrieves registration information for the specified domain.
whois 192.168.1.1
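This command retrieves registration information for the specified IP address. 192.168.1.1 is a private (RFC 1918) address used here as a placeholder; a query for it returns only the special-use reservation record, so substitute the public address under review.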
theHarvester -d example.com -b all
This command uses theHarvester tool to gather email addresses from the target domain, which can be used to derive usernames.
python3 username-generator.py -f John -l Doe -o usernames.txt
This command generates potential usernames based on first and last names (e.g., jdoe, john.doe, j.doe).
Use wordlists like those found in SecLists to attempt common usernames:
cat /usr/share/seclists/Usernames/top-usernames-shortlist.txt
traceroute example.com
This command traces the route packets take to reach the target, revealing network infrastructure.
dig @ns1.example.com example.com axfr
This command attempts a zone transfer (AXFR) from ns1.example.com. If the server allows transfers to arbitrary clients, the response reveals all DNS records for the domain.
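A defender-side check for the zone transfer described above, as an added example that is not part of the original page: it classifies `dig ... axfr` output so the administrator of a zone can confirm each of its name servers refuses the transfer. The function names `classify_axfr` and `audit_zone` and the sample outputs are constructed for this illustration.

```bash
#!/bin/sh
# Added example: classify `dig @server zone axfr` output for a zone you administer.
# classify_axfr reads dig output on stdin and prints one of:
#   REFUSED       server rejected the transfer (expected for untrusted clients)
#   OPEN <n>      transfer completed; <n> resource records were disclosed
#   INCONCLUSIVE  timeout or no usable answer; re-test before concluding anything
classify_axfr() {
    awk '
        /Transfer failed/ { failed = 1 }          # dig prints "; Transfer failed."
        /^;/ || NF == 0   { next }                # skip dig comments and blank lines
        $3 == "IN"        { records++; if ($4 == "SOA") soa++ }
        END {
            # A complete AXFR starts and ends with the zone SOA record.
            if (failed)        print "REFUSED"
            else if (soa >= 2) print "OPEN " records
            else               print "INCONCLUSIVE"
        }'
}

# audit_zone ZONE: query every name server listed for ZONE (needs dig and network).
audit_zone() {
    for ns in $(dig +short NS "$1"); do
        printf '%s: ' "$ns"
        dig +time=5 +tries=1 "@$ns" "$1" axfr | classify_axfr
    done
}

# Constructed sample outputs (not captured from a real server).
sample_refused() {
    cat <<'EOF'
; <<>> DiG <<>> @ns1.example.com example.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
EOF
}

sample_open() {
    cat <<'EOF'
; <<>> DiG <<>> @ns1.example.com example.com axfr
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com.      3600 IN NS  ns1.example.com.
ssh.example.com.  3600 IN A   192.0.2.10
vpn.example.com.  3600 IN A   192.0.2.20
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
;; XFR size: 5 records (messages 1, bytes 250)
EOF
}
```

A server that reports OPEN should have transfers restricted to its secondaries (for example with BIND's `allow-transfer`) or authenticated with TSIG.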
sublist3r -d example.com
This command uses Sublist3r to enumerate subdomains, which might host SSH servers.