Scanning

The second phase of SSH penetration testing: identifying and analyzing SSH services

Port Scanning
Techniques to identify open SSH ports and services

Nmap Scanning

Nmap is the most widely used port scanner, and its NSE script library includes several scripts written specifically for SSH.

Basic SSH Scan:

nmap -p 22 192.168.1.0/24

This command checks port 22 across the specified subnet. SSH is frequently moved to another port (2222 is a common choice), so follow up with a full-range scan of open ports (-p- --open) and identify SSH by service detection rather than by port number.

Service Version Detection:

nmap -sV -p 22 192.168.1.1

This command probes the service on port 22 and reports its product and version (for example OpenSSH 7.4) taken from the server's identification string. That version string is what later vulnerability lookups key on, so record it exactly.

Aggressive Scan:

nmap -A -p 22 192.168.1.1

This command combines OS detection, version detection, the default script set, and traceroute. It sends many probes and is easy to spot in logs, so use it only where that noise is acceptable.

SSH Scripts:

nmap --script ssh-auth-methods -p 22 192.168.1.1

This command reports the authentication methods the server advertises (for example publickey and password). The list can depend on the username probed, since sshd can restrict methods per user or group, so check the script's user argument when a specific account matters.

SSH Brute Force Scripts:

nmap --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt -p 22 192.168.1.1

This command attempts to guess SSH credentials from the given username and password lists. Online guessing is slow, noisy, and can trigger account lockouts or fail2ban-style blocking, so it normally belongs to the exploitation phase and should be run only with a small, targeted list and the client's agreement.
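Because SSH is so often moved off port 22, the practical next step after the scans above is to pull every port Nmap fingerprinted as ssh out of the scan output, whatever its number, and turn that into a target list for the tools in the next sections. The following Python is an added example, not code from this page or from the Nmap project. It parses Nmap's grepable (-oG) format as written by a run such as nmap -sV -p- --open -oG ssh.gnmap 192.168.1.0/24; the sample output embedded below is constructed for the example, not a real scan, and the version threshold is an assumed parameter.

```python
"""Pull SSH services out of Nmap grepable output, whatever port they sit on.

Added example for this page (not code from the page or from the Nmap project).
Reads the -oG format: each "Host:" line carries a tab-separated "Ports:" field whose
entries are port/state/protocol/owner/service/rpcinfo/version. SAMPLE_GNMAP is
constructed for this example, not captured from a real scan.
"""
import re
from typing import List, Optional, Tuple

VERSION_RE = re.compile(r"OpenSSH[_ ](\d+)\.(\d+)")


def openssh_version(version_info: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from Nmap's version column, or None if not OpenSSH."""
    m = VERSION_RE.search(version_info)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_grepable(text: str) -> List[dict]:
    """Return one record per open TCP port that Nmap identified as ssh, on any port."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                                  # comment lines, hosts with no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version_info = fields[:7]
            if state != "open" or proto != "tcp" or service != "ssh":
                continue
            found.append({"host": host, "port": int(port), "version_info": version_info,
                          "openssh": openssh_version(version_info)})
    return found


def targets(records: List[dict],
            max_version: Optional[Tuple[int, int]] = None) -> List[str]:
    """host:port lines (ssh-audit accepts this form); with max_version, only OpenSSH
    older than that version is kept, so non-OpenSSH servers are dropped from the list."""
    out = []
    for r in records:
        if max_version is not None and (r["openssh"] is None or r["openssh"] >= max_version):
            continue
        out.append(f"{r['host']}:{r['port']}")
    return out


# Constructed sample of -oG output (tab-separated fields, as Nmap writes them).
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated as: nmap -sV -p- --open -oG ssh.gnmap 192.168.1.0/24",
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/"
    "\tIgnored State: closed (65534)",
    "Host: 192.168.1.2 ()\tPorts: 80/open/tcp//http//nginx 1.18.0/, "
    "2222/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (protocol 2.0)/"
    "\tIgnored State: closed (65533)",
    "Host: 192.168.1.3 ()\tPorts: 22/open/tcp//ssh//Dropbear sshd 2019.78 (protocol 2.0)/"
    "\tIgnored State: closed (65534)",
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned in 412.07 seconds",
])

if __name__ == "__main__":
    records = parse_grepable(SAMPLE_GNMAP)
    for r in records:
        print(f"{r['host']}:{r['port']}  {r['version_info']}")
    print("OpenSSH older than 8.0:", targets(records, max_version=(8, 0)))
```

Feed the output of targets() to ssh-audit one line at a time, or to ssh-keyscan through a hosts file; the version filter is only a triage aid, since Dropbear and other non-OpenSSH servers are dropped by it and need to be reviewed separately.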

SSH Version and Configuration Analysis
Techniques to identify SSH version and configuration details

Banner Grabbing:

nc -v 192.168.1.1 22

This command uses netcat to connect to the SSH port and read the server's identification string (for example SSH-2.0-OpenSSH_7.4). The server sends this line before the client sends anything, so no handshake or credentials are needed; the software version it carries is the starting point for vulnerability lookups, and any text before the SSH- line is a pre-banner that some servers emit.

SSH Audit:

ssh-audit 192.168.1.1

This command runs ssh-audit, which completes the algorithm negotiation with the server, lists every key exchange, host key, cipher, and MAC algorithm it offers, grades each against known weaknesses, and lists CVEs associated with the reported server version.

SSH Client Connection:

ssh -v user@192.168.1.1

This command starts an SSH connection with verbose output. Before any password prompt it shows the negotiated key exchange, cipher, and MAC algorithms and the host key type; once a method is refused, the "Authentications that can continue:" line lists the methods the server still allows for that user.

Nmap SSH2 Enumeration:

nmap --script ssh2-enum-algos -p 22 192.168.1.1

This command enumerates the key exchange, host key, encryption, MAC, and compression algorithms the server offers, read from its SSH_MSG_KEXINIT message. The usual findings are anything based on SHA-1 or MD5, CBC-mode ciphers, 3DES, Blowfish, and arcfour.
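The banner grab and the ssh2-enum-algos script above are reading the first two things a server sends: its identification line and its SSH_MSG_KEXINIT. The following Python is an added example, not code from this page or from Nmap, OpenSSH, or ssh-audit. It parses both messages offline from a constructed sample and flags the algorithms a reviewer would question; the probe() function performs the same exchange against a live host. The sample server offering, the weak-algorithm sets (modelled on what ssh-audit reports), and the probe's client identification string are assumptions made for this example.

```python
"""Decode an SSH server's identification line and SSH_MSG_KEXINIT algorithm lists.

Added example for this page, not code from the page or from any SSH project.
Follows RFC 4253 sections 4.2 (identification string) and 7.1 (KEXINIT layout).
The sample server message is constructed here, and the WEAK_* sets are this
example's own choices, modelled on ssh-audit's reporting, not an authoritative list.
"""
import re
import socket
import struct

SSH_MSG_KEXINIT = 20
IDENT_RE = re.compile(rb"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
LIST_NAMES = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}
WEAK_HOSTKEY = {"ssh-dss", "ssh-rsa"}                    # SHA-1 signature schemes
WEAK_CIPHER_PREFIXES = ("3des-", "blowfish-", "arcfour", "cast128-")
WEAK_MAC = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}


def parse_identification(line: bytes) -> dict:
    """Split 'SSH-protoversion-softwareversion [comments]' into its fields."""
    m = IDENT_RE.match(line.rstrip(b"\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {k: (v.decode("ascii", "replace") if v is not None else None)
            for k, v in m.groupdict().items()}


def _name_list(buf: bytes, off: int):
    """Read one name-list: uint32 length followed by comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    names = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in names.split(",") if s], off + 4 + n


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload: message id, 16-byte cookie, ten name-lists, boolean."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    off, out = 17, {}                                 # skip message id and cookie
    for name in LIST_NAMES:
        out[name], off = _name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def build_kexinit(lists: dict, cookie: bytes = bytes(16)) -> bytes:
    """Encode a KEXINIT payload; used here to construct the sample server message."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in LIST_NAMES:
        joined = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(joined)) + joined
    return body + b"\x00" + struct.pack(">I", 0)      # first_kex_packet_follows, reserved


def weak_algorithms(kex: dict) -> dict:
    """Pick out the weak entries of each list the server offered."""
    ciphers = set(kex["enc_c2s"]) | set(kex["enc_s2c"])
    macs = set(kex["mac_c2s"]) | set(kex["mac_s2c"])
    return {
        "kex": sorted(a for a in kex["kex"] if a in WEAK_KEX),
        "hostkey": sorted(a for a in kex["hostkey"] if a in WEAK_HOSTKEY),
        "cipher": sorted(c for c in ciphers
                         if c.startswith(WEAK_CIPHER_PREFIXES) or c.endswith("-cbc")),
        "mac": sorted(m for m in macs if m in WEAK_MAC),
    }


def probe(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Live probe: send our identification line, read the server's, then its KEXINIT.
    sshd sends KEXINIT only after it has read the client's identification line."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(b"SSH-2.0-probe_0.1\r\n")            # assumed client identification
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send pre-banner text
            line = f.readline()
        (plen,) = struct.unpack(">I", f.read(4))      # unencrypted binary packet header
        pad = f.read(1)[0]
        payload = f.read(plen - 1)[:plen - 1 - pad]   # drop random padding
        return {"ident": parse_identification(line), "kexinit": parse_kexinit(payload)}


# Constructed sample of what an older server might offer (not a real capture).
SAMPLE_IDENT = b"SSH-2.0-OpenSSH_7.4 Debian-10\r\n"
_ENC = ["aes256-gcm@openssh.com", "aes128-cbc", "3des-cbc"]
_MAC = ["hmac-sha2-256", "hmac-sha1", "hmac-md5"]
SAMPLE_KEXINIT = build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-ed25519", "ssh-rsa"],
    "enc_c2s": _ENC, "enc_s2c": _ENC, "mac_c2s": _MAC, "mac_s2c": _MAC,
    "comp_c2s": ["none", "zlib@openssh.com"], "comp_s2c": ["none", "zlib@openssh.com"],
})

if __name__ == "__main__":
    print(parse_identification(SAMPLE_IDENT))
    print(weak_algorithms(parse_kexinit(SAMPLE_KEXINIT)))
```

probe() reads only the server's first binary packet, which is unencrypted and unauthenticated at that point in the protocol, so it needs no credentials and leaves the connection before any key exchange completes; on the server side it shows up as a connection that dropped during negotiation.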

Vulnerability Scanning
Techniques to identify vulnerabilities in SSH servers

Nmap Vulnerability Scanning:

nmap --script vuln -p 22 192.168.1.1

This command runs the NSE scripts in the vuln category against the SSH port. Most of them match on the version string rather than exercising a flaw, so treat a hit as a lead to verify against the exact version and backported patches, not as a confirmed vulnerability.

OpenVAS/Greenbone:

Use OpenVAS/Greenbone Vulnerability Management to run a comprehensive vulnerability scan of the SSH server; it correlates the detected version and the algorithms the server offers with its vulnerability test feed and reports each finding with a severity.

Metasploit:

use auxiliary/scanner/ssh/ssh_version

This Metasploit module (set RHOSTS to the target or range, then run it) records the SSH version string of each host in the database, which can be cross-referenced with known vulnerabilities.

Common SSH Vulnerabilities (historic examples, all fixed in current releases; confirm the exact version from the banner, including distribution backports, before reporting any of them):

  • CVE-2018-10933 (libssh server-side authentication bypass)
  • CVE-2016-0777 (OpenSSH client roaming information leak)
  • CVE-2008-5161 (OpenSSH CBC-mode plaintext recovery)
  • CVE-2006-5051 (OpenSSH pre-authentication signal handler race condition)

SSH Configuration Analysis
Analyzing SSH server configurations for security weaknesses

Key Exchange Algorithms:

ssh -Q kex

This command lists the key exchange algorithms your SSH client supports; compare the list with what the server offers (from ssh-audit or ssh2-enum-algos) to see which algorithms can actually be negotiated and whether any weak one is common to both sides. The same switch accepts mac and key to list MAC and host key algorithms.

Cipher Algorithms:

ssh -Q cipher

This command lists the cipher algorithms your SSH client supports. The client list is not a finding by itself; the issue is a weak cipher that the server offers and a client will accept.

Common Misconfigurations:

  • Weak ciphers (e.g., 3des-cbc, blowfish-cbc, arcfour, and any CBC-mode cipher)
  • Weak MAC algorithms (e.g., hmac-md5, hmac-sha1, and their -96 truncated variants)
  • Password authentication enabled (exposes every account to online guessing)
  • Root login permitted (PermitRootLogin yes)
  • Old protocol versions (SSH v1) and SHA-1 based key exchange such as diffie-hellman-group1-sha1
  • Default or predictable host keys (keys baked into appliance firmware or copied along with a cloned VM image; several hosts presenting the same host key fingerprint is the giveaway)
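The last item in the list is the one most easily missed by per-host tools, because each host looks fine on its own. The following Python is an added example, not code from this page or from OpenSSH. It reads the output of ssh-keyscan (for example ssh-keyscan -t ed25519,rsa -f hosts.txt > keys.txt, whose lines are host, key type, and base64 key blob), computes OpenSSH-style SHA256 fingerprints, reports any fingerprint shared by more than one host, and also flags DSA host keys and RSA host keys below an assumed 2048-bit threshold. The key material in the sample is synthetic, built in the code, not captured from real hosts.

```python
"""Flag shared and small SSH host keys from ssh-keyscan output.

Added example for this page (not code from the page or from OpenSSH).
Input is ssh-keyscan stdout: "<host> <keytype> <base64 blob>" per line; "#" lines are
skipped so a file that also captured stderr parses. SAMPLE_KEYSCAN below is constructed
from synthetic blobs, and min_rsa_bits=2048 is an assumed policy threshold.
"""
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Iterator, Optional, Tuple


def _string(b: bytes) -> bytes:
    """SSH 'string' encoding: uint32 length prefix."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH 'mpint' encoding: big-endian, with a leading zero byte if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_bits(blob: bytes) -> Optional[int]:
    """RSA modulus size in bits (blob is string type, mpint e, mpint n); None otherwise."""
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        return None
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def parse_keyscan(text: str) -> Iterator[Tuple[str, str, bytes]]:
    """Yield (host, keytype, blob) for each ssh-keyscan line; skip comments and blanks."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, ktype, b64 = line.split()[:3]
        yield host, ktype, base64.b64decode(b64)


def audit_hostkeys(text: str, min_rsa_bits: int = 2048) -> dict:
    """Return {'shared': {fingerprint: [hosts]}, 'weak': [(host, reason)]}."""
    by_fp = defaultdict(list)
    weak = []
    for host, ktype, blob in parse_keyscan(text):
        by_fp[fingerprint(blob)].append(host)
        if ktype == "ssh-dss":
            weak.append((host, "DSA host key"))
        bits = key_bits(blob)
        if bits is not None and bits < min_rsa_bits:
            weak.append((host, f"RSA host key only {bits} bits"))
    shared = {fp: hosts for fp, hosts in by_fp.items() if len(set(hosts)) > 1}
    return {"shared": shared, "weak": weak}


# Constructed sample: two appliances sharing one ed25519 key (a cloned firmware image)
# and one host with a 1024-bit RSA key. The key bytes are synthetic, not real keys.
_SHARED_ED25519 = _string(b"ssh-ed25519") + _string(bytes(range(32)))
_UNIQUE_ED25519 = _string(b"ssh-ed25519") + _string(bytes(range(32, 64)))
_SMALL_RSA = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 0x10001)
SAMPLE_KEYSCAN = "\n".join([
    "# 192.168.1.10:22 SSH-2.0-OpenSSH_7.4",
    f"192.168.1.10 ssh-ed25519 {base64.b64encode(_SHARED_ED25519).decode()}",
    f"192.168.1.11 ssh-ed25519 {base64.b64encode(_SHARED_ED25519).decode()}",
    f"192.168.1.12 ssh-ed25519 {base64.b64encode(_UNIQUE_ED25519).decode()}",
    f"192.168.1.12 ssh-rsa {base64.b64encode(_SMALL_RSA).decode()}",
])

if __name__ == "__main__":
    report = audit_hostkeys(SAMPLE_KEYSCAN)
    for fp, hosts in report["shared"].items():
        print(f"shared host key {fp}: {', '.join(hosts)}")
    for host, reason in report["weak"]:
        print(f"{host}: {reason}")
```

A shared host key across unrelated hosts means the private key is in a firmware image or template that anyone can extract, so every host using it can be impersonated; the fingerprint format matches what ssh-keygen -lf prints, so the hits can be confirmed against the vendor's published default keys or a client's known_hosts file.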