
SSH Pentesting -> Enumeration

Enumeration

Enumeration is a technique for discovering potential attack vectors in a target system.

Techniques

  • Port Scanning
  • Search Engines
  • Authentication Methods
  • Supported Algorithms
  • Host Keys

Port Scanning

Scanning the SSH port with nmap

┌──(cyberkhalid㉿kali)-[~/pentest/data]
└─$ nmap -sT -sV -p 22 10.42.0.21
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-07 01:29 EDT
Nmap scan report for 10.42.0.21
Host is up (0.00049s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.68 seconds

Authentication Methods

An authentication method is the mechanism a client uses to prove its identity to an SSH server. Two methods are widely used:

  • Password authentication (using user name and passwords)
  • Public key-based authentication (using public and private key pairs)

Enumerating authentication methods in use

┌──(cyberkhalid㉿kali)-[~/pentest/data]
└─$ nmap -sT --script ssh-auth-methods --script-args="ssh.user=root" -p 22 10.42.0.21
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-07 01:31 EDT
Nmap scan report for 10.42.0.21
Host is up (0.00050s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-auth-methods: 
|   Supported authentication methods: 
|     publickey
|_    password

Nmap done: 1 IP address (1 host up) scanned in 13.57 seconds

Search Engines

  • Shodan
  • Censys

Shodan

syntax

port:22

Finding SSH servers with Shodan

Censys

syntax

services.port=22

Finding SSH servers with Censys

Supported Algorithms

The cryptographic algorithms (key exchange, host key, encryption, MAC and compression) an SSH server offers for securing connections and authentication.

Enumerating supported algorithms

┌──(cyberkhalid㉿kali)-[~]
└─$ nmap -sT -p 22 --script ssh2-enum-algos 10.42.0.21
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-07 01:31 EDT
Nmap scan report for 10.42.0.21
Host is up (0.00050s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos: 
|   kex_algorithms: (9)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|   server_host_key_algorithms: (5)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds
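What the ssh2-enum-algos script reads is the server's SSH_MSG_KEXINIT message, whose name-lists are exactly the groups printed above. The following is an added example of mine, not code from the original post: it encodes and decodes a KEXINIT payload (RFC 4253 layout) and then checks the offered algorithms against a small deny-list, so the same logic can be run over any scan result. The WEAK set (SHA-1 based signature and MAC algorithms that common hardening guides disable) and the all-zero cookie are my assumptions.

```python
import struct

# Name-lists in SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ["kex_algorithms", "server_host_key_algorithms",
          "encryption_algorithms_c2s", "encryption_algorithms_s2c",
          "mac_algorithms_c2s", "mac_algorithms_s2c",
          "compression_algorithms_c2s", "compression_algorithms_s2c",
          "languages_c2s", "languages_s2c"]
SSH_MSG_KEXINIT = 20
# Assumed deny-list: SHA-1 signatures and SHA-1 MACs that hardening guides flag.
WEAK = {"ssh-rsa", "ssh-dss", "hmac-sha1", "hmac-sha1-etm@openssh.com"}

def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload (message body only, no packet framing or MAC).
    A real server sends a random 16-byte cookie; zeros are a constructed test value."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for f in FIELDS:
        names = ",".join(lists.get(f, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names  # uint32 length + name-list
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode the ten name-lists of a KEXINIT payload into a dict of lists."""
    assert payload[:1] == bytes([SSH_MSG_KEXINIT]), "not an SSH_MSG_KEXINIT payload"
    pos, out = 17, {}  # skip the message byte and the 16-byte cookie
    for f in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[f] = raw.split(",") if raw else []  # empty list encodes as length 0
        pos += 4 + n
    return out

def weak_algorithms(parsed):
    """Offered algorithms that appear in WEAK, sorted and de-duplicated."""
    return sorted({a for names in parsed.values() for a in names if a in WEAK})

# Constructed sample: the lists the ssh2-enum-algos scan above reported; OpenSSH
# advertises the same cipher, MAC and compression lists in both directions.
_kex = ["curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
        "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
        "diffie-hellman-group14-sha256"]
_hostkey = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ecdsa-sha2-nistp256", "ssh-ed25519"]
_enc = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
        "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"]
_mac = ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
        "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com",
        "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]
SAMPLE_LISTS = {"kex_algorithms": _kex, "server_host_key_algorithms": _hostkey,
                "encryption_algorithms_c2s": _enc, "encryption_algorithms_s2c": _enc,
                "mac_algorithms_c2s": _mac, "mac_algorithms_s2c": _mac,
                "compression_algorithms_c2s": ["none", "zlib@openssh.com"],
                "compression_algorithms_s2c": ["none", "zlib@openssh.com"]}
```

Running `weak_algorithms(parse_kexinit(build_kexinit(SAMPLE_LISTS)))` on the scan above reports `['hmac-sha1', 'hmac-sha1-etm@openssh.com', 'ssh-rsa']`, the entries a hardening pass on this host would remove from sshd_config.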

Host Keys

A host key is a cryptographic key used for authenticating computers in the SSH protocol. Host keys are key pairs, typically using the RSA, DSA, or ECDSA algorithms. Public host keys are stored on and/or distributed to SSH clients, and private keys are stored on SSH servers.

Retrieving host keys of a target system

┌──(cyberkhalid㉿kali)-[~/pentest/data]
└─$ nmap -sT --script ssh-hostkey --script-args ssh_hostkey=full -p 22 10.42.0.21
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-07 01:41 EDT
Nmap scan report for 10.42.0.21
Host is up (0.00040s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: 
|   ssh-rsa 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
|   ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAHzNKoQbAwJIFErvQBZJiGR1aPOGRjTSbSaHwpN1Sax8w0cEOk9R8OGWGGFCS4LwxHabEY/mPEjHilcLaIFLSU=
|_  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBg1/hr+sJJQC5dKH4mfxwFAbKQGrNrX0efgEmvgeg6h

Nmap done: 1 IP address (1 host up) scanned in 13.61 seconds

This post is licensed under CC BY 4.0 by the author.