SSH Enumeration

#Overview

Secure Shell (SSH) operates on TCP port 22 and is the standard protocol for remote command-line access to Linux/Unix systems and increasingly Windows hosts (via OpenSSH Server). SSH enumeration focuses on identifying the SSH server version, supported authentication methods, supported algorithms (for cryptographic weaknesses), and in some cases, valid usernames through timing-based or response-based enumeration techniques.

#Prerequisites

  • Tools: nc, ssh, ssh-audit.py, nmap, Metasploit (auxiliary/scanner/ssh/ssh_version, ssh_enumusers)
  • Access Level: Network access to port 22

#Detection & Enumeration

```bash
# Simple banner grab with nc
nc -nv 10.10.11.11 22

# Using ssh client for banner
ssh -v user@10.10.11.11 2>&1 | grep -i "remote protocol\|OpenSSH"

# nmap version detection
nmap -sV -p 22 10.10.11.11
```

Sample banner output:

```text
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11
```

This reveals: protocol version (2.0), server software (OpenSSH 8.2p1), and OS (Ubuntu with patch level 4ubuntu0.11).
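As an added example (not part of the original module), a small Python parser for the identification string above: it pulls out the fields the text names and checks the advertised release against the CVE-2018-15473 threshold the module states. Both regexes are assumptions about common vendor banner layouts, not a full RFC 4253 grammar.

```python
import re

# Identification string per RFC 4253: SSH-protoversion-softwareversion [SP comments]
# Both patterns are assumptions about common vendor layouts, not a full grammar.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:[ \t]+(?P<comment>.+))?$"
)
OPENSSH_RE = re.compile(
    r"^OpenSSH(?:_for_Windows)?_(?P<major>\d+)\.(?P<minor>\d+)(?P<patch>p\d+)?"
)
# The module states OpenSSH 7.7 and earlier are affected (fixed in 7.8).
CVE_2018_15473_MAX = (7, 7)


def parse_banner(banner: str) -> dict:
    """Split an SSH banner into protocol, software, version and distro parts."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    comment = m.group("comment") or ""
    # Debian/Ubuntu append "<Distro>-<package revision>", e.g. Ubuntu-4ubuntu0.11
    distro, _, distro_patch = comment.partition("-")
    info = {
        "protocol": m.group("proto"),  # "1.99" means SSH-1 is offered as well
        "software": m.group("software"),
        "distro": distro or None,
        "distro_patch": distro_patch or None,
        "openssh_version": None,
        "windows": "_for_Windows" in m.group("software"),
    }
    o = OPENSSH_RE.match(info["software"])
    if o:
        info["openssh_version"] = (int(o.group("major")), int(o.group("minor")))
    return info


def user_enum_cve_candidate(info: dict) -> bool:
    """True when the advertised OpenSSH release falls in the range the module
    lists for CVE-2018-15473. Distros backport fixes, so treat this as a lead
    to verify, not a confirmed finding."""
    version = info["openssh_version"]
    return version is not None and version <= CVE_2018_15473_MAX
```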

#Comprehensive SSH Audit (ssh-audit.py)

```bash
# Full security audit (version, algorithms, vulnerabilities)
ssh-audit.py 10.10.11.11

# JSON output for parsing
ssh-audit.py -j 10.10.11.11 | tee ssh_audit.json

# Key information from ssh-audit:
# - Server version and CVEs
# - Supported key exchange algorithms
# - Supported ciphers (weak CBC modes flagged)
# - Supported MAC algorithms
# - Host key types and lengths
# - Compression support
```

#Authentication Method Enumeration

```bash
# Attempt connection with specific auth method
ssh -o PreferredAuthentications=password -v user@10.10.11.11 2>&1

# Check if public key authentication is allowed
ssh -o PreferredAuthentications=publickey -o PasswordAuthentication=no -v user@10.10.11.11 2>&1

# Check if keyboard-interactive is supported
ssh -o PreferredAuthentications=keyboard-interactive -v user@10.10.11.11 2>&1
```

#User Enumeration via Timing/Response

```bash
# Metasploit SSH user enumeration (CVE-2018-15473 for older OpenSSH)
msfconsole -q -x "use auxiliary/scanner/ssh/ssh_enumusers; set RHOSTS 10.10.11.11; set USER_FILE users.txt; run"

# Manual timing-based test (valid users respond differently than invalid ones)
time ssh -o StrictHostKeyChecking=no -o NumberOfPasswordPrompts=1 invaliduser@10.10.11.11 2>&1
time ssh -o StrictHostKeyChecking=no -o NumberOfPasswordPrompts=1 validuser@10.10.11.11 2>&1

# OpenSSH versions 7.7 and earlier are vulnerable to CVE-2018-15473
# This vulnerability allows user enumeration by observing response differences
# in the authentication protocol exchange.
```

#Host Key Retrieval

```bash
# Retrieve SSH host key fingerprints
ssh-keyscan 10.10.11.11

# Retrieve all key types
ssh-keyscan -t rsa,dsa,ecdsa,ed25519 10.10.11.11
```
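The lines ssh-keyscan prints are what let you recognise one machine behind several addresses. This added Python example (not from the module) parses keyscan output, computes the SHA256 fingerprint the same way `ssh-keygen -lf` does, checks that the type column agrees with the key blob, and groups hosts by fingerprint. The key blobs and addresses are constructed, not real keys or hosts.

```python
import base64, hashlib, struct
from collections import defaultdict

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def key_type_from_blob(blob: bytes) -> str:
    """The first wire string inside a public key blob names its algorithm."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def fingerprint_sha256(blob: bytes) -> str:
    """Same form as `ssh-keygen -lf`: SHA256 of the blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_keyscan(output: str) -> list:
    """Parse ssh-keyscan lines `<host> <type> <base64 blob>`, skipping comments."""
    records = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, ktype, b64 = line.split()[:3]
        blob = base64.b64decode(b64)
        if key_type_from_blob(blob) != ktype:  # mislabelled or corrupted line
            raise ValueError(f"{host}: type column {ktype} disagrees with key blob")
        records.append({"host": host, "type": ktype, "fingerprint": fingerprint_sha256(blob)})
    return records

def group_by_fingerprint(records: list) -> dict:
    """Hosts sharing a fingerprint are one machine, a clone, or one box behind NAT."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["fingerprint"]].append(rec["host"])
    return dict(groups)

# Constructed sample: synthetic ed25519 blobs and addresses, not real keys or hosts.
def _fake_ed25519(seed: int) -> str:
    raw = bytes((seed + i) % 256 for i in range(32))
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw)).decode()

SAMPLE_KEYSCAN = "\n".join([
    "# 10.10.11.11:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11",
    f"10.10.11.11 ssh-ed25519 {_fake_ed25519(0)}",
    f"10.10.11.12 ssh-ed25519 {_fake_ed25519(0)}",  # same key: same box via another IP
    f"10.10.11.13 ssh-ed25519 {_fake_ed25519(100)}",
])
```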

#SSH Tunneling (Critical for Post-Exploitation)

```bash
# SSH tunneling (critical for post-exploitation)
ssh -L 8080:127.0.0.1:80 user@pivot     # Local port forward (access remote service locally)
ssh -R 8080:127.0.0.1:80 user@pivot     # Remote port forward (expose local service remotely)
ssh -D 1080 user@pivot                  # Dynamic SOCKS proxy (proxy all traffic through pivot)
```

#Additional SSH Tools

```bash
# ssh-audit (the same tool as ssh-audit.py above, installed from PyPI)
pip install ssh-audit
ssh-audit 10.10.10.10                   # Check SSH config, key exchange, encryption, MACs

# SSH key scanning
ssh-keyscan -t rsa,ecdsa,ed25519 10.10.10.10  # Get host keys without authenticating

# nmap SSH scripts
nmap --script ssh2-enum-algos -p 22 10.10.10.10   # Enumerate SSH algorithms
nmap --script ssh-hostkey -p 22 10.10.10.10       # Get SSH host key fingerprint
```
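To act on the ssh2-enum-algos output, this added Python example (not from the module or nmap) parses the script's output into per-section algorithm lists and flags the weak classes the module calls out: CBC-mode ciphers, SHA-1/MD5 MACs, SHA-1 and 1024-bit DH key exchange, and SHA-1-signed host key types. The sample output is constructed in the script's layout, and the weak-name rules are an assumption, not a complete hardening policy.

```python
import re

# Rules mirror the weaknesses the module lists; an assumption, not a full policy.
WEAK_RULES = {
    "kex_algorithms": lambda a: a in ("diffie-hellman-group1-sha1",  # 1024-bit group
                                      "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"),
    "server_host_key_algorithms": lambda a: a in ("ssh-dss", "ssh-rsa"),  # SHA-1 signatures
    "encryption_algorithms": lambda a: a.endswith("-cbc") or a.startswith("arcfour"),
    "mac_algorithms": lambda a: "sha1" in a or "md5" in a,
}
SECTION_RE = re.compile(r"^\|\s+(?P<name>\w+): \(\d+\)$")
ALGO_RE = re.compile(r"^\|_?\s+(?P<algo>\S+)$")

def parse_enum_algos(text: str) -> dict:
    """Turn `nmap --script ssh2-enum-algos` output into {section: [algorithm, ...]}."""
    algos, section = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            algos[section] = []
        elif section and (m := ALGO_RE.match(line)):
            algos[section].append(m.group("algo"))
    return algos

def weak_algorithms(algos: dict) -> dict:
    """Return only the algorithms that match a weak rule, per section."""
    return {sec: [a for a in algos.get(sec, []) if rule(a)] for sec, rule in WEAK_RULES.items()}

# Constructed sample in the script's output layout (not a real scan).
SAMPLE_NMAP = """\
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       curve25519-sha256
|       diffie-hellman-group-exchange-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ssh-ed25519
|   encryption_algorithms: (2)
|       aes128-cbc
|       3des-cbc
|   mac_algorithms: (2)
|       hmac-sha1
|       hmac-md5
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""
```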

#Common Pitfalls

  • SSH banner grabbing with nc only shows the initial protocol banner. Use ssh -v for full debug output showing algorithm negotiation.
  • Old OpenSSH versions return error messages differently for valid vs. invalid users (CVE-2018-15473, patched in 7.8+). Modern implementations return a generic "Permission denied" for both.
  • Timing-based user enumeration is unreliable over networks with variable latency. Multiple samples are needed, and differences are often negligible on modern OpenSSH.
  • SSH servers may be configured to trim their version banner. The DebianBanner option on Debian/Ubuntu systems suppresses the distribution suffix (e.g. Ubuntu-4ubuntu0.11), so the package patch level disappears while the OpenSSH version itself stays visible.
  • Windows OpenSSH behaves differently from Linux OpenSSH in terms of authentication flow and may return different error patterns.

#OPSEC Considerations

  • SSH banner grabbing is a single TCP connection and blends in with normal network activity. SSH servers are probed constantly by bots and scanners, making a single connection unremarkable.
  • User enumeration attempts generate failed authentication events (auth.log on Linux, Security Event Log 4625 on Windows). Multiple failed attempts from the same IP targeting different usernames are a clear brute-force/enumeration pattern.
  • ssh-audit.py establishes an SSH connection and negotiates algorithms but does not authenticate. This is logged as a connection attempt but does not generate a failed authentication event (no username/password is sent).
  • SSH connection attempts to unusual source IPs are more likely to trigger alerts. An SSH connection from an IP in an unexpected geographic region is flagged by geolocation-based rules.
  • Repeated TCP connections to port 22 (from user enumeration) are a strong IOC. Limit attempts and space them out if stealth is required.
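The auth.log pattern described above, as an added detection example (not part of the module): it parses the sshd messages that carry a username before authentication succeeds and flags a source IP that tries several distinct names inside a short window, which separates enumeration from a single-account brute force. It assumes the traditional syslog timestamp format; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd messages that carry a username before authentication succeeds.
USER_PATTERNS = [
    re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(r"Connection closed by (?:authenticating|invalid) user (?P<user>\S+) (?P<ip>[\d.]+)"),
]
# Traditional syslog prefix assumed; ISO-8601 or journald timestamps would need another pattern.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

def parse_auth_events(lines, year=2024):
    """Return (timestamp, source_ip, username) for each pre-auth sshd event."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        for pat in USER_PATTERNS:
            u = pat.search(m.group("msg"))
            if u:
                events.append((ts, u.group("ip"), u.group("user")))
                break
    return events

def find_enumeration(events, window_s=300, min_users=3):
    """Source IPs trying >= min_users distinct names within window_s seconds (one name
    hammered repeatedly is brute force rather than enumeration and is not counted)."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if (t - start).total_seconds() <= window_s}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

# Constructed sample auth.log lines (host, names and addresses are invented).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web01 sshd[1234]: Invalid user admin from 10.10.14.5 port 51234
Mar  3 10:15:01 web01 sshd[1234]: Failed password for invalid user admin from 10.10.14.5 port 51234 ssh2
Mar  3 10:15:03 web01 sshd[1236]: Invalid user test from 10.10.14.5 port 51236
Mar  3 10:15:05 web01 sshd[1238]: Failed password for backup from 10.10.14.5 port 51238 ssh2
Mar  3 10:15:07 web01 sshd[1240]: Connection closed by authenticating user root 10.10.14.5 port 51240 [preauth]
Mar  3 10:20:00 web01 sshd[1300]: Failed password for backup from 192.168.1.20 port 40000 ssh2
""".splitlines()
```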

#Post-Exploitation Value

  • SSH version information matches against known CVEs (e.g., OpenSSH 8.2 has CVE-2020-15778 for scp command injection; older versions have user enumeration).
  • Weak algorithms (CBC ciphers, SHA1 MACs, small DH primes) may be exploitable in man-in-the-middle scenarios.
  • Valid username list enables credential brute-force or password spraying attacks.
  • SSH keys found during local enumeration (id_rsa in home directories) can be tested against the SSH service.
  • Host key fingerprints help identify the same host across different IPs or confirm machine identity.

#Cross-References

#Tool References

| Tool | Description | Link |
|---|---|---|
| nc (netcat) | Raw TCP/UDP connection tool | Built into most Linux distros |
| ssh | OpenSSH client | Built into all Unix-like systems |
| ssh-audit.py | SSH server security audit | https://github.com/jtesta/ssh-audit |
| ssh-keyscan | SSH host key collector | Built into OpenSSH |
| Metasploit | SSH version and user enumeration modules | https://www.metasploit.com/ |

#Source Machines

  • BoardLight (Easy, Linux) -- SSH on port 22 (OpenSSH 8.2p1 Ubuntu), credentials from Dolibarr config file (larissa)
  • Broker (Easy, Linux) -- SSH available but not primary foothold vector (ActiveMQ exploit used instead)
  • Soccer (Easy, Linux) -- SSH accessible with credentials from WebSocket SQLi (player:PlayerOftheMatch2022)