
SSH (Secure Shell) provides encrypted remote access to systems. During penetration tests, SSH services offer valuable reconnaissance opportunities and potential attack vectors.
Basic SSH discovery and version detection use Nmap with its version-detection flags. Detailed enumeration uses Nmap's SSH scripts. Banner grabbing with netcat reveals the version information directly.
SSH banners reveal valuable information: the protocol version, the implementation (for example OpenSSH), the version number (which can be matched against CVEs), and the distribution or patch level.
Discover which authentication methods are accepted using the Nmap ssh-auth-methods script or a manual connection with verbose output. Common methods include password, publickey, keyboard-interactive, and gssapi-with-mic.
SSH host keys can reveal system information. Key exchange algorithm enumeration identifies weak configurations. Indicators of a weak configuration include DSA host keys, MD5-based integrity (MAC) algorithms, CBC-mode ciphers, and small Diffie-Hellman groups.
Historical SSH vulnerabilities include CVE-2016-0777 and CVE-2016-0778 (client roaming), CVE-2018-15473 (username enumeration), and CVE-2019-6111 (SCP client vulnerabilities).
Enumeration data guides the next steps: password authentication enabled means a brute-force opportunity; an old version means check for matching CVEs; key-only authentication means keys need to be found or stolen.
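As an added example (not part of the Loopus lesson), the following Python turns the two enumeration artefacts described above into findings: it parses a captured SSH identification string into the fields the lesson lists, and flags the weak-algorithm indicators (DSA keys, MD5 MACs, CBC ciphers, small DH groups) in an offered-algorithm list. The sample banner and algorithm lists are constructed, and `parse_banner` / `audit_algorithms` are names chosen for this example.

```python
import re
from dataclasses import dataclass

# RFC 4253 identification string: "SSH-protoversion-softwareversion SP comments"
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

@dataclass
class SshFingerprint:
    protocol: str        # e.g. "2.0"
    implementation: str  # e.g. "OpenSSH"
    version: str         # e.g. "7.9p1", the part to match against advisories
    comments: str        # distribution / patch level, e.g. "Debian-10+deb10u2"

def parse_banner(banner: str) -> SshFingerprint:
    """Split an SSH identification line into the fields the lesson lists."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    # OpenSSH formats softwareversion as Name_Version; other servers may omit the underscore
    impl, _, ver = m.group("software").partition("_")
    return SshFingerprint(m.group("proto"), impl, ver, m.group("comments") or "")

# Weak-configuration indicators named in the lesson, keyed by algorithm category.
WEAK_CHECKS = {
    "kex": (re.compile(r"^diffie-hellman-group1-"), "small Diffie-Hellman group"),
    "host_key": (re.compile(r"^ssh-dss$"), "DSA host key"),
    "cipher": (re.compile(r"-cbc$"), "CBC mode cipher"),
    "mac": (re.compile(r"md5"), "MD5 integrity"),
}

def audit_algorithms(offered: dict) -> list:
    """Return one finding per offered algorithm that matches a weak-configuration indicator."""
    findings = []
    for category, names in offered.items():
        if category not in WEAK_CHECKS:
            continue
        pattern, reason = WEAK_CHECKS[category]
        findings.extend(f"{category}: {n} ({reason})" for n in names if pattern.search(n))
    return findings

# Constructed sample data standing in for a banner grab and an algorithm enumeration.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2"
SAMPLE_ALGOS = {
    "kex": ["curve25519-sha256", "diffie-hellman-group1-sha1"],
    "host_key": ["ssh-rsa", "ssh-dss"],
    "cipher": ["aes256-gcm@openssh.com", "aes128-cbc"],
    "mac": ["hmac-sha2-256", "hmac-md5"],
}

if __name__ == "__main__":
    fp = parse_banner(SAMPLE_BANNER)
    print(f"{fp.implementation} {fp.version} ({fp.comments}), protocol {fp.protocol}")
    for finding in audit_algorithms(SAMPLE_ALGOS):
        print("weak:", finding)
```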
What secures a remote connection?
What port does SSH use?
What exposes weak cryptography?
What script audits SSH?