0) What is SSH?
Secure Shell (SSH) is a cryptographic network protocol that allows secure remote access to systems and services over an unsecured network. It typically runs on port 22 and is used for administration, file transfers (SCP/SFTP), and tunneling. Misconfigurations or weak credentials often make SSH a prime target during penetration testing.
1) Recon Phase
Identify SSH service and version information.
nmap -sV -p 22 [targetip]
Reports whether port 22 is open and the service banner, from which nmap derives the OpenSSH version and often an OS hint.
nmap -p 22 --script ssh-hostkey,ssh2-enum-algos [targetip]
Gathers supported encryption algorithms, authentication methods, and host key fingerprints.
2) Enumeration Phase
Enumeration focuses on identifying potential weak points in configuration, user credentials, and algorithms.
# Attempt connection
ssh [user]@[targetip]
# Banner grabbing
nc [targetip] 22
The first line the server sends is its identification banner. Note the software and version it reports (e.g., "OpenSSH 7.2p2 Ubuntu 4ubuntu2.8"); older releases may carry known vulnerabilities.
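Reading one banner by hand is fine; across a scan it helps to parse them. The following Python is an added example (not code from the original page) that parses the RFC 4253 identification string returned by nc or nmap, extracts the OpenSSH version, and marks servers below a policy baseline. The baseline of 8.0, the host addresses and the banner strings are all constructed for the demo.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class SshBanner(NamedTuple):
    protocol: str                                # e.g. "2.0"
    software: str                                # e.g. "OpenSSH_7.2p2"
    comment: Optional[str]                       # e.g. "Ubuntu-4ubuntu2.8"; often absent
    openssh_version: Optional[Tuple[int, int]]   # (major, minor) when the server is OpenSSH


# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<sw>\S+)(?: (?P<comment>.*))?$")
# OpenSSH identifies as OpenSSH_<major>.<minor>[p<patch>]; Windows builds add "for_Windows_"
_OPENSSH_RE = re.compile(r"^OpenSSH_(?:for_Windows_)?(?P<major>\d+)\.(?P<minor>\d+)")


def parse_banner(line: str) -> SshBanner:
    """Parse one identification string as printed by `nc host 22` or recorded by nmap -sV."""
    line = line.rstrip("\r\n")
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    software = m.group("sw")
    version = None
    vm = _OPENSSH_RE.match(software)
    if vm:
        version = (int(vm.group("major")), int(vm.group("minor")))
    return SshBanner(m.group("proto"), software, m.group("comment"), version)


def is_older_than(banner: SshBanner, baseline: Tuple[int, int]) -> Optional[bool]:
    """True if an OpenSSH server is older than baseline; None when the version is unknown."""
    if banner.openssh_version is None:
        return None
    return banner.openssh_version < baseline


# Constructed policy threshold for the demo (not a fact from the page): flag anything below 8.0.
POLICY_MIN_OPENSSH = (8, 0)

# Constructed sample inventory of (host, raw banner line) pairs, as a scan would collect them.
SAMPLE_BANNERS = [
    ("10.0.0.1", "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n"),
    ("10.0.0.2", "SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.3", "SSH-2.0-dropbear_2019.78\r\n"),
]


def triage(inventory, baseline=POLICY_MIN_OPENSSH) -> List[Tuple[str, str, str]]:
    """Return (host, software, status) per banner; status is 'old', 'ok' or 'unknown'."""
    rows = []
    for host, raw in inventory:
        b = parse_banner(raw)
        old = is_older_than(b, baseline)
        status = "unknown" if old is None else ("old" if old else "ok")
        rows.append((host, b.software, status))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_BANNERS):
        print(*row)
```

Non-OpenSSH servers (Dropbear, Cisco, appliances) come back as "unknown" rather than being silently treated as fine, and a version comparison on the banner alone is only a lead: distributions backport fixes without changing the upstream number, so confirm the patch level before reporting.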
# User enumeration (with Metasploit)
msfconsole
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS [targetip]
set USER_FILE users.txt
run
Checks which usernames are valid through SSH response timing differences.
# Brute force login (authorized testing only)
hydra -L users.txt -P passwords.txt ssh://[targetip]
Hydra tries each username/password combination from the two lists. It is noisy (every attempt produces a failed-login entry in the server's auth log) and can lock accounts out, so use it carefully and only when permitted.
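The same failed-login entries that make a brute-force attempt noisy are what a defender keys on. The following Python is an added example (not from the original page) that reads OpenSSH auth-log lines and flags sources with many failures, direct root logins, and a successful login that follows a burst of failures from the same source. The log lines, hostnames and RFC 5737 addresses are constructed; the failure threshold of 5 is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of OpenSSH syslog lines (RFC 5737 test addresses; not a real log).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:02 web1 sshd[1235]: Invalid user oracle from 203.0.113.5 port 51235
Mar  3 10:15:03 web1 sshd[1236]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:04 web1 sshd[1237]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Mar  3 10:15:05 web1 sshd[1238]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructed
Mar  3 10:15:06 web1 sshd[1239]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 10:15:07 web1 sshd[1240]: Failed password for invalid user guest from 203.0.113.5 port 51239 ssh2
Mar  3 10:15:08 web1 sshd[1241]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar  3 10:15:30 web1 sshd[1242]: Accepted password for root from 203.0.113.5 port 51300 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+) port")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")

Finding = Tuple[str, str, str]   # (kind, source IP, detail)


def analyze_auth_log(text: str, failure_threshold: int = 5) -> List[Finding]:
    """Flag brute-force sources, root logins, and logins that follow a burst of failures."""
    failures: Dict[str, int] = defaultdict(int)     # source IP -> failed authentications
    usernames: Dict[str, set] = defaultdict(set)    # source IP -> usernames it tried
    findings: List[Finding] = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = INVALID_RE.search(line)
        if m:   # sshd also logs a "Failed ..." line for the same attempt, so only record the name
            user, ip = m.groups()
            usernames[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if user == "root":
                findings.append(("root_login", ip, f"root accepted via {method}"))
            if failures.get(ip, 0) >= failure_threshold:
                findings.append(("success_after_failures", ip,
                                 f"{user} accepted after {failures[ip]} failures"))
    for ip, count in failures.items():
        if count >= failure_threshold:
            findings.append(("brute_force", ip,
                             f"{count} failures across {len(usernames[ip])} usernames"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in analyze_auth_log(SAMPLE_AUTH_LOG):
        print(f"{kind:24} {ip:16} {detail}")
```

A success that immediately follows a run of failures from the same address is the highest-value signal here: it separates a password spray that worked from one that merely made noise. On a real host the input is /var/log/auth.log or `journalctl -u ssh`, and a per-source time window should replace the simple total used above.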
3) Exploitation Phase
Exploitation depends on authentication weaknesses or misconfigurations discovered earlier.
# Connect with discovered credentials
ssh [username]@[targetip]
After login, check system information, privilege escalation paths, and file permissions.
# Exploit weak key authentication
# If an id_rsa private key is found, restrict its permissions first (ssh refuses keys readable by others), then use it:
chmod 600 id_rsa
ssh -i id_rsa [username]@[targetip]
Use private keys or credentials recovered from other compromised services. If the server lets root log in directly (PermitRootLogin yes in sshd_config), that's a critical misconfiguration.
# Exploit older SSH versions (rare)
searchsploit openssh
searchsploit searches the local Exploit-DB copy for entries matching the reported version; some outdated releases have remote code execution or privilege escalation vulnerabilities. Confirm the exact patch level first, since distributions often backport fixes without changing the upstream version number.
SSH Info — What to Look For
- Weak or default credentials
- Outdated OpenSSH versions with known CVEs
- Publicly accessible private keys or authorized_keys files
- Root login allowed via SSH
- Weak or deprecated encryption algorithms
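Most of the items in this list are visible in sshd_config on a host you can read, which is how they get verified (and fixed) after a test. The following Python is an added example (not from the original page) that parses sshd_config and reports root login, password authentication, and deprecated ciphers, MACs and key-exchange algorithms, with a weak configuration beside its hardened counterpart. Both config texts and the short deny-lists of algorithm names are constructed assumptions for the demo; extend the lists to match your own policy.

```python
import re
from typing import Dict, List, Tuple

# Constructed sshd_config showing the misconfigurations listed above (not from a real host).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
Ciphers aes128-ctr,aes256-ctr,3des-cbc,arcfour
MACs hmac-sha2-256,hmac-md5
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
"""

# The same host after remediation (constructed).
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KexAlgorithms curve25519-sha256
"""

# Minimal deny-lists of deprecated algorithms (an assumption for the demo; extend per policy).
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
                "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}

# sshd_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], bool]:
    """Return (global directives, match_block_seen); sshd keeps the first value of each keyword."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":      # conditional section begins: stop parsing globals, flag for review
            return cfg, True
        cfg.setdefault(key, value)
    return cfg, False


def _weak_entries(value: str, deny: set) -> List[str]:
    if value.startswith("-"):   # "-alg,..." removes algorithms from the default set, so it is safe
        return []
    names = value.lstrip("+^").lower().split(",")   # "+"/"^" append or prepend to the defaults
    return [n for n in names if n in deny]


def audit_sshd_config(text: str) -> List[Tuple[str, str]]:
    """Return (finding kind, explanation) pairs for the global section of an sshd_config."""
    cfg, has_match = parse_sshd_config(text)
    findings: List[Tuple[str, str]] = []
    # OpenSSH defaults (7.0 and later): PermitRootLogin prohibit-password, PasswordAuthentication yes
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append(("root_login", "PermitRootLogin yes lets root log in directly, passwords included"))
    if cfg.get("passwordauthentication", "yes") == "yes":
        findings.append(("password_auth", "PasswordAuthentication is on (the default), so the host is brute-forceable"))
    if cfg.get("permitemptypasswords", "no") == "yes":
        findings.append(("empty_passwords", "PermitEmptyPasswords yes"))
    for key, deny, label in (("ciphers", WEAK_CIPHERS, "cipher"),
                             ("macs", WEAK_MACS, "mac"),
                             ("kexalgorithms", WEAK_KEX, "kex")):
        bad = _weak_entries(cfg.get(key, ""), deny)
        if bad:
            findings.append((f"weak_{label}", f"{key} offers deprecated algorithms: {', '.join(bad)}"))
    if has_match:
        findings.append(("match_block", "Match blocks present; review their overrides manually"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(text) or "no findings")
```

The parser stops at the first Match block on purpose: a Match section can re-enable PermitRootLogin or password authentication for one user or address range, so a clean global section is not the whole answer. Cross-check the file against what the server actually offers (`sshd -T` on the host, or the ssh2-enum-algos output from the recon phase), since an unset directive falls back to the build's defaults.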
Tools Required
# Kali package names; searchsploit is provided by the exploitdb package
sudo apt install nmap hydra openssh-client metasploit-framework netcat-openbsd exploitdb