📕
The Red Book
  • 📕The Red Book
  • 🦳Stages of Ethical Hacking
    • 1️⃣Information Gathering
      • Active Information Gathering
        • DNS Zone Transfers
        • NMAP
        • netdiscover
        • sqlMap
        • Nikto
        • Shodan
        • RustScan
        • Amass
        • fping
      • Passive Information Gathering
        • Website Recon & Footprinting
        • Whois Enumeration
        • Netcraft
        • ⭐DNS
        • Identify if site is protected by firewall or proxy - wafw00f
        • Subdomain Enumeration - Sublist3r
        • ❌theHarvester (borked)
        • Email gathering
        • Leaked Password Databases
        • Certificates
    • 2️⃣Enumeration
      • SMB
        • Windows discover & Mount
        • NMAP Scripts
        • SMBMap
        • Samba with Linux
        • Dictionary Attack
      • FTP
      • SSH
      • HTTP
        • Subdomain
        • IIS
        • Apache
      • SQL
    • 3️⃣Vulnerability Assessment
      • Nessus
  • 💾System/Host Based Attacks
    • 🪟Windows
      • Frequently exploited Windows Services
    • 🐧Linux
  • 🥽Dorks
    • Google
      • Cheatsheet
      • Examples
    • Extra
  • 🎣Phishing
    • Gophish
    • evilgophish
    • King Phisher
    • EvilURL
  • 🔎OSINT
    • Temporary links
  • 👾Data exfiltration
    • Temporary links
  • 🐝OWASP
    • Top10
  • 📙Cheat Sheet
    • Curl
Powered by GitBook
On this page
  • Enum
  • Bruteforce with hydra
  • Common password with nmap
  • Metasploit
Edit on GitHub
  1. Stages of Ethical Hacking
  2. Enumeration

SSH

The Secure Shell Protocol is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line executi

Default port: 22

Enum

# Get versions
nmap $IP -p 22 -sV -O

# See welcome msg
nc $IP 22

# Get algorithms
nmap $IP -p 22 --script ssh2-enum-algos

# Get public Key
nmap $IP -p 22 --script ssh-hostkey --script-args ssh_hostkey=full

# Weak passwords
nmap $IP -p 22 --script ssh-auth-methods --script-args="ssh.user=root"

Bruteforce with hydra

hydra -l root -P /usr/share/wordlists/rockyou.txt $IP ssh

Common password with nmap

nmap $IP --script ssh-brute --script-args userdb=/path/to/users -p 22

Metasploit

msfconsole
use auxiliary/scanner/ssh/ssh_login
set rhosts $IP
set userpass_file /usr/share/wordlists/metasploit/root_userpass.txt
set STOP_ON_SUCCESS true
set verbose true
run
PreviousFTPNextHTTP

Last updated 2 years ago

🦳
2️⃣