Skip to content
📕 The Red Book

SSH

Enum

Section titled “Enum”
Terminal window
# Get versions
nmap $IP -p 22 -sV -O


# See welcome msg
nc $IP 22


# Get algorithms
nmap $IP -p 22 --script ssh2-enum-algos


# Get public Key
nmap $IP -p 22 --script ssh-hostkey --script-args ssh_hostkey=full


# Weak passwords
nmap $IP -p 22 --script ssh-auth-methods --script-args="ssh.user=root"

Bruteforce with hydra

Section titled “Bruteforce with hydra”
Terminal window
hydra -l root -P /usr/share/wordlists/rockyou.txt $IP ssh

Common password with nmap

Section titled “Common password with nmap”
Terminal window
nmap $IP --script ssh-brute --script-args userdb=/path/to/users -p 22

Metasploit

Section titled “Metasploit”
Terminal window
msfconsole
use auxiliary/scanner/ssh/ssh_login
set rhosts $IP
set userpass_file /usr/share/wordlists/metasploit/root_userpass.txt
set STOP_ON_SUCCESS true
set verbose true
run