**SSH (Secure Shell or Secure Socket Shell)** is a network protocol that gives users a **secure way to access a computer over an unsecured network.**
[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) is an updated fork from [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/)
**Features:**
* SSH1 and SSH2 protocol server support;
* analyze SSH client configuration;
* grab banner, recognize device or software and operating system, detect compression;
* gather key-exchange, host-key, encryption and message authentication code algorithms;
* output algorithm information \(available since, removed/disabled, unsafe/weak/legacy, etc\);
* output algorithm recommendations \(append or remove based on recognized software version\);
* output security information \(related issues, assigned CVE list, etc\);
* analyze SSH version compatibility based on algorithm information;
* historical information from OpenSSH, Dropbear SSH and libssh;
This is discovered by default by **nmap**, but you can also use **sslscan** or **sslyze**.
### Shodan
* `ssh`
## Brute force usernames, passwords and private keys
### Username Enumeration
Some versions of OpenSSH are vulnerable to a timing attack that enumerates valid usernames. You can use a Metasploit module to exploit this:
```text
msf> use scanner/ssh/ssh_enumusers
```
### [Brute force](../brute-force.md#ssh)
Some common ssh credentials [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt) and [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) and below.
### Private/Public Keys BF
If you know of an SSH private key that might be accepted, try it. You can use the nmap script:
You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening_guides.html)
You can configure **SSH to behave as an SFTP** server, so some users connect to the SFTP service \(on port 22\) instead of to the SSH service.
You can even set a **chroot for the SFTP users**. A configuration example for SFTP users inside the file _**/etc/ssh/sshd\_config**_ can be seen in the following images.
All the **ots-\*** users will be jailed inside a **chroot**.
![](../.gitbook/assets/image%20%28197%29.png)
![](../.gitbook/assets/image%20%28337%29.png)
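The same kind of jail written out as text, as an added example rather than the configuration shown in the images above; the `ots-*` account pattern, the `/home/%u` chroot and the `upload` subdirectory are assumptions, the directives themselves are standard `sshd_config` options:

```conf
# Added example (not taken from the page's images): chroot'd, SFTP-only jail
# for every account whose name starts with "ots-", plus the directives that
# limit what a jailed user can still do through the server.

# In-process SFTP server: no binaries need to exist inside the chroot.
Subsystem sftp internal-sftp

# Assumed account naming; Match User accepts shell-style patterns.
Match User ots-*
    # The chroot root must be owned by root and not group/world writable,
    # otherwise sshd rejects the login ("bad ownership or modes").
    # Give the user a writable subdirectory (e.g. /home/<user>/upload) instead.
    ChrootDirectory /home/%u
    # Always run the SFTP subsystem; an interactive shell is never spawned.
    ForceCommand internal-sftp
    # Without these, a jailed SFTP user can still forward TCP ports, tunnels,
    # X11 and the agent through the server.
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    AllowAgentForwarding no
```

The chroot does not stop a user from creating symlinks inside their writable directory, so anything that serves that directory from outside the jail (a web server, for instance) should be configured not to follow symlinks.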
### SFTP Tunneling
If you have access to an SFTP server you can also tunnel your traffic through it, for example using common port forwarding:
The **sftp** client has the command "**symlink**". Therefore, if you have **write permission** in some folder, you can create **symlinks** to **other folders/files**. As you are probably **trapped** inside a chroot this **won't be especially useful** on its own, but if you can **access** the created **symlink** from a **non-chrooted service** \(for example, if you can reach the symlink from the web\), you could **open the symlinked files through the web**.
For example, to create a **symlink** named "_froot_" pointing to "_/_":
```text
sftp> symlink / froot
```
If you can access the file "_froot_" via the web, you will be able to list the root \("/"\) folder of the system.