01. SSH
1. Nmap Service and OS Detection
Command:
Explanation:
-sV: Enables version detection to determine the services running on open ports and their versions.-O: Enables OS detection to guess the operating system running on the target machine.
Example:
Risks:
- Scanning a system without permission may be illegal and considered unauthorized access.
- It may trigger IDS/IPS alerts and get the attacker blocked.
Mitigations:
- Use these commands only on authorized systems or in a controlled environment.
- Implement network monitoring tools to detect unauthorized scans.
2. SSH Connection to a Server
Command:
Explanation:
- Establishes an SSH connection to a remote machine using the specified username and IP address.
- Requires authentication (password or SSH key) to access the remote machine.
Example:
Risks:
- Using weak passwords can lead to brute-force attacks.
- If SSH is exposed to the internet, it becomes a target for attackers.
Mitigations:
- Use strong passwords and SSH key-based authentication.
- Disable SSH root login and limit login attempts.
- Implement firewall rules to restrict SSH access.
3. Checking SSH Port Connectivity with Netcat
Command:
Explanation:
- Netcat (
nc) checks if port 22 (SSH) is open on the target system.
- If the connection is successful, it means SSH is running on that port.
Example:
Risks:
- Attackers can use this to identify open SSH ports for brute-force attacks.
Mitigations:
- Use firewalls to restrict access to SSH.
- Implement intrusion detection systems to monitor unauthorized connection attempts.
4. Enumerating SSH Algorithms Using Nmap
Command:
nmap <IP Address> -p 22 --script ssh2-enum-algos
Explanation:
- Runs the
ssh2-enum-algos script to enumerate supported SSH encryption and authentication algorithms.
Example:
nmap 192.168.1.10 -p 22 --script ssh2-enum-algos
Risks:
- Attackers can identify weak encryption algorithms and exploit them.
Mitigations:
- Disable weak algorithms in the SSH configuration (
/etc/ssh/sshd_config).
- Regularly update SSH software to patch vulnerabilities.
5. Retrieving SSH Host Keys Using Nmap
Command:
nmap <IP Address> -p 22 --script ssh-hostkey --script-args ssh_hostkey=full
Explanation:
- Retrieves SSH host keys from the target system.
- Helps in identifying the authenticity of a remote SSH server.
Example:
nmap 192.168.1.10 -p 22 --script ssh-hostkey --script-args ssh_hostkey=full
Risks:
- Attackers can use the host key fingerprint for man-in-the-middle attacks.
Mitigations:
- Use SSH key fingerprint verification before connecting to a remote machine.
- Rotate SSH keys periodically.
6. Enumerating SSH Authentication Methods Using Nmap
Commands:
nmap <IP Address> -p 22 --script ssh-auth-methods --script-args="ssh.user=student"
nmap <IP Address> -p 22 --script ssh-auth-methods --script-args="ssh.user=admin"
Explanation:
- Determines available authentication methods (password, public key, etc.) for a given user.
- Useful for identifying potential weak authentication mechanisms.
Example:
nmap 192.168.1.10 -p 22 --script ssh-auth-methods --script-args="ssh.user=admin"
Risks:
- Attackers can use this information to determine possible attack vectors.
Mitigations:
- Disable password-based authentication and enforce SSH key-based authentication.
- Limit login attempts and implement account lockout policies.