Use an Auxiliary Scanner for SSH Enumeration in Metasploit

Introduction

In this lab, you will learn how to use an auxiliary scanner module within the Metasploit Framework to perform SSH (Secure Shell) version enumeration. Metasploit is a powerful penetration testing tool that contains a vast collection of exploits, payloads, and auxiliary modules.

Auxiliary modules are not used for direct exploitation but for other purposes like scanning, fuzzing, and information gathering. SSH enumeration is a key part of the reconnaissance phase of a security assessment. By identifying the specific version of an SSH server, an attacker can search for known vulnerabilities associated with that version.

You will learn to launch the Metasploit console, search for the appropriate module, configure its options, and run it against a target to discover its SSH version.

In this step, you will start the Metasploit Framework console and search for a module capable of scanning for SSH versions.

First, open a terminal. The Metasploit console is a command-line interface to the framework. You can start it by typing msfconsole. We will use the -q flag for a "quiet" startup, which suppresses the startup banner.

Execute the following command to launch the Metasploit console:

msfconsole -q

Once the console is loaded, you will see the Metasploit prompt, which looks like msf6 >. Now, you can use the search command to find modules. We are looking for a module related to SSH version scanning.

Type the following command into the Metasploit console and press Enter:

search ssh_version

Metasploit will search its module database and display any matches. The output will show the auxiliary/scanner/ssh/ssh_version module, which is exactly what we need.

msf6 > search ssh_version

Matching Modules
================

   ##  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssh/ssh_version                     normal  No     Detect SSH Version


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/ssh/ssh_version

msf6 >

Select the ssh_version module

In this step, you will select the ssh_version module you found and view its available options.

Now that you have identified the correct module, you need to load it into the framework's context. This is done using the use command followed by the full name of the module.

In the msfconsole prompt, type the following command:

use auxiliary/scanner/ssh/ssh_version

After you execute the command, you'll notice that the prompt changes. It now includes the name of the active module, indicating that it's ready for configuration. The new prompt will look like this: msf6 auxiliary(scanner/ssh/ssh_version) >.

To see what parameters you can configure for this module, use the show options command:

show options

This command will display a table of all the options for the ssh_version module, including their current settings, whether they are required, and a brief description. Pay close attention to the RHOSTS and THREADS options, as we will configure them in the next steps.

msf6 auxiliary(scanner/ssh/ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    22               yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)
   TIMEOUT  30               yes       Timeout for the SSH probe

...

Set the RHOSTS option to a target subnet

In this step, you will configure the target for your scan. The RHOSTS option specifies the remote host or hosts that Metasploit will scan.

For this lab, we will scan the local machine itself, as the setup script has installed and started an SSH server on it. The loopback address 127.0.0.1 always refers to the local machine.

You can set module options using the set command, followed by the option name and the value you want to assign.

To set the target to your local machine, execute the following command in your msfconsole prompt:

set RHOSTS 127.0.0.1

Metasploit will confirm the change by printing the option and its new value.

RHOSTS => 127.0.0.1

You have now told the scanner which machine to target. If you were scanning a network, you could provide a range of IP addresses here (e.g., 192.168.1.0/24).

Set the number of concurrent threads

In this step, you will adjust the number of concurrent threads for the scanner. This option controls how many hosts are scanned simultaneously.

Scanning a single host, as we are doing now, gains little from multiple threads, but the setting is crucial for speeding up scans of large networks, so it is good practice to learn how to configure it.

The default value is 1. Let's increase it to 10. We will use the set command again.

In your msfconsole prompt, type the following command:

set THREADS 10

Metasploit will confirm the setting has been updated.

THREADS => 10

Now the scanner is configured to use up to 10 threads, which would make it significantly faster when scanning a range of IP addresses.

Run the module and review the discovered SSH versions

In this step, with all options configured, you will execute the scanner module and analyze the output.

The run command (or its alias, exploit) executes the currently loaded module with its configured settings.

To start the scan, simply type run in your msfconsole prompt and press Enter:

run

The module will now attempt to connect to port 22 on 127.0.0.1. If it finds an active SSH service, it will grab the version banner and display it. The output should look similar to the following:

[*] 127.0.0.1:22 - Scanned 1 of 1 hosts (100%)
[+] 127.0.0.1:22 - SSH server detected: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
[*] Auxiliary module execution completed

The [+] symbol indicates success. The output shows that an SSH server was detected on 127.0.0.1 at port 22, and it reports the version as OpenSSH_8.9p1 on an Ubuntu system. This information is valuable for the next steps in a penetration test, such as searching for vulnerabilities specific to this version.
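To make clear what the ssh_version module actually does on the wire, here is an added example (not code from the lab or from the Metasploit project) that performs the same exchange by hand: it opens a TCP connection, reads the server's identification string as defined in RFC 4253 section 4.2, and splits it into protocol version, software version and comments. No SSH client or daemon is required: the script starts a constructed stand-in server on a random loopback port that sends a made-up pre-banner line followed by the same OpenSSH banner shown in the lab output. The function names (grab_ssh_banner, parse_ssh_banner, fake_ssh_server, demo) and the banner lines are this example's own assumptions. Note that the comments field ("Ubuntu-3ubuntu0.6") is where the distribution patch level is disclosed, which is why a version banner reveals more than just the OpenSSH release.

```python
import re
import socket
import threading

# RFC 4253 section 4.2 identification string:
#   SSH-protoversion-softwareversion SP comments CR LF
# softwareversion may not contain whitespace; comments are optional.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_ssh_banner(line):
    """Split an identification string into its parts.

    Returns a dict with 'proto', 'software' and 'comments' (None if absent),
    or None when the line is not an SSH identification string at all.
    """
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments"),
    }


def grab_ssh_banner(host, port, timeout=5.0, max_lines=20):
    """Connect and read lines until the server's identification string.

    RFC 4253 allows a server to send other lines before the 'SSH-' line;
    a real client ignores them, and so does this grabber. Nothing is sent
    to the server: the banner is handed out on connect.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(max_lines):
            raw = reader.readline()
            if not raw:  # server closed without ever sending a banner
                break
            line = raw.decode("utf-8", errors="replace")
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    return None


def fake_ssh_server(banner_lines):
    """Constructed stand-in for sshd: accepts one connection, sends the given
    lines, then closes. Returns (host, port, thread) for the caller."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall("".join(banner_lines).encode("utf-8"))
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return "127.0.0.1", port, t


def demo():
    """Grab and parse a banner from the constructed server.

    The server deliberately sends a non-SSH line first to exercise the
    'skip lines before the identification string' rule.
    """
    host, port, t = fake_ssh_server([
        "Welcome - constructed pre-banner line\r\n",
        "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",  # same banner as the lab output
    ])
    banner = grab_ssh_banner(host, port)
    t.join(timeout=5)
    return banner, parse_ssh_banner(banner)


if __name__ == "__main__":
    raw_banner, parsed = demo()
    print("banner :", raw_banner)
    print("parsed :", parsed)
```

Because the grabber sends nothing and reads only up to the identification string, the exchange is indistinguishable from the first moments of any ordinary SSH client connection; on the server side it shows up as a connection that closes before key exchange, which sshd typically logs as "Connection closed by ... [preauth]" or similar, and a burst of such entries from one source across many hosts is the footprint a defender would look for when this kind of enumeration runs against a network.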

Summary

In this lab, you have successfully used a Metasploit auxiliary scanner to perform SSH version enumeration.

You have learned how to:

  • Launch the Metasploit Framework console.
  • Search for a specific module using the search command.
  • Select and load a module with the use command.
  • Configure module options like RHOSTS and THREADS using the set command.
  • Execute the module with the run command.
  • Interpret the results to identify the SSH server version on a target.

This process is a fundamental skill for information gathering and reconnaissance in the field of cybersecurity and penetration testing.