Introduction
Welcome to this hands-on lab focused on SSH enumeration and exploiting weak key-based authentication. Secure Shell (SSH) is a fundamental protocol for secure remote administration, but misconfigurations can create significant security vulnerabilities.
In this lab, you will simulate a penetration test against a target system. You will begin by verifying network connectivity, then use the powerful nmap tool to enumerate the SSH service and gather information. Next, you will leverage a provided private key to exploit a common misconfiguration—improper file permissions—to gain passwordless shell access. Finally, you will explore the target system to locate and retrieve a hidden flag.
Upon completion, you will understand how to:
- Verify network connectivity using ping.
- Enumerate an SSH service with nmap.
- Understand the basics of SSH key-based authentication.
- Exploit weak key permissions to gain unauthorized access.
- Navigate a remote system to find sensitive information.
Let's get started.
Verify Connectivity to Target with Ping
In this step, you will start by confirming that your machine can communicate with the target system. The ping command is a standard network diagnostic tool that sends ICMP packets to a host to test its reachability. This is the first and most basic step in any network reconnaissance.
Your environment includes a target system accessible via the hostname target.
Execute the following command in the terminal to send four packets to the target and verify it is online:
ping -c 4 target
You should see a response similar to the one below, confirming that the target is reachable and the network connection is stable. The IP address and response times may differ slightly.
PING target (172.17.0.2) 56(84) bytes of data.
64 bytes from target (172.17.0.2): icmp_seq=1 ttl=64 time=0.091 ms
64 bytes from target (172.17.0.2): icmp_seq=2 ttl=64 time=0.068 ms
64 bytes from target (172.17.0.2): icmp_seq=3 ttl=64 time=0.065 ms
64 bytes from target (172.17.0.2): icmp_seq=4 ttl=64 time=0.067 ms
--- target ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3074ms
rtt min/avg/max/mdev = 0.065/0.072/0.091/0.011 ms
With connectivity confirmed, you can proceed to the next phase of enumeration.
Scan Open Ports with Nmap
In this step, you will use nmap to scan the target for open ports and identify the services running on them. Nmap (Network Mapper) is a critical tool for security professionals, used for network discovery and security auditing.
We will perform a targeted scan on port 22, the standard port for SSH, to gather version information and the host key.
Execute the following command in your terminal:
nmap -sV -p 22 --script ssh-hostkey target
-sV: Enables service and version detection.
-p 22: Specifies that only port 22 should be scanned.
--script ssh-hostkey: An Nmap Scripting Engine (NSE) script that retrieves the target's SSH host keys.
The output will look similar to this:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-19 11:56 CST
Nmap scan report for target (172.17.0.2)
Host is up (0.00020s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds
The scan confirms that port 22/tcp is open and running OpenSSH 8.9p1. This information is vital for the next step, where you will attempt to connect.
Connect to Target via SSH
In this step, you will use the provided SSH private key to connect to the target. SSH key-based authentication is generally more secure than password authentication, but it relies on both the private key being kept secret and the file permissions on both client and server being correctly configured.
A private key file, id_rsa, has been placed in your ~/project directory. For SSH to use a private key, its permissions must be restrictive. Set the correct permissions with the chmod command:
chmod 600 id_rsa
This command ensures that only the file owner has read and write permissions, which is a requirement for most SSH clients.
If you encounter a password prompt despite using the correct key, the issue is likely server-side permissions: sshd will not use a user's authorized_keys file when the user's home directory is writable by group or others. Check the current permissions:
docker exec target-container ls -ld /home/testuser
If you see permissions like drwxrwxrwx (777), fix them:
docker exec target-container chmod 755 /home/testuser
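As an added example that is not part of the lab, the following POSIX shell audit checks the same permission chain from the defender's side: the private key mode on the client, and the home directory, ~/.ssh and authorized_keys modes that sshd's StrictModes (the default) enforces on the server. It assumes GNU coreutils (stat -c '%a'); the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the lab: audit the SSH permission chain the lab
# describes. Assumes GNU coreutils (stat -c '%a'); function names are my own.

# Print the octal permission bits of a path, e.g. 600 or 755.
mode_of() {
    stat -c '%a' "$1"
}

# Client side: OpenSSH refuses a private key that is readable by anyone
# but its owner ("UNPROTECTED PRIVATE KEY FILE!"), so require 600 or 400.
check_private_key() {
    m=$(mode_of "$1") || return 1
    case "$m" in
        600|400) return 0 ;;
        *) echo "$1: mode $m, expected 600 or 400 (chmod 600)" >&2; return 1 ;;
    esac
}

# True when neither the group nor the other class has the write bit (2) set.
not_group_other_writable() {
    m=$(mode_of "$1") || return 1
    o=${m#"${m%?}"}            # last octal digit: other
    g=${m%?}; g=${g#"${g%?}"}  # second-to-last digit: group
    case "$g$o" in
        *[2367]*) return 1 ;;  # a 2, 3, 6 or 7 in either digit means writable
        *) return 0 ;;
    esac
}

# Server side: with StrictModes, sshd ignores authorized_keys when the home
# directory, ~/.ssh or the file itself is group/other writable; this is why a
# 777 home directory makes the client fall back to a password prompt.
check_home_chain() {
    home="$1"
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if ! not_group_other_writable "$p"; then
            echo "$p: mode $(mode_of "$p") is group/other writable" >&2
            echo "fix: chmod 755 $home; chmod 700 $home/.ssh; chmod 600 $home/.ssh/authorized_keys" >&2
            return 1
        fi
    done
    return 0
}
```

Run check_private_key on the key you were given and check_home_chain on the user's home directory; a non-zero exit names the path and the chmod that repairs it.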
Now, use the private key to connect to the target as the user testuser.
ssh -i id_rsa testuser@target
-i id_rsa: Specifies the identity file (private key) to use for authentication.
You may be prompted to confirm the authenticity of the host. Type yes and press Enter.
The authenticity of host 'target (172.17.0.2)' can't be established.
ED25519 key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Due to a misconfiguration on the server (insecure permissions on the user's home directory), the SSH service will accept the key, and you will be granted access without a password. You will be logged in and see the target's shell prompt.
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-48-generic x86_64)
...
testuser@target:~$
You have successfully gained shell access to the target system.
Explore Target System and Locate Flag
In this step, your final objective is to find and read the flag file. Now that you have a shell on the target system, you can explore its filesystem just like a local machine. This is the post-exploitation phase, where an attacker searches for valuable data.
You are currently in the testuser's home directory (/home/testuser). Use the ls command to list the files and directories in this location.
ls
You will see the contents of the home directory, which should include the flag file.
testuser@target:~$ ls
flag.txt
testuser@target:~$
You have located flag.txt. Now, use the cat command to display its contents and reveal the flag.
cat flag.txt
The terminal will print the flag's value.
testuser@target:~$ cat flag.txt
labex{ssh_k3y_b4s3d_acc3ss_fl4g}
testuser@target:~$
Congratulations! You have successfully enumerated the SSH service, exploited a key-based authentication vulnerability, and captured the flag. Copy the flag value to complete the lab.
To disconnect from the target, type exit and press Enter.
Summary
In this lab, you successfully executed a simulated attack targeting a misconfigured SSH service. You progressed through the key stages of a penetration test, from initial reconnaissance to post-exploitation.
You learned how to:
- Use ping to verify that a target is online.
- Employ nmap to perform a detailed scan of an SSH port, identifying the service version.
- Understand the client-side requirements for SSH key-based authentication, including proper private key permissions (chmod 600).
- Exploit a server-side vulnerability related to insecure file permissions to gain unauthorized shell access.
- Navigate a remote filesystem to locate and retrieve a flag.
This exercise demonstrates a critical security principle: security is a chain, and a single weak link—in this case, improper directory permissions—can compromise the entire system, even when strong authentication mechanisms like SSH keys are in use. Always ensure that your SSH configurations and file permissions are hardened according to security best practices.