# 22 - SSH

## Introduction

**Port**: 22 (TCP)

The **Secure Shell** (SSH) protocol is used for operating network services and transferring files securely over an unsecured network.

## Basic enumeration

Default enumeration:

```bash
nmap -p22 -sC -sV -n <TARGET>
```

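To list the algorithms supported by the server (with a count per category), and to enable one on the client if it is not supported by default:

```bash
# List the key exchange, host key, encryption, MAC and compression algorithms offered
sudo nmap --script=ssh2-enum-algos -p22 -n <TARGET>
# Connect with a key exchange algorithm the client does not enable by default
ssh <USER>@<IP> -oKexAlgorithms=+diffie-hellman-group1-sha1
```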
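The same listing is what an administrator reviews when hardening a server. The following is an added example, not part of the original page: a shell function that parses `ssh2-enum-algos` output and reports legacy algorithms. The function names, the sample scan and the weak-algorithm patterns are assumptions chosen for illustration.

```bash
# Added example: flag legacy algorithms in `nmap --script=ssh2-enum-algos` output.
# The weak-algorithm patterns are an illustrative policy (assumption), not from the page.
# flag_weak_algos reads nmap output on stdin and prints "<section>: <algorithm>".
flag_weak_algos() {
    awk '
    function weak(sec, alg) {
        if (sec == "kex_algorithms")
            return alg ~ /^diffie-hellman-group1-sha1$|^diffie-hellman-group-exchange-sha1$/
        if (sec == "server_host_key_algorithms")
            return alg == "ssh-dss"
        if (sec == "encryption_algorithms")
            return alg ~ /-cbc$|^arcfour/
        if (sec == "mac_algorithms")
            return alg ~ /^hmac-md5|^hmac-sha1-96/
        return 0
    }
    # Any line outside the script output block ends the current section.
    $1 !~ /^[|]_?$/ { section = ""; next }
    # Section header, e.g. "|   kex_algorithms: (4)"
    NF == 3 && $2 ~ /_algorithms:$/ { section = $2; sub(/:$/, "", section); next }
    # Algorithm entry, e.g. "|       aes128-ctr" or "|_      none"
    NF == 2 && section != "" && weak(section, $2) { print section ": " $2 }
    '
}

sample_scan() {
    # Constructed sample output, not taken from a real host.
    cat <<'EOF'
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       curve25519-sha256
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-ed25519
|       ssh-dss
|   encryption_algorithms: (2)
|       aes128-ctr
|       3des-cbc
|   mac_algorithms: (2)
|       hmac-sha2-256
|       hmac-md5
|   compression_algorithms: (1)
|_      none
EOF
}

sample_scan | flag_weak_algos
```

On a real scan, pipe the nmap output into `flag_weak_algos` in place of `sample_scan`; each reported algorithm is a candidate for removal from the server's `sshd_config`.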

To obtain the SSH server's host key fingerprint. If the host key has been reused and is [publicly known](https://github.com/rapid7/ssh-badkeys/tree/master/authorized), an attacker holding the matching private key could impersonate the server in a MITM attack.

```bash
sudo nmap --script=ssh-hostkey -p22 -n <TARGET>
```

To check support for SSHv1.

```bash
sudo nmap --script=sshv1 -p22 -n <TARGET>
```

This command returns the authentication methods that the SSH server supports (the supplied username may be invalid).

```bash
sudo nmap --script=ssh-auth-methods --script-args="ssh.user=<USERNAME>" -p22 -n <TARGET>
```
