This guide covers best practices for SSH scanning: the different SSH scanning techniques and how to use them securely in a penetration testing environment.

Check authentication methods

nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root"

Send default nmap scripts for SSH

nmap -p22 <ip> -sC

Retrieve version

nmap -p22 <ip> -sV

Retrieve SSH version using Metasploit

msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set rhosts <ip>
msf auxiliary(ssh_version) > set rport 22
msf auxiliary(ssh_version) > exploit

Retrieve supported algorithms

nmap -p22 <ip> --script ssh2-enum-algos
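
To triage what the command above returns, this added example (not part of the original guide) parses ssh2-enum-algos script output and lists the algorithms that match a deny list. The sample output is constructed, and the WEAK patterns are an assumed audit baseline to adapt, not something nmap provides.

```python
import re

# Constructed sample of `nmap -p22 <ip> --script ssh2-enum-algos` script output.
SAMPLE = """\
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       curve25519-sha256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-ed25519
|       ssh-dss
|   encryption_algorithms: (2)
|       aes128-ctr
|       3des-cbc
|   mac_algorithms: (2)
|       hmac-sha2-256
|       hmac-md5
|   compression_algorithms: (1)
|_      none
"""

# Assumed audit policy (adjust to your own baseline): patterns treated as weak.
WEAK = {
    "kex_algorithms": re.compile(r"sha1$"),
    "server_host_key_algorithms": re.compile(r"^ssh-dss$"),
    "encryption_algorithms": re.compile(r"-cbc|^arcfour|^none$"),
    "mac_algorithms": re.compile(r"md5|-96|^none$"),
}

def parse_enum_algos(text):
    """Return {category: [algorithm, ...]} from ssh2-enum-algos script output."""
    result, current = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ").rstrip()  # drop nmap's "|" / "|_" gutter
        header = re.fullmatch(r"(\w+_algorithms): \(\d+\)", body)
        if header:
            current = header.group(1)
            result[current] = []
        elif current and body and line.startswith("|"):
            result[current].append(body)
    return result

def weak_algorithms(parsed):
    """Return {category: [weak algorithm, ...]} for categories with findings."""
    return {cat: hits for cat, algos in parsed.items()
            if (hits := [a for a in algos if cat in WEAK and WEAK[cat].search(a)])}

print(weak_algorithms(parse_enum_algos(SAMPLE)))
```

Each reported entry is a candidate for removal from the server's configured algorithm lists.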

Retrieve host keys (to check for weak keys)

nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full