Note that fuzzers can cause unintentional denial-of-service
conditions, especially when they are optimized for speed. An
application running on a low-powered server may crash simply from
being hit by a fast, highly capable fuzzer, so make sure you have
explicit permission from the company you're working with before
performing such activities.
Assessing SSH Servers with Nmap's Scripting Engine
Nmap ships with many NSE scripts that can also help test for
vulnerabilities and misconfigurations. On Kali Linux and most other
Linux distributions, the scripts live under /usr/share/nmap/scripts.
When you run Nmap with the -A flag, it enables operating system
detection, version detection, script scanning, and traceroute. The
script scanning it performs is the same default-category set of NSE
scripts that -sC runs, not every script in that directory, but -A is
still one of the noisiest scans you can do with Nmap, so never
use it when you need to be covert.
In the previous chapter, we identified a server running OpenSSH
on 172.16.10.13 (p-jumpbox-01). Let’s use an NSE script tailored to
SSH servers to see what we can discover about the supported
authentication methods:
$ nmap --script=ssh-auth-methods 172.16.10.13
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-19 01:53 EDT
--snip--
PORT STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
The ssh-auth-methods NSE script enumerates the authentication
methods the SSH server offers: it sends a "none" authentication
request and reads the methods the server reports as able to continue
in its failure reply. Because sshd can vary this list per user (for
example through Match blocks in sshd_config), the result applies to
the username the script tried; you can choose it with --script-args
ssh.user=<name>. If password appears in the list, the server accepts
password logins, and SSH servers that allow password authentication
are prone to brute-force attacks, unlike servers that offer only
publickey. Later in this chapter, we will perform a brute-force attack
against SSH servers.
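As an added example (not code from Black Hat Bash), the following Bash script wraps the ssh-auth-methods scan for a list of targets and reports which hosts still accept password authentication. It parses Nmap's normal output with awk, so it works across many hosts at once instead of reading one result by eye. When run without arguments it parses a constructed sample capture (the 172.16.10.13 result above plus a made-up second host, 192.0.2.10, that offers only publickey), so it runs offline; the script name ssh-auth-audit.sh and that second host are assumptions for illustration.

```bash
#!/usr/bin/env bash
# ssh-auth-audit.sh: added example, not from Black Hat Bash.
# Runs nmap's ssh-auth-methods script against the given targets and
# reports the hosts that still accept password authentication.

# parse_auth_methods reads "nmap --script=ssh-auth-methods" normal output
# on stdin and prints one line per host: "<ip> <method1,method2,...>".
parse_auth_methods() {
  awk '
    function flush() {
      if (host != "") {
        print host, (methods != "" ? methods : "none-reported")
        host = ""; methods = ""
      }
    }
    # New host block: the IP is the last token, in parentheses if nmap resolved a name.
    /^Nmap scan report for/ { flush(); host = $NF; gsub(/[()]/, "", host) }
    # Start of the script output for this host.
    /^[|] ssh-auth-methods:/ { inblock = 1; next }
    inblock {
      line = $0
      last = ($0 ~ /^[|]_/)                # "|_" marks the last line of script output
      sub(/^[|]_?[[:space:]]*/, "", line)  # strip the "| " / "|_ " prefix
      if (line ~ /^[a-z][a-z-]*$/)         # bare method names: publickey, password, ...
        methods = methods (methods != "" ? "," : "") line
      if (last || $0 !~ /^[|]/) inblock = 0
    }
    END { flush() }
  '
}

# flag_password_auth filters parse_auth_methods output down to the hosts
# whose method list includes "password".
flag_password_auth() {
  awk '$2 ~ /(^|,)password(,|$)/ { print $1 }'
}

# sample_output is a constructed capture: the 172.16.10.13 result from the
# text plus a made-up second host (192.0.2.10) that offers only publickey.
sample_output() {
  cat <<'EOF'
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-19 01:53 EDT
Nmap scan report for 172.16.10.13
Host is up (0.00021s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-auth-methods:
|   Supported authentication methods:
|     publickey
|_    password

Nmap scan report for bastion.example.test (192.0.2.10)
Host is up (0.0012s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-auth-methods:
|   Supported authentication methods:
|_    publickey

Nmap done: 2 IP addresses (2 hosts up) scanned in 0.41 seconds
EOF
}

# With targets given and nmap installed, scan them; otherwise parse the sample.
if [ "$#" -gt 0 ] && command -v nmap >/dev/null 2>&1; then
  nmap -p22 --script=ssh-auth-methods "$@" | parse_auth_methods | flag_password_auth
else
  sample_output | parse_auth_methods | flag_password_auth
fi
```

Run it as ./ssh-auth-audit.sh 172.16.10.0/24 to audit a whole range; -p22 keeps the scan to the SSH port so only the one script runs. Because sshd can offer a different method list per user, add --script-args ssh.user=<name> to the nmap line when you want the result for a specific account rather than the script's default username.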
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks