SSH

Secure Shell protocol (port 22)

nmap

• to scan all the algo that are supported by the SSH server

nmap -p22 $IP --script ssh2-enum-aglos 

• to get host key

nmap -p22 $IP --script ssh-hostkey --script-args ssh_hostkey=full
#again.... -sC does this for us.

• to check what auth methods is there for a user

ssh -p22 $IP --script ssh-auth-methods --script-args="ssh.user=username"

• bruteforce a user

nmap $IP -p22 --scrip ssh-brute --script-args userdb=/path/to/username(s).txt

hydra

• bruteforce a user

hydra -l $username -P /path/to/wordlist $IP ssh

msfconsole

• bruteforce a user

use auxiliary/scanner/ssh/ssh_login

#options
set RHOSTS $IP
set userpass_file /path/to/wordlist
set STOP_ON_SUCESS true