Banner grabbing for an SSH server is like banner grabbing for a web server. Let’s say banner grabbing is banner grabbing, and it is part of the reconnaissance performed during a security test.
nc
$ nc -v 10.0.0.1 22
Ncat: Version 6.25 ( http://nmap.org/ncat )
Ncat: Connected to 10.0.0.1:22.
SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308

$ sudo scanssh 10.0.0.1
10.0.0.1:22 SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308
Effective host scan rate: 1.69 hosts/s

$ nmap -sV -p 22 10.0.0.1
Host is up (0.0012s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.4p1 (FreeBSD 20100308; protocol 2.0)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Or use the banner script to get the details.
$ nmap -sV -p 22 --script=banner 10.0.0.1
Host is up (0.00100s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.4p1 (FreeBSD 20100308; protocol 2.0)
|_banner: SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
telnet
$ telnet 10.0.0.1 22
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308

$ python sshscan.py
1/1 Host: 10.0.0.1 Port: 22/open Connection failed
FreeBSD router01.home.network 8.1-RELEASE-p6 FreeBSD 8.1-RELEASE-p6 #0: Mon Dec 12 18:59:41 EST 2011 root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386
Well, as you can see, there is not much difference between a web server and an SSH server. Just use the right port.
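Every tool above returns the same string, the SSH identification line defined in RFC 4253 section 4.2. The following is an added example, not part of the original post or of sshscan.py: it splits such a banner into its fields and lists what it discloses to an unauthenticated client. The function names and the second sample banner are assumptions made for illustration.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[^\s-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
MAX_IDENT_LEN = 255  # RFC 4253 limit, counted with the trailing CR LF

# First banner is the one shown on this page; the second is constructed.
SAMPLES = [
    b"SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308\r\n",
    b"Authorized use only\r\nSSH-1.99-ExampleSSHD_1.0\r\n",
]


def parse_ssh_banner(raw: bytes) -> dict:
    """Return proto, software and comments of the first SSH ident line."""
    for line in raw.split(b"\n"):
        # A server may send other text lines before its identification.
        if not line.startswith(b"SSH-"):
            continue
        if len(line) + 1 > MAX_IDENT_LEN:
            raise ValueError("identification string exceeds 255 bytes")
        match = IDENT_RE.match(line.rstrip(b"\r"))
        if match is None:
            raise ValueError("malformed identification string")
        return {
            key: value.decode("ascii", "replace") if value else ""
            for key, value in match.groupdict().items()
        }
    raise ValueError("no SSH identification string found")


def disclosure_findings(banner: dict) -> list:
    """List what the banner tells an unauthenticated client."""
    findings = []
    if banner["proto"] in ("1.5", "1.99"):
        findings.append("advertises SSH protocol 1 support")
    if re.search(r"\d", banner["software"]):
        findings.append("software version disclosed: " + banner["software"])
    if banner["comments"]:
        findings.append("comment field disclosed: " + banner["comments"])
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        parsed = parse_ssh_banner(sample)
        print(parsed, disclosure_findings(parsed))
```

Run over the banners an inventory scan returns, the findings show what each server reveals before any key exchange or authentication takes place.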