SSH

It is doubtful we will be able to exploit SSH without at least a list of usernames.

SSH version

nc -nv <ip> 22

Based on the SSH version we can google which OS it is installed on.

SSH Keys

When you try to SSH for the first time, you're asked if you want to accept the key fingerprint. Look out for those within the network as it might happen that you manage to put your hands on some ssh keys and use fingerprint to determin whether the same keys are used on other machines and accounts.

Try to ssh:

ssh root@<ip>

Example of an answer:

The authenticity of host '<ip> (<ip>)' can't be established.
ED25519 key fingerprint is SHA256:7S9+7ItI4yK4Nwm/2iwZIxfY9SeJdq6H2OI8vUUsrlI.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '<ip>' (ED25519) to the list of known hosts.

SSH nmap scripts

nmap scripts are located here:

ls -ltra /usr/share/nmap/scripts/*ssh*

You can use one of them to (for instance) enumerate the ssh-hostkey:

nmap $IP -p 22 -sV --script=ssh-hostkey