SSH Pentesting Notes

Protocol Overview

Basic Information

Port: TCP 22 (default)
Protocol Type: Encrypted, application layer
Purpose: Secure remote access and file transfer
Security: Strong encryption and authentication mechanisms

Protocol Versions

SSH-1
- Legacy protocol
- Vulnerable to MITM attacks
- Should be disabled
SSH-2
- Current standard
- Improved security
- Supports multiple authentication methods

Initial Enumeration

Port Scanning

# Basic Nmap scan
nmap -p22 -sV <target>

# Aggressive scan with scripts
nmap -p22 -sV -sC -A <target>

# All SSH scripts
nmap -p22 --script ssh* <target>

Banner Grabbing

# Using netcat
nc -vn <target> 22

# Using telnet
telnet <target> 22

# Direct SSH connection
ssh -v <target>

Authentication Methods

Testing Different Auth Methods

# Password authentication
ssh -v user@<target> -o PreferredAuthentications=password

# Public key authentication
ssh -i key_file user@<target>

# Keyboard-interactive
ssh -v user@<target> -o PreferredAuthentications=keyboard-interactive

Key-Based Authentication Check

# Generate new key pair
ssh-keygen -t rsa -b 4096

# Copy key to server
ssh-copy-id -i ~/.ssh/id_rsa.pub user@<target>

# Test key permissions
ls -la ~/.ssh/

Brute Force Attacks

Using Hydra

# Basic password attack
hydra -l user -P passwords.txt ssh://<target>

# Multiple users
hydra -L users.txt -P passwords.txt ssh://<target>

# With timing controls
hydra -l user -P passwords.txt ssh://<target> -t 4 -W 5

Using Medusa

# Basic attack
medusa -h <target> -u user -P passwords.txt -M ssh

# Parallel connections
medusa -h <target> -u user -P passwords.txt -M ssh -t 10

Using Ncrack

ncrack -p 22 --user user -P passwords.txt <target>

Common NSE Scripts

# Run all SSH scripts
nmap --script ssh* -p 22 <target>

# Important individual scripts
nmap -p22 --script ssh-auth-methods <target>     # Authentication methods
nmap -p22 --script ssh-brute <target>            # Brute force
nmap -p22 --script ssh-hostkey <target>          # Host key check
nmap -p22 --script ssh-publickey-acceptance <target>  # Public key testing
nmap -p22 --script ssh2-enum-algos <target>      # Algorithm enumeration

SSH Auditing

Using SSH-Audit

# Clone and run ssh-audit
git clone https://github.com/jtesta/ssh-audit.git
cd ssh-audit
./ssh-audit.py <target>

# Basic audit
./ssh-audit.py <target> --level basic

# Detailed audit
./ssh-audit.py <target> --level aggressive

File Operations

SCP (Secure Copy)

# Download file
scp user@<target>:/path/to/file local_file

# Upload file
scp local_file user@<target>:/path/to/destination

# Recursive copy
scp -r user@<target>:/remote/dir/ local_dir/

SFTP Operations

# Connect
sftp user@<target>

# Common commands
sftp> ls
sftp> get file
sftp> put file
sftp> mget *.txt
sftp> mput *.txt
sftp> bye

Configuration Files

Server Configuration

Main config: /etc/ssh/sshd_config
Host keys: /etc/ssh/ssh_host_*_key
Known hosts: /etc/ssh/ssh_known_hosts

User Configuration

SSH directory: ~/.ssh/
Private keys: ~/.ssh/id_*
Known hosts: ~/.ssh/known_hosts
Authorized keys: ~/.ssh/authorized_keys

Common Vulnerabilities

Configuration Issues:
- Weak passwords allowed
- Root login enabled
- Old protocol versions
- Weak ciphers/MACs
Authentication Problems:
- Password authentication enabled
- Empty passwords allowed
- Weak private key protection
- Misconfigured authorized_keys
Version-specific:
- OpenSSH vulnerabilities
- Legacy SSH-1 problems
- Weak key exchange methods
- Deprecated algorithms

Post Exploitation

Information Gathering

Check SSH configuration
List authorized keys
Examine user permissions
Review SSH logs
Search for private keys

Privilege Escalation

Check for writable config files
Look for unprotected keys
Test for SSH agent hijacking
Examine cron jobs
Review sudo permissions

Common SSH Response Codes

Message

Meaning

Permission denied

Authentication failed

Connection refused

Port closed or filtered

Host key verification failed

Changed/unknown host key

Connection timed out

Host unreachable/blocked

Best Practices for Pentesting

Initial Reconnaissance:
- Identify SSH version
- Check available algorithms
- Test authentication methods
- Review banners/fingerprints
Deep Enumeration:
- Run SSH audits
- Test key-based auth
- Check configuration
- Verify encryption methods
Documentation:
- Record findings
- Note configurations
- Document vulnerabilities
- Save evidence
Risk Assessment:
- Evaluate security posture
- Check compliance
- Assess attack surface
- Recommend hardening steps

Common Dangerous Settings

Setting

Risk

PermitRootLogin yes

Allows direct root access

PasswordAuthentication yes

Enables password attacks

PermitEmptyPasswords yes

Allows blank passwords

Protocol 1

Uses vulnerable protocol

X11Forwarding yes

Potential GUI exploitation

AllowTcpForwarding yes

Possible tunneling abuse

DebianBanner yes

Information disclosure

PreviousSMB Pentesting Notes NextIPMI Pentesting Notes

hashtagProtocol Overview

hashtagBasic Information

hashtagProtocol Versions

hashtagInitial Enumeration

hashtagPort Scanning

hashtagBanner Grabbing

hashtagAuthentication Methods

hashtagTesting Different Auth Methods

hashtagKey-Based Authentication Check

hashtagBrute Force Attacks

hashtagUsing Hydra

hashtagUsing Medusa

hashtagUsing Ncrack

hashtagCommon NSE Scripts

hashtagSSH Auditing

hashtagUsing SSH-Audit

hashtagFile Operations

hashtagSCP (Secure Copy)

hashtagSFTP Operations

hashtagConfiguration Files

hashtagServer Configuration

hashtagUser Configuration

hashtagCommon Vulnerabilities

hashtagPost Exploitation

hashtagInformation Gathering

hashtagPrivilege Escalation

hashtagCommon SSH Response Codes

hashtagBest Practices for Pentesting

hashtagCommon Dangerous Settings