Secure shell (SSH)

Secure shell (SSH) is the most commonly used protocol to access a remote shell on a remote host.

🐊️ Port: 22 (TCP)

🥊 SSH can also wrap an insecure protocol in a secure connection. For instance, SFTP transfers files over SSH instead of using plain FTP.

Basic usage:

$ ssh username@IP
$ ssh username@IP -p port

You may use a private key instead of a password (if configured). Note that the key file's permissions must be 600 (no group or other access), or ssh will refuse to use it.

$ ssh username@IP -i /path/to/id_rsa
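The permission check described above, as an added example that is not part of the original notes: a small shell function that verifies a private key is not group- or world-readable before it is passed to `ssh -i`. It assumes GNU `stat` (Linux) and uses a constructed throwaway file for the demo, not a real key.

```shell
# Added example (not from the original notes): check that a private key file
# is not more permissive than 0600 before handing it to ssh -i.
# ssh itself rejects keys that are readable by group or others.
# Assumes GNU stat (Linux). Returns 0 if ok, 1 if too open, 2 if missing.
check_key_perms() {
  key="$1"
  [ -f "$key" ] || { echo "no such key file: $key" >&2; return 2; }
  mode=$(stat -c '%a' "$key")        # e.g. 600 or 644 (may have a leading sticky digit)
  # Keep only the group and other digits (the last two characters).
  go=${mode#${mode%??}}
  if [ "$go" != "00" ]; then
    echo "$key has mode $mode: group/other bits set, ssh will reject it" >&2
    return 1
  fi
  return 0
}

# Demo on a constructed placeholder file (not a real key).
demo_key_perms() {
  tmp=$(mktemp)
  printf 'constructed placeholder, not a real key\n' > "$tmp"
  chmod 644 "$tmp"
  check_key_perms "$tmp" && echo "unexpected: 644 accepted"
  chmod 600 "$tmp"
  check_key_perms "$tmp" && echo "$tmp: ok (600)"
  rm -f "$tmp"
}

demo_key_perms
```

Run it before `ssh -i` in scripts; a key copied in from a Windows share or unpacked from an archive commonly arrives as 644 and fails the check.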

SSH Pentester Notes ☠️

  • The .ssh folder may contain an SSH key (often called id_rsa) to connect to a host. This file may be protected by a passphrase, but using offline hash cracking we may be able to find it.

  • Use -v to see the authentication methods the server allows, and force one that is convenient for us:

$ ssh [...] -v -o PreferredAuthentications=password

  • The password may be weak and vulnerable to brute force:

$ hydra -L user.list -P password.list ssh://IP -V -f
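The defender's side of the brute-force note above, as an added example that is not part of the original notes: a shell function that reads sshd log lines in the standard Debian/Ubuntu auth.log format (an assumption about the input) and reports source addresses with at least a threshold of failed password attempts. The log lines below are constructed sample data, not output from a real host.

```shell
# Added example (not from the original notes): flag source IPs with many
# failed SSH password logins, which is what a hydra run looks like in auth.log.
# Input format assumed: "sshd[pid]: Failed password for [invalid user] NAME from IP port N ssh2".
# Usage: count_failed_logins <threshold> < logfile   -> prints "ip count" per offender
count_failed_logins() {
  threshold="${1:-5}"
  awk -v thr="$threshold" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # The source address is the field right after the word "from".
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip != "") fails[ip]++
    }
    END {
      for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip]
    }' | sort
}

# Constructed sample lines (not real log data): one noisy source, one normal user.
SAMPLE_AUTH_LOG='Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 10:00:02 host sshd[1203]: Failed password for root from 198.51.100.7 port 40124 ssh2
Mar  3 10:00:03 host sshd[1205]: Failed password for root from 198.51.100.7 port 40126 ssh2
Mar  3 10:00:04 host sshd[1207]: Failed password for invalid user test from 198.51.100.7 port 40128 ssh2
Mar  3 10:00:05 host sshd[1209]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 10:00:06 host sshd[1211]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2: RSA SHA256:constructed
Mar  3 10:00:07 host sshd[1213]: Failed password for alice from 203.0.113.5 port 51002 ssh2'

# Returns the offending sources as "ip count", one per line (threshold 5).
demo_bruteforce_report() {
  printf '%s\n' "$SAMPLE_AUTH_LOG" | count_failed_logins 5
}

demo_bruteforce_report
```

On a live host feed it with `journalctl -u ssh` or `/var/log/auth.log`; the single failure from the normal user stays below the threshold, so only the noisy source is reported.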

Additional Resources

  • Run ssh-audit (3.0k ⭐) and analyze the output

  • Use puttygen saved_key.ppk -O private-openssh -o id_rsa to convert a Putty key file to a Linux SSH file.

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

  • ssh xxx@yyy -T -L sp:domain:dp: create a tunnel mapping local port sp to domain:dp through the SSH host. ssh -N -f -l username IP: log in as username, run no remote command (-N) and go to the background (-f).
  • ssh-keygen
  • ssh-keygen -f key: generate a key pair; append the public part (key.pub) to /root/.ssh/authorized_keys with >> to allow login with it.
  • -R "xxx"
  • ssh -X with X11Forwarding enabled
  • sshpass -p 'XXX' ssh xxx@IP
  • Authorized keys
  • sudo systemctl restart sshd
  • ssh-copy-id username@server: add to remote server our public key
  • /etc/ssh/sshd_config
    • PermitRootLogin no
    • PubkeyAuthentication yes
    • PasswordAuthentication no
    • Hardening
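The three sshd_config directives listed above, as an added example that is not part of the original notes: a shell function that audits a config for them following sshd's own parsing rules (case-insensitive keywords, `#` comments, the first occurrence of a directive wins, either whitespace or `=` separating keyword and value). The defaults used when a directive is absent are an assumption based on modern OpenSSH (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes), and only the global section before the first Match block is audited. Both config samples are constructed.

```shell
# Added example (not from the original notes): audit an sshd_config for the
# hardening directives PermitRootLogin, PasswordAuthentication, PubkeyAuthentication.
# Parsing mirrors sshd: keywords case-insensitive, '#' lines are comments, the
# FIRST occurrence of a directive wins, "Keyword value" or "Keyword=value".
# Assumed defaults when absent (OpenSSH 7.0+): PermitRootLogin prohibit-password,
# PasswordAuthentication yes, PubkeyAuthentication yes. Stops at the first Match block.
# Usage: audit_sshd_config < sshd_config   -> one "WEAK ..." line per finding
audit_sshd_config() {
  awk '
    BEGIN {
      want["permitrootlogin"]        = "no"
      want["passwordauthentication"] = "no"
      want["pubkeyauthentication"]   = "yes"
      val["permitrootlogin"]         = "prohibit-password"   # assumed default
      val["passwordauthentication"]  = "yes"                 # assumed default
      val["pubkeyauthentication"]    = "yes"                 # assumed default
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                        # comments and blank lines
    /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }              # only the global section is audited
    {
      gsub(/=/, " ")                                         # allow Keyword=value form
      key = tolower($1); v = tolower($2)
      if ((key in want) && !(key in seen)) { seen[key] = 1; val[key] = v }
    }
    END {
      for (k in want) if (val[k] != want[k]) print "WEAK " k "=" val[k] " (want " want[k] ")"
    }' | sort
}

# Constructed samples, not configs from a real host.
WEAK_CONFIG='# constructed weak sample
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no'

HARDENED_CONFIG='Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes'

# Number of findings for a config passed as a string.
count_weak() { printf '%s\n' "$1" | audit_sshd_config | grep -c . || true; }

printf 'weak sample:\n';     printf '%s\n' "$WEAK_CONFIG"     | audit_sshd_config
printf 'hardened sample:\n'; printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config
```

In the weak sample the later `PermitRootLogin no` does not rescue the earlier `yes`, and the commented-out `PasswordAuthentication` line leaves the default in force, so both are reported; remember to `sudo systemctl restart sshd` after editing and to keep a session open until the new config is confirmed to accept logins.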

SSH Forward Agent tests

$ ssh xxx@yyy -A
ssh> ssh-add -l
ssh> cat /proc/$$/environ | tr '\0' '\n' | grep SSH_AUTH_SOCK
ssh> cat /proc/*/environ 2> /dev/null | tr '\0' '\n' | grep SSH_AUTH_SOCK
ssh> SSH_AUTH_SOCK=/tmp/ssh-XXX/agent.$pid <something?>