Service Detection
Banner Grab
Brute-Force
Login with Credentials
Login with Key
Specify Algorithm (Old Servers)
User Enumeration
CVE-2018-15473 (OpenSSH < 7.7)
Nmap
SSH Tunneling
Local Port Forward
Access internal service through SSH:Remote Port Forward
Expose attacker service to target network:Dynamic SOCKS Proxy
SSH Key Theft
Crack Key Passphrase
Authorized Keys Persistence
NSE Scripts
Quick Reference
| Check | Command |
|---|---|
| Brute-force | hydra -L users.txt -P pass.txt ssh://TARGET |
| Key login | ssh -i id_rsa user@TARGET |
| Local forward | ssh -L 8080:INTERNAL:80 user@TARGET |
| SOCKS proxy | ssh -D 9050 user@TARGET |
| Crack key | ssh2john id_rsa > hash; john hash |