Skip to content

Introduction

SSH (Secure Shell) is a protocol for secure remote access and file transfer between systems. It encrypts all communications, protecting against eavesdropping and attacks. SSH uses a client-server model and supports both password and key-based authentication.

SSH Connection Management

Use the following commands to establish SSH connections.

Connection Type Command Description
Password Auth ssh -p 22 [USERNAME]@[TARGET-IP] Connects to an SSH server using password.
Private Key Auth chmod 600 PATH/TO/PRIVATE-KEY then ssh -i PATH/TO/PRIVATE/KEY [USERNAME]@[TARGET-IP] Sets the correct permissions for a private key and uses it to establish an SSH connection.

Brute-Forcing SSH Credentials

Hydra can be used to brute-force SSH logins under different scenarios:

Scenario Command
Unknown User hydra -L user.txt -p "Password" -f [TARGET-IP] ssh
Unknown Password hydra -l user -P /opt/rockyou.txt -f [TARGET-IP] ssh
Unknown User and Password hydra -L user.txt -P /opt/rockyou.txt -f [TARGET-IP] ssh
Different Port hydra -l user -P /opt/rockyou.txt -f [TARGET-IP] ssh -s 9999

Bypassing SSH Restrictions

Useful techniques for executing commands or scripts over SSH:

Scenario Command
Escaping to Another Shell sshpass -p '[PASSWORD]' ssh [USERNAME]@[TARGET-IP] -t bash
Remote Command Execution ssh [USERNAME]@[TARGET-IP] 'echo "[COMMAND-HERE]"'
Execute Local Script Remotely ssh [USERNAME]@[TARGET-IP] 'bash -s' < /path/to/local_script.sh

Nmap NSE Scripts for SSH

Nmap NSE scripts specifically designed for SSH to discover vulnerabilities or gather information.

Task Command Description
Discovering SSH-related Scripts ls /usr/share/nmap/scripts/ \| grep "ssh" Lists all Nmap NSE scripts related to SSH. This helps in selecting the appropriate scripts for targeted SSH testing.
Run SSH NSE Scripts nmap -p 22 --script ssh* [TARGET-IP] Executes SSH-related Nmap scripts against a target IP on port 22 for comprehensive vulnerability scanning and information gathering.