anotherhadi/blog
1
Fork 0
mirror of https://github.com/anotherhadi/blog.git synced 2026-05-20 05:32:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

Init ssh

Browse Source 
Signed-off-by: Hadi <hadi@example.com>
This commit is contained in:
Hadi
2026-05-04 14:15:59 +02:00
parent 3e60ae5a35
commit b4b755b608
1 changed files with 75 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/content/notes/network/ssh.md
+75
View File
@@ -0,0 +1,75 @@
---
title: "SSH"
description: "Enumeration, exploitation and post-exploitation techniques for SSH servers."
tags: ["ssh", "network", "service"]
publishDate: 2026-05-04
---
## Overview
SSH runs on **port 22** and provides an encrypted remote shell.
Common implementations: OpenSSH, Dropbear, Bitvise.
## Enumeration
### Banner grabbing
```bash
nc -nv $IP 22
ssh $IP
```
The banner reveals the software and version (e.g. `OpenSSH_9.2`).
### Nmap
```bash
nmap -sV -p 22 $IP
nmap -p 22 --script ssh-* $IP
```
Key scripts:
- `ssh-hostkey`: retrieves the server's public key
- `ssh-auth-methods`: lists accepted authentication methods
- `ssh-brute`: brute-force credentials
## Connect
```bash
ssh $user@$IP
ssh -p 2222 $user@$IP
ssh -i id_rsa $user@$IP
```
## Brute Force
```bash
hydra -l $user -P ~/wordlists/rockyou.txt ssh://$IP
medusa -h $IP -u $user -P ~/wordlists/rockyou.txt -M ssh
```
Only viable if password auth is enabled. Check with:
```bash
ssh -v $user@$IP
```
Look for `publickey,password` in the output.
## Key-Based Auth
If you find a private key (`id_rsa`), set permissions and connect:
```bash
chmod 600 id_rsa
ssh -i id_rsa $user@$IP
```
If the key is encrypted, crack the passphrase:
```bash
ssh2john id_rsa > hash.txt
john hash.txt --wordlist=~/wordlists/rockyou.txt
hashcat -m 22921 hash.txt ~/wordlists/rockyou.txt
```