Init ssh

Signed-off-by: Hadi <hadi@example.com>

src/content/notes/network/ssh.md

@@ -0,0 +1,75 @@
+---
+title: "SSH"
+description: "Enumeration, exploitation and post-exploitation techniques for SSH servers."
+tags: ["ssh", "network", "service"]
+publishDate: 2026-05-04
+---
+
+## Overview
+
+SSH runs on **port 22** and provides an encrypted remote shell.
+Common implementations: OpenSSH, Dropbear, Bitvise.
+
+## Enumeration
+
+### Banner grabbing
+
+```bash
+nc -nv $IP 22
+ssh $IP
+```
+
+The banner reveals the software and version (e.g. `OpenSSH_9.2`).
+
+### Nmap
+
+```bash
+nmap -sV -p 22 $IP
+nmap -p 22 --script ssh-* $IP
+```
+
+Key scripts:
+
+- `ssh-hostkey`: retrieves the server's public key
+- `ssh-auth-methods`: lists accepted authentication methods
+- `ssh-brute`: brute-force credentials
+
+## Connect
+
+```bash
+ssh $user@$IP
+ssh -p 2222 $user@$IP
+ssh -i id_rsa $user@$IP
+```
+
+## Brute Force
+
+```bash
+hydra -l $user -P ~/wordlists/rockyou.txt ssh://$IP
+medusa -h $IP -u $user -P ~/wordlists/rockyou.txt -M ssh
+```
+
+Only viable if password auth is enabled. Check with:
+
+```bash
+ssh -v $user@$IP
+```
+
+Look for `publickey,password` in the output.
+
+## Key-Based Auth
+
+If you find a private key (`id_rsa`), set permissions and connect:
+
+```bash
+chmod 600 id_rsa
+ssh -i id_rsa $user@$IP
+```
+
+If the key is encrypted, crack the passphrase:
+
+```bash
+ssh2john id_rsa > hash.txt
+john hash.txt --wordlist=~/wordlists/rockyou.txt
+hashcat -m 22921 hash.txt ~/wordlists/rockyou.txt
+```