mirror of
https://github.com/anotherhadi/blog.git
synced 2026-05-20 05:32:32 +02:00
b4b755b608
Signed-off-by: Hadi <hadi@example.com>
| title | description | tags | publishDate |
|---|---|---|---|
| SSH | Enumeration, exploitation and post-exploitation techniques for SSH servers. | | 2026-05-04 |
Overview
SSH listens on TCP port 22 by default and provides an encrypted remote shell. Common implementations include OpenSSH, Dropbear and Bitvise.
Enumeration
Banner grabbing
nc -nv $IP 22
ssh $IP
The banner reveals the software and version (e.g. OpenSSH_9.2).
Nmap
nmap -sV -p 22 $IP
nmap -p 22 --script "ssh-*" $IP
Key scripts:
ssh-hostkey: retrieves the server's public key
ssh-auth-methods: lists accepted authentication methods
ssh-brute: brute-force credentials
Connect
ssh $user@$IP
ssh -p 2222 $user@$IP
ssh -i id_rsa $user@$IP
Brute Force
hydra -l $user -P ~/wordlists/rockyou.txt ssh://$IP
medusa -h $IP -u $user -P ~/wordlists/rockyou.txt -M ssh
Only viable if password auth is enabled. Check with:
ssh -v $user@$IP
Look for publickey,password in the output.
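Seen from the server side, the same check is a question about the effective sshd configuration. The function below is an added example, not code from the original post: it reads `sshd -T` style output and flags settings that leave password guessing possible. The sample config is constructed, and the maxauthtries threshold of 3 is an assumed policy value.

```shell
#!/bin/sh
# Added example: audit effective sshd settings for exposure to password guessing.
# Input format is that of `sshd -T`: one lowercase "keyword value" pair per line.

# Constructed sample of effective settings, not taken from a real host.
sample_config() {
cat <<'EOF'
port 22
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
maxauthtries 6
EOF
}

# audit_sshd: reads effective config on stdin, prints one finding per line.
# Exit status is 0 when nothing is flagged and 1 when there is any finding.
audit_sshd() {
  awk '
    { key = tolower($1); val = tolower($2) }
    key == "passwordauthentication" && val == "yes" {
      print "FAIL passwordauthentication=yes (password guessing possible)"; bad++ }
    # Older OpenSSH releases report this setting as challengeresponseauthentication.
    (key == "kbdinteractiveauthentication" ||
     key == "challengeresponseauthentication") && val == "yes" {
      print "FAIL " key "=yes (PAM password prompts possible)"; bad++ }
    key == "permitrootlogin" && val == "yes" {
      print "FAIL permitrootlogin=yes (root reachable with a password)"; bad++ }
    # Assumed policy threshold: more than 3 attempts per connection is flagged.
    key == "maxauthtries" && val + 0 > 3 {
      print "WARN maxauthtries=" val " (above assumed limit of 3)"; bad++ }
    END { exit (bad > 0) }
  '
}

# On a real host, as root: sshd -T | audit_sshd
```

A clean result means password-based methods are off, so only publickey should appear in the methods list that `ssh -v` reports.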
Key-Based Auth
If you find a private key (id_rsa), set permissions and connect:
chmod 600 id_rsa
ssh -i id_rsa $user@$IP
If the key is encrypted, crack the passphrase:
ssh2john id_rsa > hash.txt
john hash.txt --wordlist="$HOME/wordlists/rockyou.txt"
hashcat -m 22921 hash.txt ~/wordlists/rockyou.txt