SSH Pentest - Cheat Sheet

This document provides instructions to perform a penetration test of an SSH service running on a remote host. It describes steps to identify the SSH version, banner, encryption algorithms, host key, authentication methods, and scripts. It then provides directions to search exploit databases and Metasploit for known exploits against the identified SSH software and version. Finally, it discusses using SSH port forwarding and tunneling for pivoting during the pentest.


Identify SSH version
  Command: nmap 192.168.1.5 -p22 -sV
  - Identify if SSH is using an older version of the protocol, such as v1.
  - Identify if the SSH service uses any non-standard SSH software (e.g. other than OpenSSH).
  - Identify if the SSH software in use is outdated or obsolete.

Banner grabbing
  Command: nc 192.168.1.5 22
  - Identify if a custom banner with a security warning message for using the SSH service is displayed to all remote users.
  - If the default SSH banner is displayed, identify which software package it uses and whether it has any publicly known vulnerabilities and exploits.

Fetch pre-login banner
  Command: ssh [email protected]
  - Identify if a custom banner discloses any sensitive information, such as the login method, default username, contact/support email or a person's name.

Encryption algorithms supported by SSH
  Command: nmap -p22 192.168.1.5 --script ssh2-enum-algos
  - Identify if any weak encryption and hashing algorithms are offered.

SSH hostkey
  Command: nmap -p22 192.168.1.5 --script ssh-hostkey --script-args ssh_hostkey=full
  - Identify if weak SSH keys are used for the integrity check.
  - Try abusing weak keys by compromising clients (applicable only to specific scenarios, not to every remote pentest).
  - Reference: https://www.pentestpartners.com/security-blog/how-to-abuse-ssh-keys/
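Added example, not from the cheat sheet: a small audit script that applies the banner and algorithm checks above to text in the format the nmap ssh2-enum-algos script prints, so an administrator can review what their own server offers. The weak-algorithm sets and the sample scan output are constructed assumptions, not real results.

```python
import re
# Added example, not part of the cheat sheet: audit a server banner plus nmap ssh2-enum-algos output.
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
HEADER_RE = re.compile(r"^(?P<cat>[a-z_]+_algorithms): \(\d+\)$")
WEAK = {  # illustrative weak sets (assumption: drawn from common hardening guides, not exhaustive)
    "kex_algorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"},
    "server_host_key_algorithms": {"ssh-dss", "ssh-rsa"},  # ssh-rsa = RSA with SHA-1 signatures
    "encryption_algorithms": {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc"},
    "mac_algorithms": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}

def parse_banner(line):
    """Split an RFC 4253 identification string; protocol 1.x (incl. 1.99) means SSH-1 is still offered."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    info = m.groupdict()
    info["legacy_protocol"] = info["proto"].startswith("1.")
    return info

def parse_enum_algos(text):
    """Turn the indented '| category: (n)' / '|   algorithm' nmap listing into {category: [algorithms]}."""
    algos, current = {}, None
    for line in (raw.strip("| \t") for raw in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            current = m.group("cat")
            algos[current] = []
        elif line and current:
            algos[current].append(line)
    return algos

def audit(banner, enum_output):
    """Findings a defender acts on: whether SSH-1 is offered, and weak algorithms per category."""
    findings = {"legacy_protocol": parse_banner(banner)["legacy_protocol"]}
    offered = parse_enum_algos(enum_output)
    for cat, weak in WEAK.items():
        findings[cat] = sorted(a for a in offered.get(cat, []) if a in weak)
    return findings

# Constructed sample in the nmap script's output format (not a real scan result).
SAMPLE_BANNER = "SSH-1.99-OpenSSH_4.3"
SAMPLE_ENUM = """| ssh2-enum-algos:
|   kex_algorithms: (2)
|       curve25519-sha256
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (1)
|       3des-cbc"""
```

Feed `audit()` the banner `nc` returns and the `ssh2-enum-algos` block from your own nmap output; every non-empty list in the result is a setting to remove from the server's sshd_config.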

Authentication methods
  Command: nmap -p22 192.168.1.5 --script ssh-auth-methods --script-args="ssh.user=admin"
  - Identify which authentication methods are enabled for the discovered usernames.
  - Determine weak authentication methods and related vulnerabilities and exploits.
  - Note: ssh.user=admin can be any username for which you are trying to identify authentication methods.

Dictionary attack
  Command: hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.40.231.3 ssh
  - Note: -l takes the username to brute-force, and rockyou.txt contains the list of passwords to try.

NSE scripts
  Command: nmap -p22 192.168.1.5 --script ssh*
  - Review the output of each Nmap script and determine weaknesses, related vulnerabilities and exploits, and any information that can help narrow down further attacks on the SSH server.
  - Note: ssh* runs all SSH scripts against the target server.

Search in Exploit-DB
  1. Find exploit: once the SSH software package name and version are identified, search within Exploit-DB (Google search: libssh 8.0.3 exploit-db).
  2. Compile exploit: compilation may require fixing some coding errors. The target IP address may need to be added manually within the code before compiling.
  3. Run the exploit.
  4. Observe the result: monitor the traffic in Wireshark for a detailed review if the exploit does not print any output on the screen.

Search Metasploit auxiliary and exploits
  Command: search libssh
  - Once the SSH software package name and version are identified, search within Metasploit.
  - Check all auxiliaries and exploits and identify the specific one that aligns with your SSH version before running it.

Port Forwarding / SSH Tunneling
  - On the compromised system/server, perform SSH tunneling and SSH port forwarding where required in order to pivot.
  - Reference: https://guide.offsecnewbie.com/port-forwarding-ssh-tunneling
