SSH – 22 – TCP

Network Attack

Basic Information

SSH or Secure Shell or Secure Socket Shell, is a network protocol that gives users a secure way to access a computer over an unsecured network.Default port: 22

# nmap Scan Result showing SSH is running
22/tcp open  ssh     syn-ack

SSH servers:

  • openSSH – OpenBSD SSH, shipped in BSD, Linux distributions and Windows since Windows 10
  • Dropbear – SSH implementation for environments with low memory and processor resources, shipped in OpenWrt
  • PuTTY – SSH implementation for Windows, the client is commonly used but the use of the server is rarer
  • CopSSH – implementation of OpenSSH for Windows

SSH libraries (implementing server-side):

  • libssh – multiplatform C library implementing the SSHv2 protocol with bindings in Python, Perl and R; it’s used by KDE for sftp and by GitHub for the git SSH infrastructure
  • wolfSSH – SSHv2 server library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments
  • Apache MINA SSHD – Apache SSHD java library is based on Apache MINA
  • paramiko – Python SSHv2 protocol library


nc -vn <IP> 22

Automated ssh-audit

ssh-audit is a tool for ssh server & client configuration auditing. is an updated fork from


  • SSH1 and SSH2 protocol server support;
  • analyze SSH client configuration;
  • grab banner, recognize device or software and operating system, detect compression;
  • gather key-exchange, host-key, encryption and message authentication code algorithms;
  • output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
  • output algorithm recommendations (append or remove based on recognized software version);
  • output security information (related issues, assigned CVE list, etc);
  • analyze SSH version compatibility based on algorithm information;
  • historical information from OpenSSH, Dropbear SSH and libssh;
  • runs on Linux and Windows;
  • no dependencies
usage: [-1246pbcnjvlt] <host>

   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -p,  --port=<port>      port to connect
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
   -n,  --no-colors        disable colors
   -j,  --json             JSON output
   -v,  --verbose          verbose output
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                               (default: 5)
$ python3 ssh-audit <IP>

See it in action (Asciinema)

Public SSH key of server

ssh-keyscan -t rsa <IP> -p <PORT>

Weak Cipher Algorithms

This is discovered by default by nmap. But you can also use sslcan or sslyze.

Nmap scripts

# Send default nmap scripts for SSH
nmap -p22 <ip> -sC 

# Retrieve version
nmap -p22 <ip> -sV

# Retrieve supported algorythms 
nmap -p22 <ip> --script ssh2-enum-algos 

# Retrieve weak keys
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full 

# Check authentication methods
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" 


  • ssh

Brute force usernames, passwords and private keys

Username Enumeration

In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:

# Metasploi
msf> use scanner/ssh/ssh_enumusers

Brute force

Some common ssh credentials here and here and below.

Private/Public Keys BF

If you know some ssh private key that could be used… lets try it. You can use the nmap script:

Or the MSF auxiliary module:

# Metasploit
msf> use scanner/ssh/ssh_identify_pubkeys

Known badkeys can be found here:

You should look here in order to search for valid keys for the victim machine.


crackmapexec using the ssh protocol can use the option --kerberos to authenticate via kerberos. For more info run crackmapexec ssh --help.

Default Credentials

APCapc, deviceapc
Brocadeadminadmin123, password, brocade, fibranne
Ciscoadmin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladminadmin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme
Citrixroot, nsroot, nsmaint, vdiadmin, kvm, cli, adminC1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler
D-Linkadmin, userprivate, admin, user
Dellroot, user1, admin, vkernel, clicalvin, 123456, password, vkernel, Stor@ge!, admin
EMCadmin, root, sysadminEMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc
HP/3Comadmin, root, vcx, app, spvar, manage, hpsupport, opc_opadmin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin
Huaweiadmin, root123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123
IBMUSERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customerPASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer
Oracleroot, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2userchangeme, ilom-admin, ilom-operator, welcome1, oracle
VMwarevi-admin, root, hqadmin, vmware, adminvmware, vmw@re, hqadmin, default


If you are in the local network as the victim which is going to connect to the SSH server using username and password you could try to perform a MitM attack to steal those credentials:

Attack path:

  • user traffic is redirected to the attacking machine
  • the attacker monitors attempts to connect to the SSH server and redirects them to its SSH server
  • the attacker’s SSH server is configured, firstly, to log all entered data, including the user’s password, and, secondly, send commands to the legitimate SSH server to which the user wants to connect, to execute them, and then return the results to the legitimate user

****SSH MITM **** does exactly what is described above.

In order to capture perform the actual MitM you could use techniques like ARP spoofing, DNS spoofin or others described in the Network Spoofing attacks.

Config Misconfigurations

Root login

By default most SSH server implementation will allow root login, it is advised to disable it because if the credentials of this accounts leaks, attackers will get administrative privileges directly and this will also allow attackers to conduct bruteforce attacks on this account.How to disable root login for openSSH:

  1. 1.Edit SSH server configuration sudoedit /etc/ssh/sshd_config
  2. 2.Change #PermitRootLogin yes into PermitRootLogin no
  3. 3.Take into account configuration changes: sudo systemctl daemon-reload
  4. 4.Restart the SSH server sudo systemctl restart sshd

SFTP command execution

Another common SSH misconfiguration is often seen in SFTP configuration. Most of the time when creating a SFTP server the administrator want users to have a SFTP access to share files but not to get a remote shell on the machine. So they think that creating a user, attributing him a placeholder shell (like /usr/bin/nologin or /usr/bin/false) and chrooting him in a jail is enough to avoid a shell access or abuse on the whole file system. But they are wrong, a user can ask to execute a command right after authentication before it’s default command or shell is executed. So to bypass the placeholder shell that will deny shell access, one only has to ask to execute a command (eg. /bin/bash) before, just by doing:

$ ssh -v noraj@ id
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to ([]:22).
debug1: channel 0: new [client-session]
debug1: Requesting
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype reply 0
uid=1000(noraj) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0

$ ssh noraj@ /bin/bash

Here is an example of secure SFTP configuration (/etc/ssh/sshd_config – openSSH) for the user noraj:

Match User noraj
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
        PermitTunnel no
        X11Forwarding no
        PermitTTY no

SFTP Tunneling

If you have access to a SFTP server you can also tunnel your traffic through this for example using the common port forwarding:

sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>

The sftp have the command “symlink“. Therefor, if you have writable rights in some folder, you can create symlinks of other folders/files. As you are probably trapped inside a chroot this won’t be specially useful for you, but, if you can access the created symlink from a no-chroot service (for example, if you can access the symlink from the web), you could open the symlinked files through the web.For example, to create a symlink from a new file froot” to “/:

sftp> symlink / froot

If you can access the file “froot” via web, you will be able to list the root (“/”) folder of the system.

Authentication methods

On high security environment it’s a common practice to enable only key-based or two factor authentication rather than the simple factor password based authentication. But often the stronger authentication methods are enabled without disabling the weaker ones. A frequent case is enabling publickey on openSSH configuration and setting it as the default method but not disabling password. So by using the verbose mode of the SSH client an attacker can see that a weaker method is enabled:

$ ssh -v
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
debug1: Authentications that can continue: publickey,password,keyboard-interactive

For example if an authentication failure limit is set and you never get the chance to reach the password method, you can use the PreferredAuthentications option to force to use this method.

$ ssh -v -o PreferredAuthentications=password
debug1: Next authentication method: password

Review the SSH server configuration is necessary to check that only expected methods are authorized. Using the verbose mode on the client can help to see the effectiveness of the configuration.

Config files




Leave a Reply

Your email address will not be published. Required fields are marked *