
SSH Enumeration

SSH Banner Grabbing

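# Using netcat (the server sends its identification string, e.g. SSH-2.0-<software version>, as soon as the connection opens)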
nc target.com 22

# Using telnet
telnet target.com 22

# Using nmap
nmap -sV -p 22 target.com

Nmap SSH Scripts

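# Run every NSE script matching ssh-* (this also selects the intrusive ssh-brute; quote the pattern so the shell cannot expand it)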
nmap --script ssh-* -p 22 target.com

# SSH auth methods
nmap --script ssh-auth-methods -p 22 target.com

# SSH host key
nmap --script ssh-hostkey -p 22 target.com

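# SSH password guessing (in Nmap's brute and intrusive categories; each attempt is recorded as a failed login in the server's auth log)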
nmap --script ssh-brute -p 22 target.com

SSH Connection

# Basic connection
ssh user@target.com

# Specific port
ssh user@target.com -p 2222

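# With a private key (the key file must not be readable by other users, e.g. mode 600, or ssh refuses to use it)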
ssh -i private_key user@target.com

# Verbose mode
ssh -v user@target.com

# X11 forwarding (the remote side gains access to your local X display; enable only for hosts you trust)
ssh -X user@target.com

# Dynamic port forwarding (SOCKS proxy)
ssh -D 8080 user@target.com

# Local port forwarding
ssh -L 8080:localhost:80 user@target.com

# Remote port forwarding
ssh -R 8080:localhost:80 user@target.com

SSH Tunneling

# Local port forwarding
ssh -L local_port:remote_host:remote_port user@ssh_server

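# Remote port forwarding (the listener is opened on ssh_server; it binds to loopback there unless the server's GatewayPorts setting allows otherwise)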
ssh -R remote_port:local_host:local_port user@ssh_server

# Dynamic port forwarding
ssh -D local_port user@ssh_server

Hydra - SSH Brute Force

# Single user
hydra -l username -P /usr/share/wordlists/rockyou.txt ssh://target.com

# Multiple users
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://target.com

# With specific port
hydra -l username -P passwords.txt ssh://target.com:2222

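# Explicit task count (-t sets parallel connections; 16 is already Hydra's default, and sshd settings such as MaxStartups limit concurrent unauthenticated connections)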
hydra -l username -P passwords.txt -t 16 ssh://target.com

SSH Key Generation

# Generate a 4096-bit RSA key pair (set a passphrase when prompted so the private key is encrypted at rest)
ssh-keygen -t rsa -b 4096

# Generate ED25519 key
ssh-keygen -t ed25519

# Generate with a specific filename (writes my_key and my_key.pub; no -b given, so the RSA key uses ssh-keygen's default size)
ssh-keygen -t rsa -f my_key

SSH Config

# Location: ~/.ssh/config (per-user client configuration; keep it read/write for the owner only and not writable by others)

Host myserver
    HostName target.com
    User username
    Port 2222
    IdentityFile ~/.ssh/private_key