SSH
SSH, Secure Shell, OpenSSH
SSH (Secure Shell) provides encrypted remote access. Weak key exchange algorithms, default credentials, and private key exposure are common attack vectors.
Ports
| Port | Protocol | Description |
|---|---|---|
| 22 | tcp | SSH |
Fingerprints
| Banner / Probe | Expected Response |
|---|---|
| nmap -sV -p <port> <target> | Service banner and version info |
| nc -nv <target> <port> | Raw banner grab |
Key Files
| Path | Description |
|---|---|
| /etc/passwd | List of system users |
| /etc/shadow | Password hashes for local users |
| /etc/ssh/sshd_config | SSH server configuration |
| ~/.ssh/id_rsa | SSH private key |
Default Credentials
| Username | Password | Context |
|---|---|---|
| admin | admin | Generic admin account |
| root | root | Generic root account |
Known CVEs
| Identifier | Type | Description |
|---|---|---|
| CVE-2024-6387 | RCE | regreSSHion — OpenSSH signal handler race |
| CVE-2023-38408 | RCE | OpenSSH forwarded SSH agent RCE |
Exploitation Primitives
| Technique | Tool / Command | Result |
|---|---|---|
| Password Brute Force | hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://<target> | SSH credential guessing |
| Key Auth Abuse | ssh -i id_rsa user@<target> | Use stolen private key |
Notes
Check for weak key exchange algorithms: `nmap --script ssh2-enum-algos -p22 <target>`.
Default credentials are shockingly common on IoT and network devices.
Private keys without passphrases in `~/.ssh/` are instant wins.
regreSSHion (CVE-2024-6387) affects OpenSSH < 4.4p1 and 8.5p1–9.7p1 on glibc.
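For the note on passphrase-less private keys, an added audit sketch (not part of the original page) that classifies key files by reading only their headers, so the owner of a `~/.ssh/` directory can find keys stored without a passphrase. The function names `key_protection`, `audit_dir` and `sample_key` are hypothetical, and the sample key is constructed header-only data, not a usable key.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # start of the OpenSSH native private-key blob

def key_protection(text: str) -> str:
    """Classify private-key text as 'encrypted', 'unencrypted' or 'unknown'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"  # PKCS#8 with a passphrase
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return "unknown"
        start = len(MAGIC) + 4
        if not blob.startswith(MAGIC) or len(blob) < start:
            return "unknown"
        # A length-prefixed cipher name follows the magic; "none" means no passphrase.
        (n,) = struct.unpack(">I", blob[len(MAGIC):start])
        cipher = blob[start:start + n]
        if len(cipher) != n:
            return "unknown"  # truncated blob
        return "unencrypted" if cipher == b"none" else "encrypted"
    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC) flags encryption in a Proc-Type header line.
        flagged = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:3])
        return "encrypted" if flagged else "unencrypted"
    return "unknown"

def audit_dir(path: str) -> dict:  # file name -> status for each private key in path
    found = {}
    for p in sorted(Path(path).expanduser().iterdir()):
        try:
            status = key_protection(p.read_text(errors="replace")) if p.is_file() else "unknown"
        except OSError:
            continue  # unreadable file: skip it
        if status != "unknown":
            found[p.name] = status
    return found

def sample_key(cipher: bytes) -> str:
    """Constructed test input: magic and cipher name only, not a usable key."""
    blob = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{blob}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Any file reported as `unencrypted` can be given a passphrase in place with `ssh-keygen -p -f <keyfile>`.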
Seen on
Shodan, Censys, FOFA, ZoomEye
References