Comprehensive SSH Penetration Testing
Conduct thorough SSH security assessments including server enumeration, authentication testing, key analysis, configuration auditing, and post-exploitation via SSH tunneling. This skill covers SSH version detection, cipher audit, credential attacks, key-based authentication testing, and SSH tunnel pivoting for authorized penetration testing.
When to Use This Skill
Choose Comprehensive SSH Penetration Testing when you need to:
- Audit SSH server configurations for security weaknesses
- Test SSH authentication mechanisms (password, key, certificate)
- Identify weak ciphers, MACs, and key exchange algorithms
- Use SSH tunneling for pivoting during authorized penetration tests
Consider alternatives when:
- You need general network scanning (use scanning framework skills)
- You need to test other remote access services (use protocol-specific skills)
- You need to harden SSH configurations defensively (use CIS benchmarks)
Quick Start
```bash
# SSH version and algorithm enumeration
nmap -sV -p22 --script ssh2-enum-algos,ssh-auth-methods target.com

# SSH configuration audit
ssh-audit target.com

# Cipher and algorithm check
nmap -p22 --script ssh2-enum-algos target.com
```
```python
import socket
import struct
from typing import Dict, List

import paramiko


class SSHSecurityAuditor:
    """Audit SSH server security configuration."""

    # Weak algorithms to flag
    WEAK_CIPHERS = {
        'arcfour', 'arcfour128', 'arcfour256',
        '3des-cbc', 'blowfish-cbc', 'cast128-cbc',
        'aes128-cbc', 'aes192-cbc', 'aes256-cbc',  # CBC mode
    }
    WEAK_MACS = {
        'hmac-md5', 'hmac-md5-96', 'hmac-sha1-96',
        '[email protected]',
    }
    WEAK_KEX = {
        'diffie-hellman-group1-sha1',
        'diffie-hellman-group14-sha1',
        'diffie-hellman-group-exchange-sha1',
    }

    def __init__(self, target: str, port: int = 22, timeout: int = 10):
        self.target = target
        self.port = port
        self.timeout = timeout
        self.findings: List[Dict[str, str]] = []

    def banner_grab(self) -> str:
        """Grab the SSH identification string for version detection."""
        try:
            sock = socket.create_connection((self.target, self.port), timeout=self.timeout)
            banner = sock.recv(256).decode('utf-8', errors='ignore').strip()
            sock.close()
            print(f"SSH Banner: {banner}")

            # "SSH-1.x" is protocol 1 only; "SSH-1.99" still accepts protocol 1
            if 'SSH-1' in banner:
                self.findings.append({
                    'check': 'SSH Version',
                    'severity': 'CRITICAL',
                    'detail': 'SSHv1 supported — vulnerable to MITM attacks',
                })
            if 'OpenSSH_' in banner:
                version = banner.split('OpenSSH_')[1].split(' ')[0]
                print(f"  OpenSSH version: {version}")
            return banner
        except Exception as e:
            return f"Error: {e}"

    @staticmethod
    def _parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
        """Split a raw SSH_MSG_KEXINIT (RFC 4253 section 7.1) into its name-lists."""
        fields = ['kex', 'hostkey', 'enc_c2s', 'enc_s2c', 'mac_c2s', 'mac_s2c',
                  'comp_c2s', 'comp_s2c', 'lang_c2s', 'lang_s2c']
        offset = 1 + 16  # message type byte followed by the 16-byte cookie
        lists: Dict[str, List[str]] = {}
        for name in fields:
            (length,) = struct.unpack('>I', payload[offset:offset + 4])
            offset += 4
            value = payload[offset:offset + length].decode('ascii')
            offset += length
            lists[name] = value.split(',') if value else []
        return lists

    def check_algorithms(self) -> None:
        """Check which cryptographic algorithms the server offers."""
        try:
            transport = paramiko.Transport((self.target, self.port))
            transport.start_client(timeout=self.timeout)
            # get_security_options() only lists paramiko's own client preferences.
            # The server's offer is the KEXINIT it sent, which paramiko keeps for
            # the exchange hash as transport.remote_kex_init.
            offered = self._parse_kexinit(transport.remote_kex_init)
            transport.close()

            ciphers = sorted(set(offered['enc_c2s']) | set(offered['enc_s2c']))
            macs = sorted(set(offered['mac_c2s']) | set(offered['mac_s2c']))
            kex = offered['kex']

            for cipher in ciphers:
                if cipher in self.WEAK_CIPHERS:
                    self.findings.append({
                        'check': 'Weak Cipher',
                        'severity': 'MEDIUM',
                        'detail': f'Weak cipher supported: {cipher}',
                    })
            for mac in macs:
                if mac in self.WEAK_MACS:
                    self.findings.append({
                        'check': 'Weak MAC',
                        'severity': 'MEDIUM',
                        'detail': f'Weak MAC supported: {mac}',
                    })
            for algo in kex:
                if algo in self.WEAK_KEX:
                    self.findings.append({
                        'check': 'Weak KEX',
                        'severity': 'MEDIUM',
                        'detail': f'Weak key exchange: {algo}',
                    })

            print(f"Ciphers: {ciphers}")
            print(f"MACs: {macs}")
            print(f"KEX: {kex}")
        except Exception as e:
            print(f"Algorithm check failed: {e}")

    def check_auth_methods(self, username: str = 'root') -> None:
        """Check which authentication methods the server advertises for a user."""
        try:
            transport = paramiko.Transport((self.target, self.port))
            transport.start_client(timeout=self.timeout)
            try:
                # The "none" method is normally rejected; the rejection carries the
                # list of methods the server does accept for this user.
                methods = transport.auth_none(username)
                if transport.is_authenticated():
                    self.findings.append({
                        'check': 'No Auth',
                        'severity': 'CRITICAL',
                        'detail': f'No authentication required for {username}!',
                    })
            except paramiko.BadAuthenticationType as e:
                methods = e.allowed_types
            finally:
                transport.close()

            print(f"Auth methods for '{username}': {methods}")
            if 'password' in methods:
                self.findings.append({
                    'check': 'Password Auth',
                    'severity': 'LOW',
                    'detail': f'Password authentication enabled for {username}',
                })
        except Exception as e:
            print(f"Auth check failed: {e}")

    def report(self) -> None:
        print(f"\n=== SSH SECURITY AUDIT: {self.target}:{self.port} ===")
        if not self.findings:
            print("No significant issues found")
        for f in self.findings:
            print(f"[{f['severity']}] {f['check']}: {f['detail']}")


# auditor = SSHSecurityAuditor("target.com")
# auditor.banner_grab()
# auditor.check_algorithms()
# auditor.check_auth_methods()
# auditor.report()
```
Core Concepts
SSH Attack Surface
| Vector | Description | Impact |
|---|---|---|
| Weak credentials | Default or guessable passwords | Server compromise |
| Key theft | Stolen private keys from compromised systems | Unauthorized access |
| Weak algorithms | Deprecated ciphers (3DES, RC4, CBC mode) | Traffic decryption |
| Agent forwarding abuse | Hijacking SSH agent on compromised host | Lateral movement |
| Known vulnerabilities | CVEs in specific SSH versions | RCE, auth bypass |
| Tunneling/pivoting | Using SSH as a proxy through compromised hosts | Network access |
Configuration
| Parameter | Description | Default |
|---|---|---|
| target | SSH server hostname or IP | Required |
| port | SSH port | 22 |
| username | Username for auth testing | "root" |
| key_file | Private key file for key-based auth testing | None |
| timeout | Connection timeout (seconds) | 10 |
| brute_force_delay | Delay between auth attempts | 0.5s |
| max_attempts | Maximum authentication attempts | 10 |
| check_cves | Check for version-specific CVEs | true |
Best Practices
- Use `ssh-audit` for comprehensive algorithm analysis — `ssh-audit` provides color-coded output showing which algorithms are safe, deprecated, or broken. It's more thorough than manual Nmap scripts and includes version-specific CVE checks. Run it as the first step of any SSH assessment.
- Test root login separately from regular user login — Many servers allow password authentication for regular users but disable it for root. Test both `root` and a known regular username to get the complete picture. `PermitRootLogin` settings affect only the root account.
- Check for SSH agent forwarding abuse on compromised hosts — If a user connects to a compromised host with agent forwarding enabled (`-A`), the attacker can use their SSH agent to connect to other hosts. Check for `SSH_AUTH_SOCK` environment variables on compromised systems.
- Verify key-based auth keys are not compromised or default — Check `~/.ssh/authorized_keys` on target systems for keys that shouldn't be there. Compare key fingerprints against known compromised keys (Debian weak keys from 2008). Unauthorized keys in `authorized_keys` indicate a backdoor.
- Document SSH tunneling capabilities for the report — If SSH access is obtained, demonstrate the impact by establishing tunnels to internal networks. This shows the client that SSH compromise extends beyond the single server to the entire internal network.
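The `authorized_keys` review above is easy to do by hand for one host and tedious for fifty. The following is an added example, not part of the original skill, that parses `authorized_keys` lines (including quoted `command="..."` options), computes the same `SHA256:` fingerprint `ssh-keygen -lf` prints, reads the key size out of the wire-format blob, and flags keys that match a list of known-compromised fingerprints, use `ssh-dss` or short RSA, or carry no `from=`/`command=`/`restrict` option. The sample file and the "compromised" list are constructed inline from placeholder key material (the RSA modulus is a fixed-width placeholder, not a real key), so the block runs offline; only the parsing and fingerprinting logic is meant to be reused.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Optional, Set, Tuple

KEY_TYPES = (
    'ssh-rsa', 'ssh-dss', 'ssh-ed25519',
    'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521',
    'sk-ssh-ed25519@openssh.com', 'sk-ecdsa-sha2-nistp256@openssh.com',
)


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 length + bytes, RFC 4251)."""
    return struct.pack('>I', len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH 'mpint' (RFC 4251)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    if raw[0] & 0x80:
        raw = b'\x00' + raw  # keep the two's-complement sign bit clear
    return _ssh_string(raw)


def make_rsa_line(bits: int, comment: str, options: str = '') -> str:
    """Constructed test data: a syntactically valid ssh-rsa line whose modulus is
    a placeholder of exactly `bits` bits, not a real RSA key."""
    blob = _ssh_string(b'ssh-rsa') + _ssh_mpint(65537) + _ssh_mpint((1 << (bits - 1)) | 1)
    prefix = options + ' ' if options else ''
    return f'{prefix}ssh-rsa {base64.b64encode(blob).decode()} {comment}'


def make_ed25519_line(seed: int, comment: str, options: str = '') -> str:
    """Constructed test data: a syntactically valid ssh-ed25519 line (not a real key)."""
    blob = _ssh_string(b'ssh-ed25519') + _ssh_string(seed.to_bytes(32, 'big'))
    prefix = options + ' ' if options else ''
    return f'{prefix}ssh-ed25519 {base64.b64encode(blob).decode()} {comment}'


def _split_options(line: str) -> Tuple[str, str]:
    """Split off the optional leading options field. It ends at the first
    whitespace outside double quotes, since command="..." may contain spaces."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return '', line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != '\\'):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ''


def _key_bits(key_type: str, blob: bytes) -> int:
    """Key size read from the wire-format public key blob."""
    fields, off = [], 0
    while off + 4 <= len(blob):
        (n,) = struct.unpack('>I', blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if key_type == 'ssh-rsa':       # string "ssh-rsa", mpint e, mpint n
        return int.from_bytes(fields[2], 'big').bit_length()
    if key_type == 'ssh-dss':       # string "ssh-dss", mpint p, q, g, y
        return int.from_bytes(fields[1], 'big').bit_length()
    if 'nistp' in key_type:
        return int(key_type.rsplit('nistp', 1)[1].split('@')[0])
    if 'ed25519' in key_type:
        return 256
    return 0


def parse_authorized_key(line: str) -> Optional[Dict[str, object]]:
    """Parse one authorized_keys line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    options, rest = _split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    key_type, blob = parts[0], base64.b64decode(parts[1])
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip('=')
    return {
        'type': key_type,
        'bits': _key_bits(key_type, blob),
        'fingerprint': 'SHA256:' + digest,  # same form as `ssh-keygen -lf`
        'options': options,
        'comment': parts[2] if len(parts) == 3 else '',
    }


def audit_authorized_keys(text: str, known_compromised: Set[str]) -> List[Dict[str, str]]:
    """Flag compromised, weak and unrestricted keys in an authorized_keys file."""
    findings: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        key = parse_authorized_key(raw)
        if key is None:
            continue
        where = f"line {lineno} ({key['comment'] or 'no comment'})"
        if key['fingerprint'] in known_compromised:
            findings.append({'severity': 'CRITICAL', 'check': 'Known compromised key',
                             'detail': f"{where}: {key['fingerprint']}"})
        if key['type'] == 'ssh-dss':
            findings.append({'severity': 'HIGH', 'check': 'Weak key type',
                             'detail': f"{where}: ssh-dss"})
        if key['type'] == 'ssh-rsa' and key['bits'] < 2048:
            findings.append({'severity': 'HIGH', 'check': 'Weak RSA key',
                             'detail': f"{where}: {key['bits']}-bit RSA"})
        if not any(opt in key['options'] for opt in ('from=', 'command=', 'restrict')):
            findings.append({'severity': 'LOW', 'check': 'Unrestricted key',
                             'detail': f"{where}: no from=/command=/restrict option"})
    return findings


# Constructed sample. The 4096-bit placeholder blob is reused on purpose, so the
# last entry matches a "known compromised" fingerprint despite a different comment.
STOLEN_KEY = make_rsa_line(4096, 'ci-runner@build01')
KNOWN_COMPROMISED = {parse_authorized_key(STOLEN_KEY)['fingerprint']}
SAMPLE_AUTHORIZED_KEYS = '\n'.join([
    '# deploy keys',
    make_ed25519_line(7, 'alice@workstation', options='restrict,pty'),
    make_rsa_line(1024, 'legacy-backup',
                  options='command="/usr/bin/backup --full",no-port-forwarding'),
    make_rsa_line(4096, 'unknown'),
])


def audit_sample() -> List[Dict[str, str]]:
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_COMPROMISED)


if __name__ == '__main__':
    for f in audit_sample():
        print(f"[{f['severity']}] {f['check']}: {f['detail']}")
```

Because the fingerprint is computed over the key blob alone, a stolen key re-added under a new comment or with different options still matches the compromised list; that is the property the check relies on.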
Common Issues
SSH server uses non-standard port — Scan with `nmap -p- --min-rate 5000` to find SSH on non-standard ports. SSH on port 2222, 22222, or other ports is common. Banner grabbing on discovered ports helps identify SSH services: `nmap -sV -p PORT target`.
Paramiko connection fails with algorithm negotiation error — Paramiko may not support all algorithms offered by the server. Update paramiko to the latest version. For very old servers, you may need to explicitly enable legacy algorithms: `transport.get_security_options().ciphers = ('aes128-cbc',)`.
Brute force attempts trigger account lockout or IP ban — SSH servers may use fail2ban or similar tools to ban IPs after failed attempts. Use slow, targeted credential testing with delays. Coordinate with the client to whitelist your testing IP if comprehensive credential testing is in scope.
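For confirming which of the discovered ports are really SSH, the identification string is the reliable signal, and it is worth parsing it properly rather than substring-matching: RFC 4253 lets a server send arbitrary text lines before the `SSH-` line, and a `1.99` protocol version means a protocol 2 server that still accepts protocol 1. The block below is an added example, not code from the original skill; `probe_ports` does the live banner grab, while `SAMPLE_RESPONSES` is constructed data standing in for what three ports might return so the parsing can be exercised offline.

```python
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_IDENT_RE = re.compile(r'^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$')


@dataclass
class SshIdent:
    proto: str
    software: str
    comments: str

    @property
    def accepts_protocol_1(self) -> bool:
        """SSH-1.x is protocol 1 only; SSH-1.99 is protocol 2 with 1 still accepted."""
        return self.proto.startswith('1.')

    @property
    def openssh_version(self) -> Optional[str]:
        """The version suffix of an OpenSSH software string, e.g. '8.9p1'."""
        m = re.match(r'OpenSSH_(\S+)', self.software)
        return m.group(1) if m else None


def parse_identification(data: bytes) -> Optional[SshIdent]:
    """Locate the identification line in bytes read from a port. A server may
    send other text lines before it (RFC 4253 permits this), so every line is tried."""
    for raw in data.split(b'\n'):
        line = raw.rstrip(b'\r').decode('utf-8', errors='replace')
        m = _IDENT_RE.match(line)
        if m:
            return SshIdent(m['proto'], m['software'], m['comments'] or '')
    return None


def probe_ports(host: str, ports: List[int], timeout: float = 3.0) -> Dict[int, SshIdent]:
    """Connect to each port, read what the service sends first, keep the SSH ones.
    Ports that refuse, time out, or speak something else are skipped."""
    found: Dict[int, SshIdent] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.settimeout(timeout)
                data = sock.recv(1024)
        except OSError:
            continue
        ident = parse_identification(data)
        if ident is not None:
            found[port] = ident
    return found


# Constructed sample responses, as a scan of three ports might capture them.
SAMPLE_RESPONSES: Dict[int, bytes] = {
    22: b'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n',
    2222: b'Authorized access only.\r\nSSH-1.99-OpenSSH_3.9p1\r\n',
    25: b'220 mail.example.test ESMTP\r\n',
}


def classify_samples() -> Dict[int, Dict[str, object]]:
    """Run the parser over SAMPLE_RESPONSES and summarise the SSH ports found."""
    result: Dict[int, Dict[str, object]] = {}
    for port, data in SAMPLE_RESPONSES.items():
        ident = parse_identification(data)
        if ident is not None:
            result[port] = {
                'software': ident.software,
                'openssh': ident.openssh_version,
                'protocol_1': ident.accepts_protocol_1,
            }
    return result


if __name__ == '__main__':
    for port, info in classify_samples().items():
        print(f"{port}: {info}")
```

On a live host, `probe_ports(host, [22, 2222, 22222])` replaces the sample dictionary; the parser is the same in both paths.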