⭐ Premium Path · Protocol Exploitation

SSH Exploitation Mastery

Two modules. Banner grabbing to pivoting through internal networks. SSH is not just a shell — it's a tunneling platform. Learn both sides.

2 Modules
5 Machines
Premium

The SSH Attack Methodology

From service fingerprinting to pivoting through restricted networks.

Phase 1 — Fingerprint

Banner, version, and auth methods tell you the entire attack surface before touching a password.

nmap -sV -p 22 TARGET
nmap --script ssh-auth-methods \
  TARGET -p 22

Phase 2 — Credential Correlation

Brute-force is a last resort. Check SNMP, SMB, FTP, and LDAP first — credentials almost always come from another service.

# Only after exhausting other services:
hydra -l USER -P rockyou.txt \
  ssh://TARGET -t 4

Phase 3 — Local Port Forward

Expose internal services through your attacker machine. One command — no proxy needed.

ssh -L LOCAL_PORT:INTERNAL:PORT \
  USER@PIVOT -N

Phase 4 — Dynamic Proxy / VPN

A SOCKS proxy lets you scan the entire internal network. sshuttle gives transparent VPN-like routing without root on the pivot host.

ssh -D 1080 USER@PIVOT -N
proxychains nmap INTERNAL_IP

sshuttle -r USER@PIVOT \
  INTERNAL_SUBNET/24
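The hydra run in Phase 2 leaves a very recognisable trail in sshd's auth log: a burst of "Failed password" lines from one source, sometimes followed by an "Accepted" line for the same source. The detector below is an added example from the defender's side and is not part of this course; it runs over constructed syslog-style sshd lines (RFC 5737 documentation addresses, made-up PIDs and fingerprint), counts failures per source inside a sliding window, and raises a second, higher-severity alert when a success follows a qualifying burst. The threshold and window are assumed tuning values, not numbers from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt (not captured from any real host).
SAMPLE_LOG = """\
Jan 12 10:00:01 jump sshd[2011]: Invalid user admin from 203.0.113.7 port 51234
Jan 12 10:00:01 jump sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 10:00:02 jump sshd[2013]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 12 10:00:02 jump sshd[2014]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan 12 10:00:03 jump sshd[2015]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 10:00:03 jump sshd[2016]: Failed password for root from 203.0.113.7 port 51242 ssh2
Jan 12 10:00:04 jump sshd[2017]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan 12 10:00:09 jump sshd[2031]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Jan 12 10:00:30 jump sshd[2040]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2: ED25519 SHA256:constructedFingerprint
Jan 12 10:05:00 jump sshd[2051]: Failed password for bob from 192.0.2.9 port 42000 ssh2
Jan 12 10:06:00 jump sshd[2052]: Accepted password for bob from 192.0.2.9 port 42002 ssh2
"""

# Matches the authentication outcome lines; "Invalid user ..." lines are
# deliberately ignored because the matching "Failed password" line follows them.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def detect_brute_force(log_text, threshold=5, window_s=60):
    """Return alerts as (kind, source, user) tuples.

    "brute_force": a source reached `threshold` failures within `window_s` seconds
    (reported once per source).
    "brute_force_success": an Accepted line arrived while that many failures were
    still inside the window, i.e. the guessing worked.
    Timestamps lack a year in classic syslog format; only deltas are used.
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        src = m["src"]
        recent = failures[src]
        while recent and (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()         # slide the window forward
        if m["outcome"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(("brute_force", src, None))
        elif len(recent) >= threshold:
            alerts.append(("brute_force_success", src, m["user"]))
    return alerts


if __name__ == "__main__":
    for kind, src, user in detect_brute_force(SAMPLE_LOG):
        print(f"{kind:22} {src:16} {user or ''}")
```

The single failure from 192.0.2.9 before a successful login is a normal typo and stays below the threshold; only the burst from 203.0.113.7 fires, and its later "Accepted password for root" is what should page someone. hydra's `-t 4` spreads attempts across connections, which is why the detector keys on the source address rather than on the PID.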

The Two Modules

Module 1 covers access techniques. Module 2 covers pivoting once you're in.

Module 1 · 🔐

SSH — Enumeration & Credential Attacks

SSH banners reveal OS and server version. Auth-method probing tells you what's enabled — password, publickey, keyboard-interactive. Brute-force with hydra is a last resort; credential correlation from other services is the exam-winning move.

  • nmap -sV -p 22 TARGET (version + banner: OpenSSH, Dropbear, etc.)
  • nmap --script ssh-auth-methods TARGET (what auth methods are offered)
  • nmap --script ssh-hostkey TARGET (retrieve host key fingerprint)
  • Manual banner: nc -nv TARGET 22 / ssh -v TARGET (read SSH_MSG_KEXINIT)
  • SSH user enumeration: CVE-2018-15473 (OpenSSH < 7.7) — ssh-username-enum script
  • Hydra brute-force: hydra -l USER -P rockyou.txt ssh://TARGET -t 4
  • Medusa: medusa -h TARGET -u USER -P wordlist.txt -M ssh
  • Key file identification: find / -name id_rsa -o -name '*.pem' 2>/dev/null (quote the glob so the shell does not expand it first)
  • SSH agent forwarding risks: who else is logged in via w / who / last
Tools: nmap, ssh, hydra, medusa, nc
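What `nc -nv TARGET 22` prints is the server identification string from RFC 4253 section 4.2, and nmap's version column is just a parsed view of it. The parser below is an added example for this module, not course material, written for a defender inventorying their own fleet: it handles the optional pre-banner lines the RFC allows, splits product from version, and flags OpenSSH below 7.7 as the population this page names for CVE-2018-15473. The banners are constructed, and the version check is a triage hint only, since distributions backport fixes without changing the upstream version string.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample identification strings (not captured from any real host).
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    b"SSH-2.0-dropbear_2020.81\r\n",
    # RFC 4253 4.2 lets a server send other lines before its identification string
    b"Welcome to the lab jump host\r\nSSH-2.0-OpenSSH_7.7\r\n",
    b"SSH-1.99-Cisco-1.25\r\n",
]

# <product><separator><numeric version>, e.g. OpenSSH_7.4p1 -> ("OpenSSH", "7.4")
_SOFTWARE_RE = re.compile(r"^([A-Za-z]+)[_-]?(\d+(?:\.\d+)*)")


@dataclass
class SshBanner:
    proto: str                 # protocol version, e.g. "2.0" or "1.99"
    software: str              # raw softwareversion token, e.g. "OpenSSH_7.4p1"
    comment: Optional[str]     # optional comments field, e.g. "Debian-10+deb9u7"
    product: str               # "OpenSSH", "dropbear", ...
    version: Tuple[int, ...]   # numeric part as a comparable tuple, e.g. (7, 4)


def parse_banner(raw: bytes) -> SshBanner:
    """Parse the bytes a server sends right after the TCP handshake.

    Format (RFC 4253 4.2): SSH-protoversion-softwareversion SP comments CR LF.
    Lines that do not start with "SSH-" are pre-banner text and are skipped.
    """
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        proto, sep, rest = line[4:].partition(b"-")
        if not sep:
            raise ValueError(f"malformed identification string: {line!r}")
        software, _, comment = rest.decode("ascii", errors="replace").partition(" ")
        m = _SOFTWARE_RE.match(software)
        product = m.group(1) if m else software
        version = tuple(int(p) for p in m.group(2).split(".")) if m else ()
        return SshBanner(proto.decode("ascii"), software, comment or None, product, version)
    raise ValueError("no SSH identification string found")


def username_enum_exposed(banner: SshBanner) -> bool:
    """True for OpenSSH below 7.7, the range this page names for CVE-2018-15473.

    Triage hint only: distributions backport fixes without bumping the upstream
    version, so confirm against the package changelog before acting on it.
    """
    return banner.product.lower() == "openssh" and banner.version < (7, 7)


def triage(banners):
    """Inventory view: one (software, exposed?) row per captured banner."""
    return [(b.software, username_enum_exposed(b)) for b in map(parse_banner, banners)]


if __name__ == "__main__":
    for software, exposed in triage(SAMPLE_BANNERS):
        print(f"{software:30} username-enum exposed: {exposed}")
```

The version tuple is what makes the comparison safe: comparing "7.10" and "7.9" as strings gets the order wrong, while `(7, 10) > (7, 9)` does not.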
Premium Content

Hands-on assignments for this module are available to Premium members.

Module 2 · 🔭

SSH — Tunneling & Port Forwarding

SSH is not just a remote shell — it's a full tunneling platform. Local forwards expose internal services through the attacker's machine. Dynamic (SOCKS) forwards turn SSH into a network proxy. Remote forwards push attacker listeners into restricted networks.

  • Local port forward: ssh -L 8080:INTERNAL_HOST:80 USER@PIVOT (browse internal HTTP from localhost)
  • Remote port forward: ssh -R 4444:localhost:4444 USER@PIVOT (push reverse shell listener in)
  • Dynamic SOCKS proxy: ssh -D 1080 USER@PIVOT + proxychains nmap (scan internal net)
  • ProxyJump one-liner: ssh -J USER@PIVOT USER@INTERNAL_HOST
  • SSH config file shortcuts: Host pivot + ProxyJump stacking for multi-hop
  • sshuttle: sshuttle -r USER@PIVOT NETWORK/CIDR (VPN-like tunnel, no root required on the pivot)
  • chisel TCP tunneling (when SSH is not available): ./chisel server + ./chisel client
  • Identifying internal services: curl http://127.0.0.1:PORT after forward is established
Tools: ssh, proxychains, sshuttle, chisel
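Every forward in this module (-L, -R, -D, ProxyJump, sshuttle's tunnel) is gated by a handful of sshd_config directives on the pivot, so the defensive question is simply which of them still permit it. The checker below is an added example, not course material: it parses sshd_config the way sshd does (case-insensitive keywords, first value wins, Match blocks overlay the global settings for matching connections), fills in the sshd_config(5) defaults for AllowTcpForwarding, GatewayPorts, PermitTunnel, AllowAgentForwarding and PermitOpen, and lists every scope where some form of tunnelling remains possible. Both configs are constructed, and the directive set is my choice of what to audit, not a list from the page.

```python
import re

# sshd_config directives that govern tunnelling, with the sshd_config(5) default
# and the value(s) that switch the capability off.
TUNNEL_DIRECTIVES = {
    "allowtcpforwarding":   ("yes", {"no"}),    # yes|no|local|remote|all
    "gatewayports":         ("no",  {"no"}),    # lets -R listeners bind non-loopback addresses
    "permittunnel":         ("no",  {"no"}),    # tun(4) layer-2/3 tunnels (-w)
    "allowagentforwarding": ("yes", {"no"}),
    "permitopen":           ("any", {"none"}),  # destinations -L may reach
}

# Constructed examples (not from the course page).
WEAK_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
# AllowTcpForwarding is not set, so it keeps its default of yes
GatewayPorts yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
Match Group ops
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:443
"""


def parse_sshd_config(text):
    """Return {scope: {directive: value}}; scope is "global" or "Match <criteria>".

    Mirrors sshd's rules: keywords are case-insensitive, "keyword value" and
    "keyword=value" are both accepted, lines starting with '#' are comments,
    and for each keyword the first value obtained wins.
    """
    scopes = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            current = f"Match {value}"
            scopes.setdefault(current, {})
            continue
        scopes[current].setdefault(key, value)   # first occurrence wins
    return scopes


def effective_settings(scopes):
    """Resolve the tunnelling directives per scope: defaults fill the global
    block, and each Match block overlays its own settings on the global result."""
    global_eff = {k: scopes["global"].get(k, default)
                  for k, (default, _) in TUNNEL_DIRECTIVES.items()}
    effective = {"global": global_eff}
    for scope, directives in scopes.items():
        if scope != "global":
            effective[scope] = {k: directives.get(k, global_eff[k]) for k in TUNNEL_DIRECTIVES}
    return effective


def forwarding_findings(text):
    """List (scope, directive, value) for every setting that still allows some
    form of tunnelling, so a reviewer sees exactly where -L/-R/-D/-w would work."""
    findings = []
    for scope, settings in effective_settings(parse_sshd_config(text)).items():
        for key, (_, off_values) in TUNNEL_DIRECTIVES.items():
            if key == "permitopen" and settings["allowtcpforwarding"].lower() == "no":
                continue  # PermitOpen is moot once TCP forwarding is disabled
            if settings[key].lower() not in off_values:
                findings.append((scope, key, settings[key]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for scope, key, value in forwarding_findings(cfg):
            print(f"  [{scope}] {key} = {value}")
```

The weak config looks locked down at a glance (root login off) yet reports four findings, three of them defaults it never mentions. The hardened config reports only the deliberate exception for the ops group, which is the shape you want an audit to produce: nothing global, and each remaining forward attributable to a Match block someone wrote on purpose.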
Premium Content

Hands-on assignments for this module are available to Premium members.
