SSH (22)
enumerationports
Summary
SSH itself rarely has a direct exploit on OSCP — it's a place to spray recovered creds and to reconnect with looted private keys. Note the banner for the OS/version.
Walkthrough
SSH (port 22) is mostly a credential target, not an exploit target.
What to do
- Reuse creds — any username/password you found elsewhere, try it here
first.
- Brute force — limited userlists with hydra (
-t 4to avoid lockouts /
throttling). Don't blindly rockyou a whole domain — it's slow and noisy.
- Private keys — if you loot an
id_rsa,chmod 600it and log in. If it's
passphrase-protected, crack it with ssh2john → john.
- Banner — the version string leaks the distro; old OpenSSH may allow
username enumeration.
> If you only get old-algorithm errors, see "Old SSH Algorithms" for the extra > -o flags.
Commands
bash
# Brute force a single user hydra -l <USER> -P /usr/share/wordlists/rockyou.txt ssh://<IP> -t 4 -vV
bash
# Spray a user list hydra -L users.txt -P passwords.txt ssh://<IP> -t 4 -vV
bash
# Login with a recovered private key chmod 600 id_rsa ssh -i id_rsa <USER>@<IP>