← Back to search

SSH (22)

enumerationports

Summary

SSH itself rarely has a direct exploit on OSCP — it's a place to spray recovered creds and to reconnect with looted private keys. Note the banner for the OS/version.

Walkthrough

SSH (port 22) is mostly a credential target, not an exploit target.

What to do

  1. Reuse creds — any username/password you found elsewhere, try it here

first.

  1. Brute force — limited userlists with hydra (-t 4 to avoid lockouts /

throttling). Don't blindly rockyou a whole domain — it's slow and noisy.

  1. Private keys — if you loot an id_rsa, chmod 600 it and log in. If it's

passphrase-protected, crack it with ssh2john → john.

  1. Banner — the version string leaks the distro; old OpenSSH may allow

username enumeration.

> If you only get old-algorithm errors, see "Old SSH Algorithms" for the extra > -o flags.

Commands

bash

# Brute force a single user
hydra -l <USER> -P /usr/share/wordlists/rockyou.txt ssh://<IP> -t 4 -vV

bash

# Spray a user list
hydra -L users.txt -P passwords.txt ssh://<IP> -t 4 -vV

bash

# Login with a recovered private key
chmod 600 id_rsa
ssh -i id_rsa <USER>@<IP>