22 - Pentesting SSH/SFTP

Basic Information

SSH or Secure Shell or Secure Socket Shell, is a network protocol that gives users a secure way to access a computer over an unsecured network.

Default port: 22

22/tcp open ssh syn-ack


nc -vn <IP> 22

Automated ssh-audit

ssh-audit is a tool for ssh server & client configuration auditing. is an updated fork from


  • SSH1 and SSH2 protocol server support;

  • analyze SSH client configuration;

  • grab banner, recognize device or software and operating system, detect compression;

  • gather key-exchange, host-key, encryption and message authentication code algorithms;

  • output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);

  • output algorithm recommendations (append or remove based on recognized software version);

  • output security information (related issues, assigned CVE list, etc);

  • analyze SSH version compatibility based on algorithm information;

  • historical information from OpenSSH, Dropbear SSH and libssh;

  • runs on Linux and Windows;

  • no dependencies

usage: [-1246pbcnjvlt] <host>
-1, --ssh1 force ssh version 1 only
-2, --ssh2 force ssh version 2 only
-4, --ipv4 enable IPv4 (order of precedence)
-6, --ipv6 enable IPv6 (order of precedence)
-p, --port=<port> port to connect
-b, --batch batch output
-c, --client-audit starts a server on port 2222 to audit client
software config (use -p to change port;
use -t to change timeout)
-n, --no-colors disable colors
-j, --json JSON output
-v, --verbose verbose output
-l, --level=<level> minimum output level (info|warn|fail)
-t, --timeout=<secs> timeout (in seconds) for connection and reading
(default: 5)
$ python3 ssh-audit <IP>

See it in action (Asciinema)

Public SSH key of server

ssh-keyscan -t rsa <IP> -p <PORT>

Weak Cipher Algorithms

This is discovered by default by nmap. But you can also use sslcan or sslyze.


  • ssh

Brute force usernames, passwords and private keys

Username Enumeration

In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:

msf> use scanner/ssh/ssh_enumusers

Some common ssh credentials here and here and below.

Private/Public Keys BF

If you know some ssh private key that could be used... lets try it. You can use the nmap script:

Or the MSF auxiliary module:

msf> use scanner/ssh/ssh_identify_pubkeys

Known badkeys can be found here:

You should look here in order to search for valid keys for the victim machine.


crackmapexec using the ssh protocol can use the option --kerberos to authenticate via kerberos. For more info run crackmapexec ssh --help.

Default Credentials





apc, device




admin123, password, brocade, fibranne


admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin

admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme


root, nsroot, nsmaint, vdiadmin, kvm, cli, admin

C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler


admin, user

private, admin, user


root, user1, admin, vkernel, cli

calvin, 123456, password, vkernel, Stor@ge!, admin


admin, root, sysadmin

EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc


admin, root, vcx, app, spvar, manage, hpsupport, opc_op

admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin


admin, root

123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123


USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer

PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer








root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user

changeme, ilom-admin, ilom-operator, welcome1, oracle


vi-admin, root, hqadmin, vmware, admin

vmware, vmw@re, hqadmin, default

Config files


Hardening SSH

You can find interesting guides on how to harden SSH in


You can configure SSH to behave as a SFTP server. So, some users will connect to SFTP service (in port 22) instead of to the SSH service.

You can even set a chroot to the SFTP users. A configuration example of SFTP users inside the file /etc/ssh/sshd_config can be seen in the following images.

All the ots-* users will be jailed inside a chroot.

SFTP Tunneling

If you have access to a SFTP server you can also tunnel your traffic through this for example using the common port forwarding:

sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>

The sftp have the command "symlink". Therefor, if you have writable rights in some folder, you can create symlinks of other folders/files. As you are probably trapped inside a chroot this won't be specially useful for you, but, if you can access the created symlink from a no-chroot service (for example, if you can access the symlink from the web), you could open the symlinked files through the web.

For example, to create a symlink from a new file "froot" to "/":

sftp> symlink / froot

If you can access the file "froot" via web, you will be able to list the root ("/") folder of the system.