ssh-pentesting

Best for Penetration testersWorks with GitHubHigh risk

#ssh #sftp #22端口 #密钥认证 #隧道 #端口转发 #openssh

⌘source

author: @wgpsec
repo: wgpsec/AboutSecurity
language: Python

✦overview.md

Key Features

·Identifies SSH service and version on port 22
·Enumerates authentication methods and usernames
·Performs credential attacks (password/key brute force)
·Establishes SSH tunnels and port forwarding
·Steals and reuses SSH keys for lateral movement
·Exploits known SSH vulnerabilities

Use Cases

→Testing SSH authentication strength on a discovered open port 22
→Enumerating SSH users on a target system for credential attacks
→Establishing a tunnel through SSH for internal network access
→Stealing SSH keys from a compromised host to move laterally

Best for

✓Penetration testers
✓Red team engagements
✓Security assessments

Not ideal for

!General system administration
!Non-security-focused automation
!Production environment monitoring

FAQs

skills/exploit/network-service/ssh-pentesting/SKILL.md

name

ssh-pentesting

description

SSH 服务（22 端口）渗透测试方法论。涵盖 SSH 服务发现与版本识别、认证方式枚举、用户名枚举（CVE-2018-15473）、凭据爆破（密码/密钥）、SSH 隧道与端口转发、已知漏洞利用、SSH 密钥窃取与复用。当 Agent 扫描发现 22 端口开放、需要测试 SSH 认证强度、枚举 SSH 用户、或通过 SSH 建立隧道进行横向移动时，触发此 Skill。

metadata:{"tags":["ssh","sftp","22端口","密钥认证","隧道","端口转发","openssh"],"category":"exploit/network-service"}

SSH 渗透测试方法论 (22)

相关 skill: 凭据爆破 -> cred-spray; 横向移动 -> lateral-movement; AD 域攻击 -> ad-domain-attack

深入参考

SSH 枚举、爆破、隧道、密钥利用、漏洞详细命令 -> 读 references/ssh-techniques.md

整体决策树

发现 22 端口开放
├─ Phase 1: 服务发现与版本识别
│   ├─ Banner 抓取 -> 确定 SSH 实现 (OpenSSH / Dropbear / libssh / Erlang)
│   ├─ 版本号 -> 对照已知漏洞 (Phase 7)
│   └─ 算法审计 (ssh-audit) -> 标记弱密码套件
├─ Phase 2: 认证方式枚举
│   ├─ 支持 publickey + password -> 可尝试密码爆破 (Phase 4)
│   ├─ 仅 publickey -> 搜索泄露密钥 / 弱密钥 (Phase 4)
│   ├─ keyboard-interactive -> 可能存在 2FA / PAM
│   └─ gssapi-with-mic -> Kerberos SSO 环境
├─ Phase 3: 用户名枚举
│   ├─ OpenSSH < 7.7 -> CVE-2018-15473 时序枚举
│   └─ 已知用户名 -> 进入 Phase 4
├─ Phase 4: 凭据攻击
│   ├─ 密码爆破 (hydra / medusa / ncrack)
│   ├─ 私钥爆破 (已知密钥集 / Debian 弱 PRNG 密钥)
│   └─ 默认凭据 (设备厂商默认 SSH 密码)
├─ Phase 5: SSH 隧道与端口转发
│   ├─ 本地转发 (-L) -> 访问内网服务
│   ├─ 远程转发 (-R) -> 反向代理到攻击机
│   ├─ 动态转发 (-D) -> SOCKS 代理
│   └─ SFTP 隧道 -> 受限环境下数据传输
├─ Phase 6: 密钥窃取与复用
│   ├─ 目标主机 -> 搜集 id_rsa / id_ed25519 / authorized_keys
│   ├─ SSH-Snake -> 自动化密钥发现与横向移动
│   └─ ssh-agent 劫持 -> 复用内存中的密钥
└─ Phase 7: 已知漏洞
    ├─ CVE-2024-6387 (regreSSHion) — OpenSSH 8.5p1-9.7p1 pre-auth RCE

...

$install

1-click copy

npx skills add wgpsec/AboutSecurity --skill ssh-pentesting

Safety assessment

★

Clarity score

How clear and easy to understand the SKILL.md instructions are, rated from 1 to 5.

5/ 5

excellent

Very clear and well structured, with almost no room for misunderstanding.

◎

Actionability score

How directly an agent can act on the SKILL.md instructions, rated from 1 to 5.

5/ 5

very high

Highly actionable with clear, concrete steps that an agent can follow directly.

~community cookbook

~you might also like

view all →

healthcheck

★971

security#security

[✓]from @Bitterbot-AI

[✓]

Host security hardening and risk-tolerance configuration for Bitterbot deployments.

April 22, 2026

◧ Compare

1password

★971

devops#cli

[✓]from @Bitterbot-AI

[✓]

Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single...

April 22, 2026

◧ Compare

vnc-pentesting

★1.2k

security#vnc

[✓]from @wgpsec

[✓]

Practical workflow pattern for agent-based automation tasks.

⚠ danger

April 22, 2026

◧ Compare

mysql-pentesting

★1.2k

security#mysql

[✓]from @wgpsec

[✓]

Practical workflow pattern for agent-based automation tasks.

⚠ danger

April 22, 2026

◧ Compare

voip-pentesting

★1.2k

security#voip

[✓]from @wgpsec

[✓]

Practical workflow pattern for agent-based automation tasks.

⚠ danger

April 22, 2026

◧ Compare

winrm-pentesting

★1.2k

security#winrm

[✓]from @wgpsec

[✓]

Practical workflow pattern for agent-based automation tasks.

⚠ danger

April 22, 2026

◧ Compare

SSH 渗透测试方法论 (22)

相关 skill: 凭据爆破 -> cred-spray; 横向移动 -> lateral-movement; AD 域攻击 -> ad-domain-attack

深入参考

SSH 枚举、爆破、隧道、密钥利用、漏洞详细命令 -> 读 references/ssh-techniques.md

整体决策树

发现 22 端口开放 ├─ Phase 1: 服务发现与版本识别 │ ├─ Banner 抓取 -> 确定 SSH 实现 (OpenSSH / Dropbear / libssh / Erlang) │ ├─ 版本号 -> 对照已知漏洞 (Phase 7) │ └─ 算法审计 (ssh-audit) -> 标记弱密码套件 ├─ Phase 2: 认证方式枚举 │ ├─ 支持 publickey + password -> 可尝试密码爆破 (Phase 4) │ ├─ 仅 publickey -> 搜索泄露密钥 / 弱密钥 (Phase 4) │ ├─ keyboard-interactive -> 可能存在 2FA / PAM │ └─ gssapi-with-mic -> Kerberos SSO 环境 ├─ Phase 3: 用户名枚举 │ ├─ OpenSSH < 7.7 -> CVE-2018-15473 时序枚举 │ └─ 已知用户名 -> 进入 Phase 4 ├─ Phase 4: 凭据攻击 │ ├─ 密码爆破 (hydra / medusa / ncrack) │ ├─ 私钥爆破 (已知密钥集 / Debian 弱 PRNG 密钥) │ └─ 默认凭据 (设备厂商默认 SSH 密码) ├─ Phase 5: SSH 隧道与端口转发 │ ├─ 本地转发 (-L) -> 访问内网服务 │ ├─ 远程转发 (-R) -> 反向代理到攻击机 │ ├─ 动态转发 (-D) -> SOCKS 代理 │ └─ SFTP 隧道 -> 受限环境下数据传输 ├─ Phase 6: 密钥窃取与复用 │ ├─ 目标主机 -> 搜集 id_rsa / id_ed25519 / authorized_keys │ ├─ SSH-Snake -> 自动化密钥发现与横向移动 │ └─ ssh-agent 劫持 -> 复用内存中的密钥 └─ Phase 7: 已知漏洞 ├─ CVE-2024-6387 (regreSSHion) — OpenSSH 8.5p1-9.7p1 pre-auth RCE

ssh-pentesting

Key Features

Use Cases

Best for

Not ideal for

FAQs

What does this skill do?

When should I use this skill?

What are the prerequisites?

Does this exploit vulnerabilities?

SSH 渗透测试方法论 (22)

深入参考

整体决策树

Safety assessment

Clarity score

Actionability score

~community cookbook

~you might also like

healthcheck

1password

vnc-pentesting

mysql-pentesting

voip-pentesting

winrm-pentesting

AI Skill Finder

ssh-pentesting

Key Features

Use Cases

Best for

Not ideal for

FAQs

What does this skill do?

When should I use this skill?

What are the prerequisites?

Does this exploit vulnerabilities?

SSH 渗透测试方法论 (22)

深入参考

整体决策树

Safety assessment

Clarity score

Actionability score

~community cookbook

~you might also like

healthcheck

1password

vnc-pentesting

mysql-pentesting

voip-pentesting

winrm-pentesting