SSH Cheat Sheet

SSH has several features that are useful during pentesting and auditing.  This page aims to remind us of the syntax for the most useful features. NB: This page does not attempt to replace the man page for pentesters, only to supplement it with some pertinent examples. SOCKS Proxy Set up a SOCKS proxy on that lets […]

Metasploit Release Database of Weak SSH Keys for Debian OpenSSL Vuln

The metasploit guys have released a database of all 1024-bit DSA and 2048-bit RSA SSH public/private keypairs that could have been generated by x86 Debian/Ubuntu hosts vulnerable to the OpenSSL Predictable Random Number Generator flaw. This opens up the possibility of two practical attacks against weak SSH keys during pentests: If you can read a […]

Tool for Cracking Passphrases on Encrypted SSH Keys

Phrasen|drescher is a tool for those pentests when you’re having trouble owning those last few *nix boxes. It was released in 2007 but I hadn’t had cause to try it out until recently. If you’ve already gained access to a few *nix boxes, but can’t get into the rest, you’ll naturally start trying to enumerate […]

Using SSH Without A TTY

I recently received a mail asking how to get SSH to work from within a reverse shell (see php-reverse-shell, php-findsock-shell and perl-reverse-shell). I thought I’d write a brief description of the problems I’ve seen and how to work round them. I’d be very interested if anyone has any better solutions. Drop me a […]

Stealing Usernames and Passwords from SSHD

I just read a really cool blog post by Sebastian Krahmer. He discusses a post-exploitation technique to snoop on incoming SSH sessions – including the username and password used to authenticate.