SSH for Penetration Testing

SSH stands for Secure Shell and works on port 22. As penetration testers we are aware of the uses and power of SSH for remote access to systems. During a penetration test SSH can come in handy as a powerful tool.

This post will explain some of the techniques that can be used during a penetration test.

Local Forwarding using SSH

Sometimes we come across scenarios where we need a service that is reachable from the remote host to be accessible on our local host or local network. Root is required.

ssh -L <local_port>:<target_host>:<target_port> user@<ssh_server>




Remote Forwarding using SSH 

Well, this technique is the complete opposite of the previous one. Remote forwarding using SSH comes to the rescue in those penetration testing scenarios where we need a service on the local machine / local network accessible to the remote host via a listener on the remote side. This might sound odd … why would I want my machine accessible on a remote host, but let's face it, we all need to expose a service that lets us download our penetration testing tools.

For the practical side, here is an example:

The SSH server will be able to access TCP port 80 on the SSH client by connecting to <remote_port> on the SSH server.

ssh -R <remote_port>:localhost:80 user@<ssh_server>




SOCKS Proxy using SSH

Here we set up a SOCKS proxy on <local_port> that lets you pivot through the remote host.

ssh -D <local_port> user@<ssh_server>
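The three forwarding modes above (-L, -R and -D) wrapped in one small script, added here as an example; it is not code from the original post. It assumes an OpenSSH client, and the hosts jump.example and intranet.example in the usage line are placeholders. Beyond the bare commands it sets ExitOnForwardFailure, so a tunnel that cannot be bound fails loudly instead of leaving you with a shell and no forward, and it checks the "root is required" caveat: ports below 1024 need root on the side that binds them (the client for -L and -D, the server for -R).

```shell
#!/bin/sh
# Added example (not the post's own code): wrapper around the -L / -R / -D
# forwarding modes. Assumes an OpenSSH client; host names are placeholders.

# Print the ssh command for one forwarding mode without running it.
#   build_forward_cmd local   LPORT:TARGET_HOST:TPORT user@server
#   build_forward_cmd remote  RPORT:TARGET_HOST:TPORT user@server
#   build_forward_cmd dynamic LPORT                   user@server
# -N: no remote shell, -f: background once the tunnel is up,
# ExitOnForwardFailure=yes: fail instead of silently logging in with no tunnel.
build_forward_cmd() {
    mode=$1; spec=$2; dest=$3
    case $mode in
        local)   flag=-L ;;
        remote)  flag=-R ;;
        dynamic) flag=-D ;;
        *) printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
    esac
    printf 'ssh -N -f -o ExitOnForwardFailure=yes %s %s %s\n' "$flag" "$spec" "$dest"
}

# Validate the spec before ssh sees it: field count, numeric port in range,
# and the privileged-port caveat.
check_forward_spec() {
    mode=$1; spec=$2
    case $mode in
        dynamic) port=$spec ;;
        local|remote)
            ncolon=$(printf '%s' "$spec" | awk -F: '{ print NF - 1 }')
            if [ "$ncolon" -ne 2 ]; then
                printf 'spec must be PORT:HOST:PORT, got %s\n' "$spec" >&2; return 1
            fi
            port=${spec%%:*}
            ;;
        *) printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) printf 'port must be numeric: %s\n' "$port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        printf 'port out of range: %s\n' "$port" >&2; return 1
    fi
    if [ "$port" -lt 1024 ]; then
        if [ "$mode" = remote ]; then
            # -R binds on the server, under the remote user's privileges
            printf 'note: remote port %s is privileged; the server-side user must be root\n' "$port" >&2
        elif [ "$(id -u)" -ne 0 ]; then
            printf 'port %s is privileged; run as root or use a port >= 1024\n' "$port" >&2
            return 1
        fi
    fi
    return 0
}

# After ssh -f returns, confirm the local listener really exists (for -L/-D).
forward_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" { found = 1 } END { exit !found }'
    else
        netstat -an 2>/dev/null | grep -E "[.:]$1[[:space:]].*LISTEN" >/dev/null
    fi
}

# Validate, then run the tunnel. Placeholders: run_forward local 8080:intranet.example:80 user@jump.example
run_forward() {
    check_forward_spec "$1" "$2" || return 1
    cmd=$(build_forward_cmd "$1" "$2" "$3") || return 1
    $cmd
}
```

A -L or -D forward that silently fails to bind is a classic way to lose an hour during an engagement; with ExitOnForwardFailure the ssh invocation returns non-zero and run_forward can be chained with `&&` in larger scripts.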




X11 Forwarding using SSH 

If your SSH client machine is also an X server then you can launch X clients (e.g. Firefox) inside your SSH session and display them on your X server. This works well from Linux X servers and from cygwin's X server on Windows.

ssh -X user@<ssh_server>
ssh -Y user@<ssh_server> # less secure alternative - but faster


# in ~/.ssh/config
ForwardX11 yes
ForwardX11Trusted yes # less secure alternative - but faster



SSH Authorized Keys:

SSH stands for Secure Shell … well, to be secure, it is always advisable to use keys for SSH authentication. This helps to prevent unwanted hosts from taking advantage of the penetration test and keeps the penetration testing secure.

That being said, it is a good practice to add an authorized_keys file that will allow you to log in using an SSH key.

authorized_keys file: This file is present in the user's home directory (~/.ssh/authorized_keys) on the SSH server. It holds the public keys of the users allowed to log in to that user account on the SSH server.

The first step is to generate a public/private key pair.

ssh-keygen -f mysshkey
cat mysshkey.pub # copy this to authorized_keys on the server

To connect to the remote host using the authorized key:

ssh -i mysshkey user@<ssh_server>
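Key generation plus an authorized_keys installer, added here as an example (not the post's own code) of what the three steps above look like when done carefully. It assumes OpenSSH (ssh-keygen, and 7.2 or later for the `restrict` option); the sample public key is a constructed placeholder, not real key material. Two details matter in practice: sshd's default StrictModes rejects keys when ~/.ssh or authorized_keys is writable by group or others, so the modes are forced to 700/600, and the optional options string (for example `restrict,from="10.0.0.0/8"`) limits what a key can do if it leaks during the engagement.

```shell
#!/bin/sh
# Added example (not the post's own code). Assumes OpenSSH; SAMPLE_PUBKEY is a
# constructed placeholder and not a valid key.

SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLEexampleEXAMPLEexample pentester@lab'

# Generate an ed25519 key pair at PATH (private) and PATH.pub (public).
generate_keypair() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo 'ssh-keygen not found' >&2; return 1; }
    ssh-keygen -t ed25519 -f "$1" -N '' -C "${2:-pentest}" >/dev/null
}

# Append PUBKEY to HOME_DIR/.ssh/authorized_keys, enforcing the modes sshd's
# StrictModes expects (dir 700, file 600) and skipping duplicates.
# OPTIONS, if given, is an authorized_keys option string such as
# 'restrict,from="10.0.0.0/8"' and is prepended to the key line.
install_authorized_key() {
    home_dir=$1; pubkey=$2; options=${3:-}
    sshdir="$home_dir/.ssh"; akfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    [ -f "$akfile" ] || : > "$akfile"
    chmod 600 "$akfile" || return 1
    # duplicate check on key type + key material only (ignore comment/options)
    keyid=$(printf '%s\n' "$pubkey" | awk '{ print $1 " " $2 }')
    if grep -F -q -- "$keyid" "$akfile"; then
        return 0   # already installed
    fi
    if [ -n "$options" ]; then
        printf '%s %s\n' "$options" "$pubkey" >> "$akfile"
    else
        printf '%s\n' "$pubkey" >> "$akfile"
    fi
}

# Number of key entries (non-empty, non-comment lines) in the file.
count_authorized_keys() {
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# Permission strings of the directory and file, e.g. "drwx------ -rw-------".
authorized_keys_modes() {
    d=$(ls -ld "$1/.ssh" | cut -c1-10)
    f=$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)
    printf '%s %s\n' "$d" "$f"
}

# usage (placeholders): generate_keypair ./mysshkey && \
#   install_authorized_key /home/<user> "$(cat ./mysshkey.pub)" 'restrict,from="10.0.0.0/8"'
```

`restrict` turns off port forwarding, agent forwarding, X11 forwarding and pty allocation for that key unless re-enabled explicitly, and `from=` ties the key to a source address range; a key installed on a client's system for the duration of a test should carry both, and be removed from the file when the engagement ends.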


Some Cool SSH Configuration Tweaks

Finally, here are some cool modifications you can make to your SSH client configuration (~/.ssh/config); this makes it easier to use other penetration testing tools that rely on SSH.


Host <alias>
    HostName <ssh_server>
    Port 2222
    User ptm
    ForwardX11 yes
    RemoteForward <remote_port> localhost:80
    LocalForward 1521 <target_host>:<target_port>


#Please Share and Comment if you like this Post . 


