SSH
Overviewβ
SSH (Secure Shell) provides encrypted remote command execution, file transfer, and tunneling. On Linux operators stations, ssh is the primary method for connecting to Linux targets and β with OpenSSH installed β Windows targets as well.
All SSH examples below assume the operator is working from a Linux host unless noted.
Basic Connectionβ
# Password authentication
ssh username@<TARGET_IP>
# Specify port (if non-default)
ssh -p 2222 username@<TARGET_IP>
# Run a single command without interactive shell
ssh username@<TARGET_IP> "whoami; id; hostname"
# Force pseudo-TTY allocation (needed for interactive commands, sudo, etc.)
ssh -t username@<TARGET_IP> "sudo bash"
Domain Accounts (Windows Targets)β
# Domain account β use DOMAIN\user or user@domain format
ssh DOMAIN\\username@<TARGET_IP>
ssh username@domain.local@<TARGET_IP>
Key-Based Authenticationβ
Prefer key-based auth over passwords β avoids typing credentials, reduces shell history exposure.
Generate a Key Pairβ
# Ed25519 (preferred β smaller, faster, more secure than RSA)
ssh-keygen -t ed25519 -C "operator-key" -f ~/.ssh/id_ed25519
# RSA (use if target requires it)
ssh-keygen -t rsa -b 4096 -C "operator-key" -f ~/.ssh/id_rsa
Deploy Public Key to Targetβ
# Automated (requires password auth to be enabled on target)
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@<TARGET_IP>
# Manual β append public key to authorized_keys
cat ~/.ssh/id_ed25519.pub | ssh username@<TARGET_IP> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Connect with Keyβ
ssh -i ~/.ssh/id_ed25519 username@<TARGET_IP>
File Transferβ
SCP (Secure Copy)β
SCP is the simplest method for one-off file transfers.
# Copy local file TO remote
scp /path/to/local/file username@<TARGET_IP>:/remote/destination/
# Copy remote file FROM target
scp username@<TARGET_IP>:/remote/path/file /local/destination/
# Recursive directory copy
scp -r /local/directory/ username@<TARGET_IP>:/remote/path/
# Specify port
scp -P 2222 username@<TARGET_IP>:/remote/file /local/destination/
# Use identity file
scp -i ~/.ssh/id_ed25519 username@<TARGET_IP>:/remote/file /local/destination/
SFTP (Interactive)β
SFTP provides an interactive session for browsing and transferring multiple files.
sftp username@<TARGET_IP>
# Common SFTP commands:
sftp> ls # List remote directory
sftp> lls # List local directory
sftp> cd /remote/path # Change remote directory
sftp> lcd /local/path # Change local directory
sftp> get remote_file # Download file
sftp> get -r remote_directory/ # Recursive download
sftp> put local_file # Upload file
sftp> put -r local_directory/ # Recursive upload
sftp> pwd # Print remote working directory
sftp> exit # Close session
SSH Tunnelingβ
SSH tunnels forward TCP traffic through an encrypted SSH connection. Useful for accessing services on remote networks not directly reachable from the operator station.
Local Port Forwardingβ
Bind a local port and forward traffic to a destination reachable from the SSH server. Operator connects to localhost:<LOCAL_PORT> and traffic exits at the remote end.
ssh -L <LOCAL_PORT>:<DEST_HOST>:<DEST_PORT> username@<SSH_SERVER>
# Example: Access RDP on an internal host via a jump server
ssh -L 13389:192.168.10.50:3389 username@<JUMP_HOST_IP>
# Then: rdesktop/xfreerdp localhost:13389
# Example: Access a web service on a remote internal network
ssh -L 8080:10.10.10.100:80 username@<JUMP_HOST_IP>
# Then: curl http://localhost:8080
# Keep-alive flags (useful for long-standing tunnels)
ssh -L 13389:192.168.10.50:3389 -N -f username@<JUMP_HOST_IP>
# -N: no remote command (tunnel only)
# -f: background after authentication
Remote Port Forwardingβ
Bind a port on the SSH server and forward traffic back to the operator's local machine or network. Useful for reaching back to operator-controlled services from a target.
ssh -R <REMOTE_PORT>:<LOCAL_HOST>:<LOCAL_PORT> username@<SSH_SERVER>
# Example: Expose operator's local web server on the remote host's port 8080
ssh -R 8080:localhost:80 username@<TARGET_IP>
# On target: curl http://localhost:8080 β hits operator's machine
Dynamic Port Forwarding (SOCKS Proxy)β
Creates a SOCKS proxy on a local port. Route any application through the proxy to access the remote network.
ssh -D <LOCAL_SOCKS_PORT> -N -f username@<JUMP_HOST_IP>
# Example: SOCKS5 proxy on local port 1080
ssh -D 1080 -N -f username@<JUMP_HOST_IP>
# Use with proxychains
# Edit /etc/proxychains4.conf: socks5 127.0.0.1 1080
proxychains nmap -sT -Pn 10.10.10.0/24
proxychains impacket-psexec domain/user:password@10.10.10.50
ProxyJump (Multi-Hop SSH)β
Connect through one or more intermediate hosts in a single command.
# Single hop: connect to TARGET through JUMP_HOST
ssh -J username@<JUMP_HOST_IP> username@<TARGET_IP>
# Multiple hops
ssh -J user@<HOP1>,user@<HOP2> user@<TARGET_IP>
# ProxyJump with SCP
scp -J username@<JUMP_HOST_IP> username@<TARGET_IP>:/remote/file /local/path/
~/.ssh/config Entry for Repeat Useβ
Host jumphost
HostName <JUMP_HOST_IP>
User username
IdentityFile ~/.ssh/id_ed25519
Host target
HostName <TARGET_IP>
User username
ProxyJump jumphost
IdentityFile ~/.ssh/id_ed25519
# With config in place:
ssh target
scp target:/remote/file /local/path/
SSH to Windows (OpenSSH)β
Windows 10/Server 2019+ ships with an optional OpenSSH server component. When installed, SSH access works identically to Linux.
Verify OpenSSH is Running (on Windows target)β
Get-Service -Name sshd
# Should show: Running
Connect from Linuxβ
# Local account
ssh localuser@<WINDOWS_IP>
# Domain account
ssh DOMAIN\\domainuser@<WINDOWS_IP>
Default Shell on Windows SSHβ
By default, Windows SSH drops into cmd.exe. To get PowerShell:
ssh username@<WINDOWS_IP> "powershell -Command 'Get-Process'"
# Or change the default shell (requires admin on Windows target)
# New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OPSEC β Cleanupβ
# Remove known_hosts entry for target after mission
ssh-keygen -R <TARGET_IP>
# Clear bash history entries related to SSH session
history | grep ssh
# Remove specific lines or clear history:
history -d <LINE_NUMBER>
# If credentials were passed via sshpass (avoid where possible):
# sshpass writes the password to the process environment β visible in /proc/<pid>/environ briefly
# Prefer key-based auth or interactive prompts
sshpass and ssh commands with inline passwords expose credentials in shell history and process listings. Use key-based authentication or interactive password prompts (ssh user@host without -p) whenever possible.