Skip to main content

SSH


Overview​

SSH (Secure Shell) provides encrypted remote command execution, file transfer, and tunneling. On Linux operators stations, ssh is the primary method for connecting to Linux targets and β€” with OpenSSH installed β€” Windows targets as well.

All SSH examples below assume the operator is working from a Linux host unless noted.


Basic Connection​

# Password authentication
ssh username@<TARGET_IP>

# Specify port (if non-default)
ssh -p 2222 username@<TARGET_IP>

# Run a single command without interactive shell
ssh username@<TARGET_IP> "whoami; id; hostname"

# Force pseudo-TTY allocation (needed for interactive commands, sudo, etc.)
ssh -t username@<TARGET_IP> "sudo bash"

Domain Accounts (Windows Targets)​

# Domain account β€” use DOMAIN\user or user@domain format
ssh DOMAIN\\username@<TARGET_IP>
ssh username@domain.local@<TARGET_IP>

Key-Based Authentication​

Prefer key-based auth over passwords β€” avoids typing credentials, reduces shell history exposure.

Generate a Key Pair​

# Ed25519 (preferred β€” smaller, faster, more secure than RSA)
ssh-keygen -t ed25519 -C "operator-key" -f ~/.ssh/id_ed25519

# RSA (use if target requires it)
ssh-keygen -t rsa -b 4096 -C "operator-key" -f ~/.ssh/id_rsa

Deploy Public Key to Target​

# Automated (requires password auth to be enabled on target)
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@<TARGET_IP>

# Manual β€” append public key to authorized_keys
cat ~/.ssh/id_ed25519.pub | ssh username@<TARGET_IP> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Connect with Key​

ssh -i ~/.ssh/id_ed25519 username@<TARGET_IP>

File Transfer​

SCP (Secure Copy)​

SCP is the simplest method for one-off file transfers.

# Copy local file TO remote
scp /path/to/local/file username@<TARGET_IP>:/remote/destination/

# Copy remote file FROM target
scp username@<TARGET_IP>:/remote/path/file /local/destination/

# Recursive directory copy
scp -r /local/directory/ username@<TARGET_IP>:/remote/path/

# Specify port
scp -P 2222 username@<TARGET_IP>:/remote/file /local/destination/

# Use identity file
scp -i ~/.ssh/id_ed25519 username@<TARGET_IP>:/remote/file /local/destination/

SFTP (Interactive)​

SFTP provides an interactive session for browsing and transferring multiple files.

sftp username@<TARGET_IP>

# Common SFTP commands:
sftp> ls # List remote directory
sftp> lls # List local directory
sftp> cd /remote/path # Change remote directory
sftp> lcd /local/path # Change local directory
sftp> get remote_file # Download file
sftp> get -r remote_directory/ # Recursive download
sftp> put local_file # Upload file
sftp> put -r local_directory/ # Recursive upload
sftp> pwd # Print remote working directory
sftp> exit # Close session

SSH Tunneling​

SSH tunnels forward TCP traffic through an encrypted SSH connection. Useful for accessing services on remote networks not directly reachable from the operator station.

Local Port Forwarding​

Bind a local port and forward traffic to a destination reachable from the SSH server. Operator connects to localhost:<LOCAL_PORT> and traffic exits at the remote end.

ssh -L <LOCAL_PORT>:<DEST_HOST>:<DEST_PORT> username@<SSH_SERVER>

# Example: Access RDP on an internal host via a jump server
ssh -L 13389:192.168.10.50:3389 username@<JUMP_HOST_IP>
# Then: rdesktop/xfreerdp localhost:13389

# Example: Access a web service on a remote internal network
ssh -L 8080:10.10.10.100:80 username@<JUMP_HOST_IP>
# Then: curl http://localhost:8080

# Keep-alive flags (useful for long-standing tunnels)
ssh -L 13389:192.168.10.50:3389 -N -f username@<JUMP_HOST_IP>
# -N: no remote command (tunnel only)
# -f: background after authentication

Remote Port Forwarding​

Bind a port on the SSH server and forward traffic back to the operator's local machine or network. Useful for reaching back to operator-controlled services from a target.

ssh -R <REMOTE_PORT>:<LOCAL_HOST>:<LOCAL_PORT> username@<SSH_SERVER>

# Example: Expose operator's local web server on the remote host's port 8080
ssh -R 8080:localhost:80 username@<TARGET_IP>
# On target: curl http://localhost:8080 β†’ hits operator's machine

Dynamic Port Forwarding (SOCKS Proxy)​

Creates a SOCKS proxy on a local port. Route any application through the proxy to access the remote network.

ssh -D <LOCAL_SOCKS_PORT> -N -f username@<JUMP_HOST_IP>

# Example: SOCKS5 proxy on local port 1080
ssh -D 1080 -N -f username@<JUMP_HOST_IP>

# Use with proxychains
# Edit /etc/proxychains4.conf: socks5 127.0.0.1 1080
proxychains nmap -sT -Pn 10.10.10.0/24
proxychains impacket-psexec domain/user:password@10.10.10.50

ProxyJump (Multi-Hop SSH)​

Connect through one or more intermediate hosts in a single command.

# Single hop: connect to TARGET through JUMP_HOST
ssh -J username@<JUMP_HOST_IP> username@<TARGET_IP>

# Multiple hops
ssh -J user@<HOP1>,user@<HOP2> user@<TARGET_IP>

# ProxyJump with SCP
scp -J username@<JUMP_HOST_IP> username@<TARGET_IP>:/remote/file /local/path/

~/.ssh/config Entry for Repeat Use​

Host jumphost
HostName <JUMP_HOST_IP>
User username
IdentityFile ~/.ssh/id_ed25519

Host target
HostName <TARGET_IP>
User username
ProxyJump jumphost
IdentityFile ~/.ssh/id_ed25519
# With config in place:
ssh target
scp target:/remote/file /local/path/

SSH to Windows (OpenSSH)​

Windows 10/Server 2019+ ships with an optional OpenSSH server component. When installed, SSH access works identically to Linux.

Verify OpenSSH is Running (on Windows target)​

Get-Service -Name sshd
# Should show: Running

Connect from Linux​

# Local account
ssh localuser@<WINDOWS_IP>

# Domain account
ssh DOMAIN\\domainuser@<WINDOWS_IP>

Default Shell on Windows SSH​

By default, Windows SSH drops into cmd.exe. To get PowerShell:

ssh username@<WINDOWS_IP> "powershell -Command 'Get-Process'"

# Or change the default shell (requires admin on Windows target)
# New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

OPSEC β€” Cleanup​

# Remove known_hosts entry for target after mission
ssh-keygen -R <TARGET_IP>

# Clear bash history entries related to SSH session
history | grep ssh
# Remove specific lines or clear history:
history -d <LINE_NUMBER>

# If credentials were passed via sshpass (avoid where possible):
# sshpass writes the password to the process environment β€” visible in /proc/<pid>/environ briefly
# Prefer key-based auth or interactive prompts
Shell History

sshpass and ssh commands with inline passwords expose credentials in shell history and process listings. Use key-based authentication or interactive password prompts (ssh user@host without -p) whenever possible.