mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
				synced 2025-10-10 18:36:50 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			378 lines
		
	
	
		
			22 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			378 lines
		
	
	
		
			22 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| # 22 - Pentesting SSH/SFTP
 | ||
| 
 | ||
| {% hint style="success" %}
 | ||
| Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
 | ||
| Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 | ||
| 
 | ||
| <details>
 | ||
| 
 | ||
| <summary>Support HackTricks</summary>
 | ||
| 
 | ||
| * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
 | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
 | ||
| * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 | ||
| 
 | ||
| </details>
 | ||
| {% endhint %}
 | ||
| 
 | ||
| <figure><img src="../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
 | ||
| 
 | ||
| **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
 | ||
| 
 | ||
| {% embed url="https://go.intigriti.com/hacktricks" %}
 | ||
| 
 | ||
| ## Basic Information
 | ||
| 
 | ||
| **SSH (Secure Shell or Secure Socket Shell)** is a network protocol that enables a secure connection to a computer over an unsecured network. It is essential for maintaining the confidentiality and integrity of data when accessing remote systems.
 | ||
| 
 | ||
| **Default port:** 22
 | ||
| 
 | ||
| ```
 | ||
| 22/tcp open  ssh     syn-ack
 | ||
| ```
 | ||
| 
 | ||
| **SSH servers:**
 | ||
| 
 | ||
| * [openSSH](http://www.openssh.org) – OpenBSD SSH, shipped in BSD, Linux distributions and Windows since Windows 10
 | ||
| * [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) – SSH implementation for environments with low memory and processor resources, shipped in OpenWrt
 | ||
| * [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/) – SSH implementation for Windows, the client is commonly used but the use of the server is rarer
 | ||
| * [CopSSH](https://www.itefix.net/copssh) – implementation of OpenSSH for Windows
 | ||
| 
 | ||
| **SSH libraries (implementing server-side):**
 | ||
| 
 | ||
| * [libssh](https://www.libssh.org) – multiplatform C library implementing the SSHv2 protocol with bindings in [Python](https://github.com/ParallelSSH/ssh-python), [Perl](https://github.com/garnier-quentin/perl-libssh/) and [R](https://github.com/ropensci/ssh); it’s used by KDE for sftp and by GitHub for the git SSH infrastructure
 | ||
| * [wolfSSH](https://www.wolfssl.com/products/wolfssh/) – SSHv2 server library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments
 | ||
| * [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) – Apache SSHD java library is based on Apache MINA
 | ||
| * [paramiko](https://github.com/paramiko/paramiko) – Python SSHv2 protocol library
 | ||
| 
 | ||
| ## Enumeration
 | ||
| 
 | ||
| ### Banner Grabbing
 | ||
| 
 | ||
| ```bash
 | ||
| nc -vn <IP> 22
 | ||
| ```
 | ||
| 
 | ||
| ### Automated ssh-audit
 | ||
| 
 | ||
| ssh-audit is a tool for ssh server & client configuration auditing.
 | ||
| 
 | ||
| [https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) is an updated fork from [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/)
 | ||
| 
 | ||
| **Features:**
 | ||
| 
 | ||
| * SSH1 and SSH2 protocol server support;
 | ||
| * analyze SSH client configuration;
 | ||
| * grab banner, recognize device or software and operating system, detect compression;
 | ||
| * gather key-exchange, host-key, encryption and message authentication code algorithms;
 | ||
| * output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
 | ||
| * output algorithm recommendations (append or remove based on recognized software version);
 | ||
| * output security information (related issues, assigned CVE list, etc);
 | ||
| * analyze SSH version compatibility based on algorithm information;
 | ||
| * historical information from OpenSSH, Dropbear SSH and libssh;
 | ||
| * runs on Linux and Windows;
 | ||
| * no dependencies
 | ||
| 
 | ||
| ```bash
 | ||
| usage: ssh-audit.py [-1246pbcnjvlt] <host>
 | ||
| 
 | ||
|    -1,  --ssh1             force ssh version 1 only
 | ||
|    -2,  --ssh2             force ssh version 2 only
 | ||
|    -4,  --ipv4             enable IPv4 (order of precedence)
 | ||
|    -6,  --ipv6             enable IPv6 (order of precedence)
 | ||
|    -p,  --port=<port>      port to connect
 | ||
|    -b,  --batch            batch output
 | ||
|    -c,  --client-audit     starts a server on port 2222 to audit client
 | ||
|                                software config (use -p to change port;
 | ||
|                                use -t to change timeout)
 | ||
|    -n,  --no-colors        disable colors
 | ||
|    -j,  --json             JSON output
 | ||
|    -v,  --verbose          verbose output
 | ||
|    -l,  --level=<level>    minimum output level (info|warn|fail)
 | ||
|    -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
 | ||
|                                (default: 5)
 | ||
| $ python3 ssh-audit <IP>
 | ||
| ```
 | ||
| 
 | ||
| [See it in action (Asciinema)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)
 | ||
| 
 | ||
| ### Public SSH key of server
 | ||
| 
 | ||
| ```bash
 | ||
| ssh-keyscan -t rsa <IP> -p <PORT>
 | ||
| ```
 | ||
| 
 | ||
| ### Weak Cipher Algorithms
 | ||
| 
 | ||
| This is discovered by default by **nmap**. But you can also use **sslcan** or **sslyze**.
 | ||
| 
 | ||
| ### Nmap scripts
 | ||
| 
 | ||
| ```bash
 | ||
| nmap -p22 <ip> -sC # Send default nmap scripts for SSH
 | ||
| nmap -p22 <ip> -sV # Retrieve version
 | ||
| nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorythms 
 | ||
| nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys
 | ||
| nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods
 | ||
| ```
 | ||
| 
 | ||
| ### Shodan
 | ||
| 
 | ||
| * `ssh`
 | ||
| 
 | ||
| ## Brute force usernames, passwords and private keys
 | ||
| 
 | ||
| ### Username Enumeration
 | ||
| 
 | ||
| In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:
 | ||
| 
 | ||
| ```
 | ||
| msf> use scanner/ssh/ssh_enumusers
 | ||
| ```
 | ||
| 
 | ||
| ### [Brute force](../generic-hacking/brute-force.md#ssh)
 | ||
| 
 | ||
| Some common ssh credentials [here ](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt)and [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) and below.
 | ||
| 
 | ||
| ### Private Key Brute Force
 | ||
| 
 | ||
| If you know some ssh private keys that could be used... let's try it. You can use the nmap script:
 | ||
| 
 | ||
| ```
 | ||
| https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
 | ||
| ```
 | ||
| 
 | ||
| Or the MSF auxiliary module:
 | ||
| 
 | ||
| ```
 | ||
| msf> use scanner/ssh/ssh_identify_pubkeys
 | ||
| ```
 | ||
| 
 | ||
| Or use `ssh-keybrute.py` (native python3, lightweight and has legacy algorithms enabled): [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute).
 | ||
| 
 | ||
| #### Known badkeys can be found here:
 | ||
| 
 | ||
| {% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}
 | ||
| 
 | ||
| #### Weak SSH keys / Debian predictable PRNG
 | ||
| 
 | ||
| Some systems have known flaws in the random seed used to generate cryptographic material. This can result in a dramatically reduced keyspace which can be bruteforced. Pre-generated sets of keys generated on Debian systems affected by weak PRNG are available here: [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh).
 | ||
| 
 | ||
| You should look here in order to search for valid keys for the victim machine.
 | ||
| 
 | ||
| ### Kerberos
 | ||
| 
 | ||
| **crackmapexec** using the `ssh` protocol can use the option `--kerberos` to **authenticate via kerberos**.\
 | ||
| For more info run `crackmapexec ssh --help`.
 | ||
| 
 | ||
| ## Default Credentials
 | ||
| 
 | ||
| | **Vendor** | **Usernames**                                                                                               | **Passwords**                                                                                                                                                                                              |
 | ||
| | ---------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | ||
| | APC        | apc, device                                                                                                 | apc                                                                                                                                                                                                        |
 | ||
| | Brocade    | admin                                                                                                       | admin123, password, brocade, fibranne                                                                                                                                                                      |
 | ||
| | Cisco      | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin                                           | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
 | ||
| | Citrix     | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin                                                            | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler                                                                                                                       |
 | ||
| | D-Link     | admin, user                                                                                                 | private, admin, user                                                                                                                                                                                       |
 | ||
| | Dell       | root, user1, admin, vkernel, cli                                                                            | calvin, 123456, password, vkernel, Stor@ge!, admin                                                                                                                                                         |
 | ||
| | EMC        | admin, root, sysadmin                                                                                       | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc                                                                                                                                              |
 | ||
| | HP/3Com    | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op                                                    | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC\_op, !manage, !admin                                                   |
 | ||
| | Huawei     | admin, root                                                                                                 | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123                                                                                             |
 | ||
| | IBM        | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer                                                                                                                               |
 | ||
| | Juniper    | netscreen                                                                                                   | netscreen                                                                                                                                                                                                  |
 | ||
| | NetApp     | admin                                                                                                       | netapp123                                                                                                                                                                                                  |
 | ||
| | Oracle     | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user                                           | changeme, ilom-admin, ilom-operator, welcome1, oracle                                                                                                                                                      |
 | ||
| | VMware     | vi-admin, root, hqadmin, vmware, admin                                                                      | vmware, vmw@re, hqadmin, default                                                                                                                                                                           |
 | ||
| 
 | ||
| ## SSH-MitM
 | ||
| 
 | ||
| If you are in the local network as the victim which is going to connect to the SSH server using username and password you could try to **perform a MitM attack to steal those credentials:**
 | ||
| 
 | ||
| **Attack path:**
 | ||
| 
 | ||
| * **Traffic Redirection:** The attacker **diverts** the victim's traffic to their machine, effectively **intercepting** the connection attempt to the SSH server.
 | ||
| * **Interception and Logging:** The attacker's machine acts as a **proxy**, **capturing** the user's login details by pretending to be the legitimate SSH server.
 | ||
| * **Command Execution and Relay:** Finally, the attacker's server **logs the user's credentials**, **forwards the commands** to the real SSH server, **executes** them, and **sends the results back** to the user, making the process appear seamless and legitimate.
 | ||
| 
 | ||
| [**SSH MITM**](https://github.com/jtesta/ssh-mitm) does exactly what is described above.
 | ||
| 
 | ||
| In order to capture perform the actual MitM you could use techniques like ARP spoofing, DNS spoofin or others described in the [**Network Spoofing attacks**](../generic-methodologies-and-resources/pentesting-network/#spoofing).
 | ||
| 
 | ||
| ## SSH-Snake
 | ||
| 
 | ||
| If you want to traverse a network using discovered SSH private keys on systems, utilizing each private key on each system for new hosts, then [**SSH-Snake**](https://github.com/MegaManSec/SSH-Snake) is what you need.
 | ||
| 
 | ||
| SSH-Snake performs the following tasks automatically and recursively:
 | ||
| 
 | ||
| 1. On the current system, find any SSH private keys,
 | ||
| 2. On the current system, find any hosts or destinations (user@host) that the private keys may be accepted,
 | ||
| 3. Attempt to SSH into all of the destinations using all of the private keys discovered,
 | ||
| 4. If a destination is successfully connected to, repeats steps #1 - #4 on the connected-to system.
 | ||
| 
 | ||
| It's completely self-replicating and self-propagating -- and completely fileless.
 | ||
| 
 | ||
| ## Config Misconfigurations
 | ||
| 
 | ||
| ### Root login
 | ||
| 
 | ||
| It's common for SSH servers to allow root user login by default, which poses a significant security risk. **Disabling root login** is a critical step in securing the server. Unauthorized access with administrative privileges and brute force attacks can be mitigated by making this change.
 | ||
| 
 | ||
| **To Disable Root Login in OpenSSH:**
 | ||
| 
 | ||
| 1. **Edit the SSH config file** with: `sudoedit /etc/ssh/sshd_config`
 | ||
| 2. **Change the setting** from `#PermitRootLogin yes` to **`PermitRootLogin no`**.
 | ||
| 3. **Reload the configuration** using: `sudo systemctl daemon-reload`
 | ||
| 4. **Restart the SSH server** to apply changes: `sudo systemctl restart sshd`
 | ||
| 
 | ||
| ### SFTP Brute Force
 | ||
| 
 | ||
| * [**SFTP Brute Force**](../generic-hacking/brute-force.md#sftp)
 | ||
| 
 | ||
| ### SFTP command execution
 | ||
| 
 | ||
| There is a common oversight occurs with SFTP setups, where administrators intend for users to exchange files without enabling remote shell access. Despite setting users with non-interactive shells (e.g., `/usr/bin/nologin`) and confining them to a specific directory, a security loophole remains. **Users can circumvent these restrictions** by requesting the execution of a command (like `/bin/bash`) immediately after logging in, before their designated non-interactive shell takes over. This allows for unauthorized command execution, undermining the intended security measures.
 | ||
| 
 | ||
| [Example from here](https://community.turgensec.com/ssh-hacking-guide/):
 | ||
| 
 | ||
| ```bash
 | ||
| ssh -v noraj@192.168.1.94 id
 | ||
| ...
 | ||
| Password:
 | ||
| debug1: Authentication succeeded (keyboard-interactive).
 | ||
| Authenticated to 192.168.1.94 ([192.168.1.94]:22).
 | ||
| debug1: channel 0: new [client-session]
 | ||
| debug1: Requesting no-more-sessions@openssh.com
 | ||
| debug1: Entering interactive session.
 | ||
| debug1: pledge: network
 | ||
| debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
 | ||
| debug1: Sending command: id
 | ||
| debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
 | ||
| debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
 | ||
| uid=1000(noraj) gid=100(users) groups=100(users)
 | ||
| debug1: channel 0: free: client-session, nchannels 1
 | ||
| Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
 | ||
| Bytes per second: sent 43133.4, received 44349.5
 | ||
| debug1: Exit status 0
 | ||
| 
 | ||
| $ ssh noraj@192.168.1.94 /bin/bash
 | ||
| ```
 | ||
| 
 | ||
| Here is an example of secure SFTP configuration (`/etc/ssh/sshd_config` – openSSH) for the user `noraj`:
 | ||
| 
 | ||
| ```
 | ||
| Match User noraj
 | ||
|         ChrootDirectory %h
 | ||
|         ForceCommand internal-sftp
 | ||
|         AllowTcpForwarding no
 | ||
|         PermitTunnel no
 | ||
|         X11Forwarding no
 | ||
|         PermitTTY no
 | ||
| ```
 | ||
| 
 | ||
| This configuration will allow only SFTP: disabling shell access by forcing the start command and disabling TTY access but also disabling all kind of port forwarding or tunneling.
 | ||
| 
 | ||
| ### SFTP Tunneling
 | ||
| 
 | ||
| If you have access to a SFTP server you can also tunnel your traffic through this for example using the common port forwarding:
 | ||
| 
 | ||
| ```bash
 | ||
| sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
 | ||
| ```
 | ||
| 
 | ||
| ### SFTP Symlink
 | ||
| 
 | ||
| The **sftp** have the command "**symlink**". Therefor, if you have **writable rights** in some folder, you can create **symlinks** of **other folders/files**. As you are probably **trapped** inside a chroot this **won't be specially useful** for you, but, if you can **access** the created **symlink** from a **no-chroot** **service** (for example, if you can access the symlink from the web), you could **open the symlinked files through the web**.
 | ||
| 
 | ||
| For example, to create a **symlink** from a new file **"**_**froot**_**" to "**_**/**_**"**:
 | ||
| 
 | ||
| ```bash
 | ||
| sftp> symlink / froot
 | ||
| ```
 | ||
| 
 | ||
| If you can access the file "_froot_" via web, you will be able to list the root ("/") folder of the system.
 | ||
| 
 | ||
| ### Authentication methods
 | ||
| 
 | ||
| On high security environment it’s a common practice to enable only key-based or two factor authentication rather than the simple factor password based authentication. But often the stronger authentication methods are enabled without disabling the weaker ones. A frequent case is enabling `publickey` on openSSH configuration and setting it as the default method but not disabling `password`. So by using the verbose mode of the SSH client an attacker can see that a weaker method is enabled:
 | ||
| 
 | ||
| ```bash
 | ||
| ssh -v 192.168.1.94
 | ||
| OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
 | ||
| ...
 | ||
| debug1: Authentications that can continue: publickey,password,keyboard-interactive
 | ||
| ```
 | ||
| 
 | ||
| For example if an authentication failure limit is set and you never get the chance to reach the password method, you can use the `PreferredAuthentications` option to force to use this method.
 | ||
| 
 | ||
| ```bash
 | ||
| ssh -v 192.168.1.94 -o PreferredAuthentications=password
 | ||
| ...
 | ||
| debug1: Next authentication method: password
 | ||
| ```
 | ||
| 
 | ||
| Review the SSH server configuration is necessary to check that only expected\
 | ||
| methods are authorized. Using the verbose mode on the client can help to see\
 | ||
| the effectiveness of the configuration.
 | ||
| 
 | ||
| ### Config files
 | ||
| 
 | ||
| ```bash
 | ||
| ssh_config
 | ||
| sshd_config
 | ||
| authorized_keys
 | ||
| ssh_known_hosts
 | ||
| known_hosts
 | ||
| id_rsa
 | ||
| ```
 | ||
| 
 | ||
| ## Fuzzing
 | ||
| 
 | ||
| * [https://packetstormsecurity.com/files/download/71252/sshfuzz.txt](https://packetstormsecurity.com/files/download/71252/sshfuzz.txt)
 | ||
| * [https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh\_version\_2](https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2)
 | ||
| 
 | ||
| ## References
 | ||
| 
 | ||
| * You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening_guides.html)
 | ||
| * [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
 | ||
| 
 | ||
| <figure><img src="../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
 | ||
| 
 | ||
| **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
 | ||
| 
 | ||
| {% embed url="https://go.intigriti.com/hacktricks" %}
 | ||
| 
 | ||
| ## HackTricks Automatic Commands
 | ||
| 
 | ||
| ```
 | ||
| Protocol_Name: SSH
 | ||
| Port_Number: 22
 | ||
| Protocol_Description: Secure Shell Hardening
 | ||
| 
 | ||
| Entry_1:
 | ||
|   Name: Hydra Brute Force
 | ||
|   Description: Need Username
 | ||
|   Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 {IP} ssh
 | ||
|    
 | ||
| Entry_2:
 | ||
|   Name: consolesless mfs enumeration
 | ||
|   Description: SSH enumeration without the need to run msfconsole
 | ||
|   Note: sourced from https://github.com/carlospolop/legion
 | ||
|   Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'
 | ||
|    
 | ||
| ```
 | ||
| 
 | ||
| {% hint style="success" %}
 | ||
| Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
 | ||
| Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 | ||
| 
 | ||
| <details>
 | ||
| 
 | ||
| <summary>Support HackTricks</summary>
 | ||
| 
 | ||
| * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
 | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
 | ||
| * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 | ||
| 
 | ||
| </details>
 | ||
| {% endhint %}
 |