Netexec for Pentester: SSH Exploitation

SSH (Secure Shell) is the primary protocol for securely managing Unix-like systems remotely. However, weak credentials and permissive SSH configurations remain common vulnerabilities that attackers exploit to gain unauthorized access. In penetration testing (pentesting), the goal is to demonstrate the potential impact of these weaknesses by simulating a real-world attack path. This includes credential exposure, reconnaissance, and file transfer capabilities, all while ensuring that actions are auditable and reversible within the test’s scope.

Table of Contents

  • High-level attack overview & MITRE ATT&CK mapping
  • Prerequisites
  • Enumeration & Exploitation
  • Mitigation
  • Conclusion

High-level attack overview & MITRE ATT&CK mapping

SSH is crucial for remote management but can be exploited if misconfigured or if weak credentials are used. As pentesters, we simulate attacker behavior using the MITRE ATT&CK framework to identify vulnerabilities.

Credential enumeration:

  • MITRE ATT&CK Technique: Valid Accounts — T1078
  • Description: Using known or guessed credentials to log in.

Credential validation:

  • MITRE ATT&CK Technique: Valid Accounts — T1078
  • Description: Confirming that the credentials work.

Remote command execution:

  • MITRE ATT&CK Technique: Remote Services: SSH — T1021.004
  • Description: Executing commands remotely over SSH.

File upload:

  • MITRE ATT&CK Technique: Ingress Tool Transfer — T1105
  • Description: Delivering tools or files to a target system.

File download:

  • MITRE ATT&CK Technique: Data from Local System / Exfiltration — T1005
  • Description: Demonstrating an exfiltration channel.

These steps allow us to simulate an attacker’s approach, testing the system’s defenses at each stage. Using the MITRE ATT&CK framework, we can map these actions to specific adversary behaviors, helping to identify vulnerabilities and strengthen security.

Prerequisites

  • Kali Linux with its standard toolset
  • Tools: Netexec (nxc)

Enumeration & Exploitation

We first enumerate valid credentials (e.g., via brute-forcing) and then exploit them to gain access, run commands, or exfiltrate data, demonstrating how weak credentials can lead to full system compromise.

Credential Enumeration

This is a password spraying / brute force activity. Any discovered credential should be flagged as sensitive evidence and logged immediately.

nxc ssh 192.168.1.52 -u user.txt -p pass.txt

Attempting SSH authentication with username and password lists helps identify weak or default credentials; password reuse and legacy accounts in enterprise environments often expose SSH to unauthorized access.

Validate Credential Authentication

This step moves from credential discovery to confirmed access; it is where an attacker shifts from reconnaissance to an initial foothold.

nxc ssh 192.168.1.52 -u ignite -p 123

A single login attempt with a discovered credential (here ignite:123) establishes an interactive or scripted session, removing false positives from automated scans and validating that a working access vector exists.

Remote Command Execution

Minimal reconnaissance to understand the target environment after compromise.

nxc ssh 192.168.1.52 -u ignite -p 123 -x ifconfig

Executing ifconfig (or ip a) remotely helps enumerate networking interfaces and IP configuration, providing valuable information for follow-on steps, such as identifying local IPs, internal targets, evidence of virtualization, or insights into network segmentation.

SSH exploitation

Put File (Ingress Tool Transfer)

The core idea of this step is to prove that the authenticated channel is writable, allowing us to introduce arbitrary payloads into the target environment. This enables us to execute malicious code, establish persistence, or collect sensitive data.

nxc ssh 192.168.1.52 -u ignite -p 123 --put-file file.txt /tmp/file.txt

Uploading a file to the remote host allows us to deploy tools or payloads via SSH’s file transfer capabilities (SCP/SFTP). This gives us increased flexibility and speeds up the attack, enabling us to stage and execute malicious code efficiently. Defenders may detect this by spotting unexpected files in volatile paths like /tmp, especially if linked to new authentication sources.

Get File (Exfiltration Test)

The core idea is to confirm that our attacker-controlled session can be used to exfiltrate data from the host. If we can retrieve /etc/passwd, other readable files are likely accessible as well, expanding our potential for further exploitation.

nxc ssh 192.168.1.52 -u ignite -p 123 --get-file /etc/passwd passwd

Exfiltration is about moving data discreetly while bypassing detection. SSH offers a reliable, encrypted channel that is usually permitted in enterprise environments, making it well suited to covert data transfers. By retrieving a file such as /etc/passwd, we demonstrate the ability to extract useful information without triggering alarms, proving that even low-sensitivity data can be exfiltrated. This step exposes weaknesses in confidentiality controls and emphasizes the need for better egress monitoring and data protection.
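The steps above leave a recognisable trail in the target's sshd logs: many failed passwords against different accounts from one source, then an accepted login from that source, then an SFTP subsystem request in the same session. The following is an added detection example written for this post (it is not part of the original, and the auth.log lines are constructed samples in OpenSSH's wording); it correlates those three stages in plain awk.

```shell
#!/bin/sh
# Added example, not from the original post: detect the sequence this walkthrough
# produces on the target (spray -> accepted login -> sftp transfer) in sshd logs.
# The auth.log lines below are constructed samples in OpenSSH's syslog wording.
AUTH_LOG=$(mktemp)
trap 'rm -f "$AUTH_LOG"' EXIT
cat > "$AUTH_LOG" <<'EOF'
Jan 10 10:00:01 target sshd[2201]: Failed password for invalid user admin from 192.168.1.50 port 41000 ssh2
Jan 10 10:00:02 target sshd[2202]: Failed password for root from 192.168.1.50 port 41001 ssh2
Jan 10 10:00:03 target sshd[2203]: Failed password for invalid user test from 192.168.1.50 port 41002 ssh2
Jan 10 10:00:04 target sshd[2204]: Failed password for ignite from 192.168.1.50 port 41003 ssh2
Jan 10 10:00:05 target sshd[2205]: Failed password for invalid user backup from 192.168.1.50 port 41004 ssh2
Jan 10 10:00:06 target sshd[2206]: Accepted password for ignite from 192.168.1.50 port 41005 ssh2
Jan 10 10:00:07 target sshd[2206]: subsystem request for sftp by user ignite
Jan 10 10:05:00 target sshd[2300]: Failed password for bob from 10.0.0.9 port 50000 ssh2
Jan 10 10:05:30 target sshd[2301]: Accepted publickey for bob from 10.0.0.9 port 50001 ssh2
EOF

# spray_sources LOG MIN_USERS: one "ip distinct_users failures" line per source
# that failed password auth against at least MIN_USERS different accounts.
spray_sources() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            user = $0; sub(/.*Failed password for (invalid user )?/, "", user); sub(/ from .*/, "", user)
            ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END { for (ip in fails) if (users[ip] >= min) print ip, users[ip], fails[ip] }
    ' "$1"
}

# flag_foothold LOG MIN_USERS: for each spraying source, report the account it
# later authenticated as and whether that session (same sshd pid) requested the
# sftp subsystem, which is how the --put-file/--get-file transfers above appear.
flag_foothold() {
    spray_sources "$1" "$2" | while read -r ip nusers nfails; do
        awk -v ip="$ip" -v n="$nusers" '
            { pid = $5; gsub(/[^0-9]/, "", pid) }
            /sshd\[[0-9]+\]: Accepted / && index($0, " from " ip " port ") {
                u = $0; sub(/.*Accepted [a-z]+ for /, "", u); sub(/ from .*/, "", u)
                ok[u] = 1; by_pid[pid] = u
            }
            /subsystem request for sftp by user / && (pid in by_pid) { sftp[by_pid[pid]] = 1 }
            END { for (u in ok) printf "%s sprayed %d accounts then logged in as %s%s\n",
                                       ip, n, u, (u in sftp) ? " and used sftp" : "" }
        ' "$1"
    done
}
```

Run `flag_foothold /var/log/auth.log 3` on a real host to apply the same logic; the single failed login from 10.0.0.9 followed by a key-based login is deliberately left unflagged.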

Mitigation

  • Enforce key-based SSH auth; disable PasswordAuthentication where possible.
  • Require MFA for privileged SSH access and bastion hosts.
  • Implement fail2ban / rate-limiting and adaptive lockouts to block spraying.
  • Restrict access with AllowUsers/AllowGroups and IP-based controls (jump/bastion).
  • Centralize and forward SSH logs to SIEM; enable session recording for high-risk accounts.
  • Harden sudoers — remove NOPASSWD: ALL and apply least-privilege rules.
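As an added example (not from the original post), the script below audits an sshd_config and a sudoers file against the first four items and the last item of this list. The three files are constructed samples, a permissive "before" beside a hardened "after"; MaxAuthTries and AuthenticationMethods are my choice of sshd-side settings for the rate-limit and MFA items, since fail2ban is a separate service.

```shell
#!/bin/sh
# Added example, not from the original post: check an sshd_config and a sudoers
# file against the mitigation list above. All three files are constructed
# samples. MaxAuthTries and AuthenticationMethods are the sshd-side controls
# chosen here for the rate-limit and MFA items (fail2ban itself is not modelled).
WEAK=$(mktemp); HARD=$(mktemp); SUDO=$(mktemp)
trap 'rm -f "$WEAK" "$HARD" "$SUDO"' EXIT
cat > "$WEAK" <<'EOF'
# permissive: password logins from anywhere, default retry limit, no MFA
Port 22
PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
AllowGroups sshusers
EOF
cat > "$SUDO" <<'EOF'
root    ALL=(ALL:ALL) ALL
ignite  ALL=(ALL) NOPASSWD: ALL
EOF

# sshd_opt FILE KEY: effective value of KEY. As in sshd, the first occurrence
# wins and keywords are case-insensitive; Match blocks are not modelled.
sshd_opt() {
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: one finding per line; prints nothing when the file passes.
audit_sshd() {
    f="$1"
    [ "$(sshd_opt "$f" PasswordAuthentication)" = no ] ||
        echo "PasswordAuthentication is not 'no': key-based auth is not enforced"
    [ -n "$(sshd_opt "$f" AllowUsers)$(sshd_opt "$f" AllowGroups)" ] ||
        echo "no AllowUsers/AllowGroups restriction"
    n=$(sshd_opt "$f" MaxAuthTries)
    { [ -n "$n" ] && [ "$n" -le 3 ]; } ||
        echo "MaxAuthTries unset or above 3 (sshd default is 6): spraying is not throttled"
    case "$(sshd_opt "$f" AuthenticationMethods)" in
        *,*) ;;
        *) echo "AuthenticationMethods does not chain two methods: no MFA" ;;
    esac
}

# audit_sudoers FILE: report every NOPASSWD: ALL grant with its line number.
audit_sudoers() {
    grep -n 'NOPASSWD:[[:space:]]*ALL' "$1" | sed 's/^\([0-9]*\):.*/NOPASSWD: ALL at line \1/'
}
```

Point `audit_sshd` at /etc/ssh/sshd_config and `audit_sudoers` at /etc/sudoers (and the files under /etc/sudoers.d) to run the same checks on a live host.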

Conclusion

Weak or reused SSH credentials are an easy entry point, and once a single account is validated, it opens doors for reconnaissance, file uploads, and data exfiltration. Proper evidence hygiene, like timestamps and encryption, can make it harder for defenders to trace actions. To avoid detection, we focus on exploiting identity controls and stealthy exfiltration methods. While demonstrating impact is crucial, we aim to maintain control without causing destruction, all while leaving as little trace as possible to evade detection.

Author: MD Aslam, an Information Security leader who drives security excellence and mentors teams to strengthen security across products, networks, and organizations.