One of the most effective ways attackers move laterally inside a network is by abusing exposed SSH credentials. Unlike passwords, an SSH private key can silently provide persistent access, often with the ability to escalate to root. In this walkthrough, Pentest Copilot shows how it automatically detects a leaked SSH key, validates it against live hosts, and establishes full takeover with sudo privileges.
We begin with Pentest Copilot’s Internal Assessment Engine. A local agent is deployed to scan the subnet 192.168.1.0/24. This agent acts as the vantage point for enumeration and exploitation, running modules directly inside the target environment.
Pentest Copilot maps the subnet and detects live machines. In this case, a host at 34.47.230.139 was identified and added to the exploit graph. Every discovered node is automatically enriched with metadata like hostname, open ports, and privilege flags.
A service scan reveals multiple exposed endpoints including SSH (22), Kerberos (88), and SMB. Enumeration is a critical step because it determines potential entry points for credential testing and privilege escalation.
Caption: Service enumeration completed, seven new entities discovered.
The SSH authentication submodule is triggered against the identified SSH service. Pentest Copilot automatically cycles through available credentials and leaked keys. Here, it validates an exposed private key that provides successful login to the target machine.
Caption: SSH Auth submodule identified a valid SSH key.
Once access is established, Pentest Copilot spawns a new agent directly on the compromised host. The agent, named GOADPR in this case, signals full control with the ability to execute commands, escalate privileges, and continue the attack chain.
Caption: New agent connected to the exploit framework.
The exploit graph updates dynamically, showing how the compromise happened. Subnet → Host → Service → SSH Key → Vulnerability. This provides defenders with a clear view of how the exposed credential ties into overall attack paths.
Finally, Pentest Copilot generates a full attack path showing the pivot:
Subnet discovery
Host enumeration
SSH service identified
Leaked SSH key applied
Root-level access obtained
This attack path is tagged with CWE-266 (Improper Privilege Management) and CWE-522 (Insufficiently Protected Credentials).
SSH keys are often left unmanaged in enterprise networks. Once an attacker obtains a single leaked key, they can bypass brute-force protections, reuse existing trust relationships, and gain sudo privileges without triggering account lockouts.
Security teams should:
Regularly scan for orphaned or exposed keys.
Rotate and expire keys periodically.
Prefer short-lived SSH certificates instead of static keys.
Monitor for unusual login patterns across servers.
Enforce least-privilege and MFA where possible.
1. Why are SSH keys more dangerous than passwords?
SSH keys don’t expire by default, are rarely rotated, and often grant passwordless root or sudo access. If stolen, they bypass account lockout policies and brute-force protections.
2. How does Pentest Copilot detect leaked keys?
It runs the SSH authentication submodule against enumerated services, testing discovered or supplied keys automatically. Successful authentication is logged and a new agent is spawned on the compromised machine.
3. What happens once an agent is spawned on a host?
The agent provides remote code execution, privilege escalation, and post-exploitation capabilities. Pentest Copilot links it back into the exploit graph to visualize lateral movement paths.
4. Can defenders use Pentest Copilot to simulate SSH key compromise safely?
Yes. It can be run in controlled environments to test exposure, visualize attack paths, and validate whether leaked SSH credentials could result in privilege escalation.
5. How do I protect against this in production environments?
Audit all authorized_keys files, enforce key expiration policies, use SSH CA-signed certificates, monitor for unusual agent connections, and disable unused accounts. Defense is about reducing exposure and monitoring anomalies.
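One way to carry out the authorized_keys audit this answer calls for, as an added example that is not part of the original post or of Pentest Copilot: it parses authorized_keys lines (including quoted option lists), fingerprints each key the way ssh-keygen -lf does, and flags keys with no from= restriction, no expiry-time=, or the same key authorized in more than one account. The key blobs, paths and file contents are constructed sample data.

```python
# Added example, not code from the article or from Pentest Copilot: audit
# authorized_keys content for unrestricted, non-expiring and reused keys.
import base64
import hashlib

def parse_line(line):
    """Return (options, key_type, key_b64) or None; options end at the first whitespace outside double quotes."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, in_quote = "", False
    if not line.startswith(("ssh-", "ecdsa-", "sk-")):  # line begins with an option list
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_quote = not in_quote
            elif ch in " \t" and not in_quote:
                options, line = line[:i], line[i:].lstrip()
                break
    parts = line.split(None, 2)
    return (options, parts[0], parts[1]) if len(parts) >= 2 else None

def fingerprint(key_b64):
    """SHA256 fingerprint in the form ssh-keygen -lf prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(files):
    """files maps authorized_keys path -> content. Returns (path, fingerprint, issue) for keys
    with no from= restriction, no expiry-time=, or authorized for more than one account."""
    findings, owners = [], {}
    for path, content in files.items():
        for options, _, key_b64 in filter(None, map(parse_line, content.splitlines())):
            fp = fingerprint(key_b64)
            owners.setdefault(fp, set()).add(path)
            if "from=" not in options.lower():
                findings.append((path, fp, "no from= source restriction"))
            if "expiry-time=" not in options.lower():
                findings.append((path, fp, "no expiry-time=, key never expires"))
    for fp, paths in owners.items():
        if len(paths) > 1:  # one key trusted by several accounts: a leak pivots across all of them
            findings.append((",".join(sorted(paths)), fp, "same key in multiple accounts"))
    return findings

KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43  # constructed fake key blobs (valid base64, not real keys)
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "B" * 43
SAMPLE_FILES = {  # constructed sample files; paths and comments are made up
    "/home/alice/.ssh/authorized_keys": f'from="10.0.0.0/8",expiry-time="20261231" ssh-ed25519 {KEY_A} alice@laptop\n',
    "/root/.ssh/authorized_keys": f"# legacy deploy key\nssh-ed25519 {KEY_A} alice@laptop\n"
                                  f'command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 {KEY_B} backup\n',
}
```

Running audit(SAMPLE_FILES) reports the unrestricted, non-expiring root entries and that alice's key is also trusted by root, while alice's own restricted entry is clean.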
MITRE ATT&CK T1078: Valid Accounts
CWE-266: Improper Privilege Management
CWE-522: Insufficiently Protected Credentials
Pentest Copilot demonstrates how a single leaked SSH key can enable lateral movement and full host takeover in minutes. By automating the chain of discovery, validation, and exploitation, it provides both attackers and defenders with an accurate picture of real-world credential abuse. For defenders, this is a wake-up call to treat SSH keys with the same scrutiny as passwords, if not more.