SANS Penetration Testing

Using the SSH "Konami Code" (SSH Control Sequences)

By Jeff McJunkin

Are you familiar with the Konami code? The one popularized by the Contra video game?

Pictured above: Tangentially related to SSH

If not, let me fill you in. This code is a sequence of control actions for some video games that'll let you jump forward in the game (some call it a "cheat," but I'd rather not judge.). The code itself is a series of button presses as follows (from Wikipedia):


For me, learning about SSH control sequences felt like finding SSH's Konami code. First I learned how to kill an SSH client that wasn't responsive, which was convenient. Then, finding out about changing SSH's options *after I had established the connection* felt like cheating. Adding SOCKS proxies or local and remote port forwards after I've already connected to an SSH server is very useful, and far less annoying than typing my SSH key passphrase again.

So, how do you start a control sequence? First, make sure "Enter" was the last key you pressed, as the SSH client won't notice the control sequence otherwise. Next, press the tilde character (shift + backtick) followed by another character.

What are the support escape sequences, you ask? Well, press "?" as your second character, and your SSH client will tell you:

Supported escape sequences:
~. - terminate connection (and any multiplexed sessions)
~B - send a BREAK to the remote system
~C - open a command line
~R - request rekey
~V/v - decrease/increase verbosity (LogLevel)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

Of these, I use "~." to kill stubborn SSH clients, "~C" to use additional SSH options (like "-D 8080" to start up a new SOCKS proxy), and rarely "~#" to see what forwards I've created.

Here's an example of me connecting to an SSH server (I set up the alias in my ~/.ssh/config file) and using an SSH control sequence to add a SOCKS proxy on port 9001 retroactively:

Jeff 1

An example of using an SSH escape sequence

Note the line beginning with "whoami". We were interacting with the SSH client itself at the line beginning with "ssh>", but when we finished that by pressing Enter, we didn't get a new prompt from the remote server. The input was still accepted, though, which is why the "whoami" command I typed returned "jeff" in the next line, followed by another newline and the SSH server's prompt.
Gosh, this is useful stuff.

Thanks for reading along! I hope you find as much use for the SSH Konami Code as I have.

- Jeff McJunkin


Upcoming SANS Special Event - 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge - KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions from free 24/7/365:

Player Feedback!

  • "On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team." - @mikehodges
  • "#SANSHolidayHack Confession — I have never used python or scapy before. I got started with both today because of this game! Yay!" - @tww2b
  • "Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa" - @dnlongen

Post a Comment


* Indicates a required field.