search
All Gitbook

SSH

Public key is stored in the ~/.ssh/authorized_keys file of the server the user is connecting to.

Private key is typically stored in the ~/.ssh/ directory on the system the user is connecting from.

hashtag
Enumeration

Default: find /home/ -name "id_rsa"

View key to see if it is password protected: cat svuser.key

Check /etc/passwd to see if the key name is a user for the current machine, if not then the key is likely for connecting to other machine.

Then check ~/.ssh/known_hosts to find recently connected machine. Try SSH to any user found on the connected machine with the current session.

Check ~/.bash_history (tail) when the HashKnownHosts setting is enabled in /etc/ssh/ssh_config (that makes known_hosts not useful to read)

Determine IP address of the host name: host {hostname}

hashtag
Crack private key passphrase

python /usr/share/john/ssh2john.py svuser.key > svuser.hash
cat .hash / the key
$sshng$0$ stands for 3DES
$sshng$1$ stands for RSA, DSA keys using AES-128
$sshng$2$ stands for bcrypt PBKDF + AES-256-CBC / AES-256-CTR
$sshng$3$ stands for EC keys using AES-128
$sshng$4$ stands for RSA, DSA keys using AES-192
$sshng$5$ stands for RSA, DSA keys using AES-256

hashtag
JtR

hashtag
Hashcat

hashtag
Usage

circle-info

Require private keys to have permissions of 600 before being used to connect to a remote server. chmod 600 user.key

hashtag
Persistence

persisting ssh login with ssh-keygenchevron-right

Most Linux systems require 644 permissions on authorized_keys, which means that only the file owner and root can write to the file.

hashtag
Hijacking

The compromised user needs to have an active SSH connection to the intermediate server. If we've compromised an account with root level access on the intermediate server, we can leverage the victim user's open socket directly. (PDF p.535)

Check ~/.ssh/config, ~/.ssh/controlmaster, SSH if entry exists

Check SSH connections: ps aux | grep ssh

PreviousLinux Lateral MovementNextAnsible

Last updated