# SSH Private Keys

## Theory

We may search for SSH private keys in publicly exposed services (such as web servers or SMB shares), or in common directories once we have gained access to the target.

## Practice

### Find Private Keys

{% tabs %}
{% tab title="UNIX-like" %}
We may find SSH keys in all `.ssh` directories using the find command.

```bash
# Quote the pattern so the shell passes it to find instead of expanding it
find / -type d -name '*.ssh' -printf '%p\n' -exec ls -l {} \; 2>/dev/null
```

{% endtab %}

{% tab title="Windows" %}
We may find SSH keys in `C:\Users\<username>\.ssh\` directories.

```powershell
# Replace <username> with the account name
dir "C:\Users\<username>\.ssh\"
```

{% endtab %}
{% endtabs %}

### Brute-Force Private Keys

{% tabs %}
{% tab title="Brute-Force" %}
If an SSH private key is password-protected, we first need to convert it into a hash format that John recognizes before we can crack it.

```bash
ssh2john private_key.txt > hash.txt
# or
python2 /usr/share/john/ssh2john.py private_key.txt > hash.txt
```

Crack the password of the private key using the formatted hash.

```bash
#John
john --wordlist=wordlist.txt hash.txt
```

{% endtab %}
{% endtabs %}
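
The defender's counterpart to the two steps above, as an added example that is not part of the original page: a Python audit that walks a directory tree, identifies PEM-encoded private keys, and reports whether each one is passphrase-protected and whether its mode grants any access to group or others. The function names, the 64 KiB size limit and `sample_openssh` (a constructed, header-only sample) are assumptions of this example; it covers OpenSSH, legacy PEM and PKCS#8 headers and POSIX permission bits only.

```python
import base64, os, re, stat, struct, sys
MAGIC = b"openssh-key-v1\x00"  # first bytes of a decoded OpenSSH private key blob

def key_protection(text):
    """Return 'encrypted', 'unencrypted', or None when text is not a PEM private key."""
    lines = text.strip().splitlines()
    if not lines or not re.fullmatch(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----", lines[0]):
        return None
    if "ENCRYPTED" in lines[0]:        # PKCS#8: BEGIN ENCRYPTED PRIVATE KEY
        return "encrypted"
    if "OPENSSH" in lines[0]:          # cipher name is a length-prefixed string after MAGIC
        try:
            blob = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        except ValueError:
            return None
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return None
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return "unencrypted" if cipher == b"none" else "encrypted"
    if any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:4]):
        return "encrypted"             # legacy PEM (RSA/DSA/EC) with a Proc-Type header
    return "unencrypted"

def audit(root):
    """Return sorted (path, protection, loose_perms) for each private key under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)    # lstat: do not follow symlinks
                if stat.S_ISREG(st.st_mode) and st.st_size <= 64 * 1024:
                    with open(path, errors="replace") as fh:
                        state = key_protection(fh.read())
                    if state:          # loose = any group/other permission bit set
                        findings.append((path, state, bool(st.st_mode & 0o077)))
            except OSError:
                continue               # unreadable file: nothing to report
    return sorted(findings)

def sample_openssh(cipher=b"none"):
    """Constructed sample: header fields only, not a usable key."""
    body = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    for path, state, loose in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{state:12} {'loose-perms' if loose else 'perms-ok':12} {path}")
```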


