It’s well known that the Secure Shell (SSH) is a network protocol that allows users have remote secure terminal access to devices on a network. The SSH over the years have come in to account for the security short-comings of the Telnet protocol. SSH uses encryption and authentication to provide secure connections.
The SSH works like so:
SSH uses public-key cryptography to authenticate the remote computer and the user.
SSH uses public and private key pairs to encrypt the network connection.
A password is used to authenticate the user.
However, an SSH private key can easily be exploited if found on a device. Despite the fact that the private key can be exploited, it might require a little bit of trial and error. You can check the key file to confirm if it’s actually a private key as SSH private keys typically starts with
-----BEGIN OPENSSH PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----
Printing the content of the file to the terminal helps to confirm that.
Moving on, we assume a valid user and a corresponding SSH private key file is found(and you have read access to the file), such that the following steps can be used to exploit this key if found:
Ensure the private key file (usually id_rsa, id_dsa or id_ed25519) has correct/strict permission using the command
chmod 600 <private_key_file>Next, try connecting to the remote device with the ssh command
ssh -i <private_key_file> user@target_ipIf after running this command, you get an error saying access is denied and a passphrase/password is needed, you then proceed to crack the password using either johntheripper or hashcat. We suggest using johntheripper as hashcat is GPU intensive.
Using johntheripper, first extract the hash of the private key to a file, say private_key_hash.txt with the command
ssh2john <private_key_file> > private_key_hash.txtThen, with a wordlist of your choice, you crack the password like so
john —wordlist=<path_to_wordlist> private_key_hash.txtHere’s where the trial and error comes into play as you might have to use different wordlists or even create a custom wordlist to crack the password. Common wordlists include rockyou, seclists, fasttrack,etc.
Once the cracking process is done, if the password was found, it might be displayed on the terminal. However, if it does not display the password but says a password was found(loaded), use the command to display the password
john private_key_hash.txt --showjohn private_key_hash.txt —showNow you have the password, run the command to get remote access
ssh -i <private_key_file> user@target_ipand if prompted to enter the passphrase/password, enter the password cracked to get remote access.
We can see how relatively easy it is to exploit SSH private key (if key file and a valid user have been identified during recon and enumeration) with just a few commands. A practical scenario is in the Empire: LupinOne CTF. Check it out.
Until we meet again, feliz piratería.
Disclaimer: This content is provided solely for educational and informational purposes. It is intended to demonstrate the use of cybersecurity tools and techniques for ethical hacking and penetration testing within a controlled and authorized environment. Any unauthorized use of this information is strictly prohibited and may result in legal consequences.