{"id":2066,"date":"2021-01-09T11:19:36","date_gmt":"2021-01-09T10:19:36","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2066"},"modified":"2021-01-09T11:33:40","modified_gmt":"2021-01-09T10:33:40","slug":"ssh-secure-shell","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2066","title":{"rendered":"<span class=\"caps\">SSH<\/span> Secure Shell"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>If the serv\u00ader needs old cryp\u00adto, use <code>-oKexAlgorithms=+diffie-hellman-group1-sha1<\/code><\/li><li>OpenSSH 7.7. allows to enu\u00admer\u00adate exist\u00ading&nbsp;users.<\/li><li><a href=\"https:\/\/blog.ropnop.com\/extracting-ssh-private-keys-from-windows-10-ssh-agent\/\">It could be pos\u00adsi\u00adble on Win\u00addows 10 ssh-agent to extract the&nbsp;keys.<\/a><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Keys<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Get fin\u00adger\u00adprints<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -p22 --script ssh-hostkey $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get hostkeys<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -p22 --script ssh-hostkey --script-args ssh_hostkey=full $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Extract fin\u00adger\u00adprints from exist\u00ading key&nbsp;file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh-keygen -E md5 -lf \/tmp\/found_key<br>ssh-keygen -E sha1 -lf \/tmp\/found_key<br>ssh-keygen -E sha256 -lf \/tmp\/found_key<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Grab <span class=\"caps\">SSH<\/span> keys from a host&nbsp;range<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">for ip in $(cat hosts.txt); do<br> nmap -p22 --script ssh-hostkey $ip &gt; \/tmp\/$ip.keys<br>done;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Test\u00ading a pri\u00advate key against a host&nbsp;range<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">for ip in $(cat hosts.txt); do<br> echo For ip $ip<br> ssh -oBatchMode=yes -i t root@$ip \"echo 'is valid'\"<br>done;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Tools<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/github.com\/arthepsy\/ssh-audit\">ssh-audit<\/a><ul><li>Remote analy\u00adsis of the ver\u00adsion and ciphers.<\/li><li>Usage:<br><code>git clone https:\/\/github.com\/arthepsy\/ssh-audit<br>cd ssh-audit<br>python ssh-audit.py $target_domain<\/code><\/li><\/ul><\/li><li><a href=\"https:\/\/github.com\/rapid7\/ssh-badkeys\">Try pub\u00adlicly known bad&nbsp;keys<\/a><\/li><li><a href=\"https:\/\/github.com\/galkan\/crowbar\">Crow\u00adbar<\/a> (brute force, also for pri\u00advate <span class=\"caps\">SSH<\/span>&nbsp;keys)<\/li><li><a href=\"https:\/\/github.com\/lanjelot\/patator\">Pata\u00adtor<\/a> (brute force)<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Notes If the serv\u00ader needs old cryp\u00adto, use \u2011oKexAlgorithms=+diffie-hellman-group1-sha1 OpenSSH 7.7. allows to enu\u00admer\u00adate exist\u00ading&nbsp;users. It could be pos\u00adsi\u00adble on Win\u00addows 10 ssh-agent to extract the&nbsp;keys. Keys Get fin\u00adger\u00adprints nmap \u2011p22 \u2013script ssh-hostkey $tar\u00adget Get hostkeys nmap \u2011p22 \u2013script ssh-hostkey \u2013script-args ssh_hostkey=full $tar\u00adget Extract fin\u00adger\u00adprints from exist\u00ading key&nbsp;file: ssh-key\u00adgen \u2011E md5 \u2011lf \/tm\u00adp\/\u00adfound_keyssh-key\u00adgen \u2011E&nbsp;sha1&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[323],"tags":[46],"class_list":["post-2066","post","type-post","status-publish","format-standard","hentry","category-protocol","tag-ssh"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2066","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2066"}],"version-history":[{"count":4,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2066\/revisions"}],"predecessor-version":[{"id":2077,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2066\/revisions\/2077"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2066"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2066"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2066"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}