SSH Key Attacks

SSH key authentication is more secure than passwords, but keys can be compromised through theft, weak passphrases, or poor key management. This lesson covers attacks targeting SSH keys.

Finding SSH Keys

Keys might exist in various locations including default user locations like .ssh/id_rsa, system-wide host keys, backup locations, NAS shares, and git repositories.

Search for exposed keys by finding files named id_rsa or id_dsa, and searching for BEGIN PRIVATE KEY content.

Passphrase Cracking

Encrypted private keys have passphrases. The header indicates encryption type and cipher info.

Using John the Ripper

Convert key to crackable format with ssh2john, crack with wordlist, then show cracked passphrase.

Using Hashcat

SSH key mode 22931 for RSA keys supports GPU-accelerated cracking.

Key Reuse Attacks

Organizations often reuse keys across systems. Found keys should be tested against same user on other hosts, root account, service accounts, git servers, and backup systems.

Authorized Keys Manipulation

With write access, add your own key. Generate an attack key, append public key to authorized_keys, then connect with your private key.

Weak Key Vulnerabilities

Historical issues include Debian OpenSSL bug (2008) causing predictable keys, default keys in appliances, and small key sizes. Key attacks bypass password-based defenses entirely.