General

The public keys allowed to log in to an account are listed in that account's ~/.ssh/authorized_keys file on the server.

The matching private key lives on the client side, typically in the user's ~/.ssh/ directory.

Find SSH private keys

find /home/ -name "id_rsa"

Once you find a key, one approach is to read the user's ~/.ssh/known_hosts file to see which machines they have connected to recently, or to read their ~/.bash_history.

Crack SSH private key passphrase

python /usr/share/john/ssh2john.py svuser.key > svuser.hash
sudo john --wordlist=/usr/share/wordlists/rockyou.txt ./svuser.hash

The OpenSSH client refuses to use a private key that other users can read (it reports an unprotected private key file), so the key file needs mode 600 before it can be used to connect to a remote server.

ssh -i ./svuser.key svuser@controller
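The two problems the sections above turn into an attack path are private keys readable by other users and private keys with no passphrase. The audit below is an added example, not code from the original notes: it walks a ~/.ssh directory, reports keys whose mode allows group or other access, and tells passphrase-protected keys from unprotected ones by reading the key container itself (the cipher name in the openssh-key-v1 header, or the Proc-Type / ENCRYPTED headers of legacy PEM). It assumes a POSIX filesystem; the sample keys it builds in demo() are constructed header-only fixtures, not usable keys.

```python
# Added example (not from the original notes): audit a ~/.ssh directory for
# private keys that are unencrypted or readable by other users. Assumes a POSIX
# filesystem and the two OpenSSH private-key containers: legacy PEM and
# "openssh-key-v1". The sample keys built below are constructed fixtures.
import base64
import binascii
import os
import stat
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_FOOTER = "-----END OPENSSH PRIVATE KEY-----"


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf, off):
    """Decode one SSH wire-format string from buf at offset off; returns (bytes, new_offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_is_encrypted(text):
    """True if text is a passphrase-protected private key, False if unprotected,
    None if it is not a private key at all (public key, config, known_hosts...)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        return None
    if lines[0] == OPENSSH_HEADER:
        # openssh-key-v1 layout: magic, string ciphername ("none" means no passphrase),
        # string kdfname, string kdfoptions, uint32 nkeys, then the key blobs.
        try:
            body = base64.b64decode("".join(lines[1:-1]))
            if not body.startswith(OPENSSH_MAGIC):
                return None
            cipher, _ = _read_ssh_string(body, len(OPENSSH_MAGIC))
        except (binascii.Error, struct.error):
            return None
        return cipher != b"none"
    if "PRIVATE KEY" in lines[0]:
        # Legacy PEM: PKCS#8 uses a distinct "ENCRYPTED PRIVATE KEY" header;
        # traditional OpenSSL keys carry a "Proc-Type: 4,ENCRYPTED" line.
        if "ENCRYPTED PRIVATE KEY" in lines[0]:
            return True
        return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
    return None


def audit_ssh_dir(ssh_dir):
    """Return a list of (path, finding) tuples for ssh_dir; an empty list means nothing flagged."""
    ssh_dir = Path(ssh_dir)
    findings = []
    dir_mode = stat.S_IMODE(ssh_dir.stat().st_mode)
    if dir_mode & 0o077:
        findings.append((str(ssh_dir), f"directory mode {dir_mode:o}, expected 700"))
    for path in sorted(ssh_dir.iterdir()):
        if not path.is_file():
            continue
        encrypted = key_is_encrypted(path.read_text(errors="replace"))
        if encrypted is None:
            continue  # not a private key
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:
            findings.append((str(path), f"private key mode {mode:o}, expected 600"))
        if not encrypted:
            findings.append((str(path), "private key has no passphrase"))
    return findings


def make_sample_openssh_key(cipher):
    """Constructed fixture: an openssh-key-v1 container carrying only the header
    fields, enough for key_is_encrypted; it is not a usable key."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 0)
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_HEADER}\n{wrapped}\n{OPENSSH_FOOTER}\n"


# Constructed fixture: a legacy PEM key with the OpenSSL encryption headers and a placeholder body.
LEGACY_ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keQ==\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def demo():
    """Build a constructed ~/.ssh in a temporary directory and audit it; returns the findings."""
    d = Path(tempfile.mkdtemp())  # mkdtemp creates the directory with mode 700
    samples = {
        "id_ed25519": (make_sample_openssh_key(b"none"), 0o644),       # unprotected and world-readable
        "id_rsa": (make_sample_openssh_key(b"aes256-ctr"), 0o600),      # passphrase-protected, correct mode
        "id_rsa.pub": ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 user@host\n", 0o644),  # public key: ignored
        "legacy.pem": (LEGACY_ENCRYPTED_PEM, 0o600),
    }
    for name, (text, mode) in samples.items():
        p = d / name
        p.write_text(text)
        os.chmod(p, mode)
    return audit_ssh_dir(d)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

On the constructed directory only id_ed25519 is flagged, twice: its mode is 644 and it carries no passphrase. Run audit_ssh_dir against a real home directory to find the keys a john run would succeed against in seconds.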

Generic tips

Check /home/mark/.ssh/known_hosts and the .bash_history file for traces of earlier SSH connections.

Attempt to ssh to other machines as every possible user: an existing ControlMaster (connection-sharing) session may allow a connection without authenticating again.
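What known_hosts gives away depends on one client setting. By default OpenSSH writes host names and addresses in clear; with HashKnownHosts set to yes it writes each host as "|1|salt|hash", the hash being HMAC-SHA1 over the host name keyed with a random 20-byte salt, so the file no longer lists where the user has been and a host can only be confirmed by guessing it and recomputing the HMAC. The parser below is an added example, not code from the original notes: it reads both entry forms, lists the hosts exposed in plaintext, and checks a guessed name against a hashed entry. The sample file is constructed and its key material is a placeholder.

```python
# Added example (not from the original notes): parse a known_hosts file and show
# the difference between plaintext host entries, which reveal previously contacted
# machines, and the hashed entries OpenSSH writes when HashKnownHosts is yes.
# The sample file below is constructed; the base64 key material is a placeholder.
import base64
import hashlib
import hmac


def hash_host(hostname, salt):
    """Produce the "|1|<salt>|<hash>" form OpenSSH stores for a hashed hostname:
    HMAC-SHA1 keyed with a 20-byte random salt, computed over the host name."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def parse_known_hosts(text):
    """Return one dict per entry: line, marker (@cert-authority/@revoked or None),
    keytype, hashed flag, and either the plaintext host list or the salt and digest."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed entry: needs hosts, key type and key
        hostfield, keytype = fields[0], fields[1]
        entry = {"line": lineno, "marker": marker, "keytype": keytype}
        if hostfield.startswith("|1|"):
            _, _, salt_b64, digest_b64 = hostfield.split("|", 3)
            entry.update(hashed=True, hosts=None,
                         salt=base64.b64decode(salt_b64), digest=base64.b64decode(digest_b64))
        else:
            entry.update(hashed=False, hosts=hostfield.split(","), salt=None, digest=None)
        entries.append(entry)
    return entries


def entry_matches_host(entry, hostname):
    """True if the entry covers hostname. For a hashed entry the only way to tell is
    to recompute the HMAC with the stored salt; nothing in the file names the host."""
    if entry["hashed"]:
        mac = hmac.new(entry["salt"], hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, entry["digest"])
    return hostname in entry["hosts"]


def plaintext_hosts(text):
    """Every host name or address a reader of the file learns without guessing."""
    hosts = []
    for entry in parse_known_hosts(text):
        if not entry["hashed"]:
            hosts.extend(entry["hosts"])
    return hosts


SAMPLE_SALT = b"0123456789abcdefghij"  # constructed 20-byte salt; OpenSSH draws a random one
PLACEHOLDER_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL"  # not a real key, never decoded

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; the first entry is what a client writes by default",
    "controller,10.0.0.5 ssh-ed25519 " + PLACEHOLDER_KEY,
    # the same host as written with HashKnownHosts yes
    hash_host("controller", SAMPLE_SALT) + " ssh-ed25519 " + PLACEHOLDER_KEY,
    "@revoked badhost ssh-rsa " + PLACEHOLDER_KEY,
])


if __name__ == "__main__":
    for e in parse_known_hosts(SAMPLE_KNOWN_HOSTS):
        print(e["line"], "hashed" if e["hashed"] else "plaintext", e["hosts"] or "(host hidden)",
              "matches controller:", entry_matches_host(e, "controller"))
    print("exposed in plaintext:", plaintext_hosts(SAMPLE_KNOWN_HOSTS))
```

The hashed entry still matches "controller" once that name is supplied, which is the limit of the protection: hashing hides the list of hosts from a casual reader of the file but does not stop confirmation of a guessed name. Setting HashKnownHosts yes in ssh_config, together with keeping shell history clean of host names, is what removes the quick inventory these notes rely on.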
