👾 Overview
SSH private keys can be used to access a system as the user associated with the key, but you generally need the username in order to connect. So what do you do if you don’t know who a key belongs to?
You can use ssh-keygen to derive the public key from the private key. For keys stored in the OpenSSH format, the output ends with the key's comment field, which ssh-keygen fills with user@host by default. If the key is passphrase protected, you'll need to obtain or crack the passphrase first, since the comment sits inside the encrypted section.
📌 Exploitation
The following command can be used to recover the public key from a private key:

```shell
ssh-keygen -y -f [private key] > public-key.pub
```

If the file is passphrase protected, it'll prompt for the passphrase. ssh2john can be used to grab a hash from a private key if you need to crack it.
```shell
# Grabbing a hash
python3 ssh2john.py [private key] > ssh.hash

# Running a dictionary attack
john --wordlist=/tools/rockyou.txt ./ssh.hash

# Grabbing the password
john --show ./ssh.hash
[private key]:[password]

1 password hash cracked, 0 left
```

✨ Post-Exploitation
Once you've generated public-key.pub, cat out the file and look for the comment (typically user@hostname) at the tail end of the line. You can then use it to access your target with ssh [user]@[host] -i [private key].
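The same fact cuts the other way for whoever owns the keys: an unencrypted OpenSSH private key exposes its comment (and so the user@host it was made for) to anyone who reads the file. The parser below is an added example, not code from this page or from OpenSSH; it walks the openssh-key-v1 layout (magic, cipher name, KDF name, public key blobs, private section) and reports whether a passphrase is set and, only when the private section is stored in the clear, the comment. `build_sample_key` is a constructed sample that assembles a syntactically valid ed25519 key with dummy key bytes so the example runs offline; a real audit would feed it files from ~/.ssh instead.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
# Number of key-specific 'string' fields sitting between the key type and the comment.
PRIVATE_FIELDS = {b"ssh-ed25519": 2, b"ssh-rsa": 6, b"ssh-dss": 5,
                  b"ecdsa-sha2-nistp256": 3, b"ecdsa-sha2-nistp384": 3, b"ecdsa-sha2-nistp521": 3}

def _string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes); return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _pack(b):
    return struct.pack(">I", len(b)) + b

def inspect_openssh_key(pem):
    """Describe an openssh-key-v1 private key without decrypting it (comment only if unencrypted)."""
    blob = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    off = len(MAGIC)
    cipher, off = _string(blob, off)
    kdf, off = _string(blob, off)
    _kdfopts, off = _string(blob, off)     # opaque here (salt + rounds when kdf is bcrypt)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    off += 4
    pub, off = _string(blob, off)          # first public key blob: string keytype, ...
    keytype, _ = _string(pub, 0)
    for _ in range(nkeys - 1):             # skip any further public keys
        _, off = _string(blob, off)
    priv, _ = _string(blob, off)           # private section: ciphertext when a passphrase is set
    info = {"cipher": cipher.decode(), "kdf": kdf.decode(), "encrypted": cipher != b"none",
            "keytype": keytype.decode(), "comment": None}
    if info["encrypted"]:
        return info                        # the comment lives inside the encrypted section
    p = 8                                  # skip the two checkint fields
    ktype, p = _string(priv, p)
    for _ in range(PRIVATE_FIELDS[ktype]): # skip the key material itself
        _, p = _string(priv, p)
    comment, _ = _string(priv, p)
    info["comment"] = comment.decode()
    return info

def build_sample_key(comment, encrypted=False):
    """Constructed sample only: an ed25519 key in openssh-key-v1 layout with dummy key bytes."""
    pk, seed = b"\x02" * 32, b"\x01" * 32
    pub = _pack(b"ssh-ed25519") + _pack(pk)
    priv = (struct.pack(">II", 7, 7) + _pack(b"ssh-ed25519") + _pack(pk)
            + _pack(seed + pk) + _pack(comment.encode()))
    priv += bytes(range(1, 8 - len(priv) % 8 + 1)) if len(priv) % 8 else b""   # 1,2,3.. padding
    cipher, kdf = (b"aes256-ctr", b"bcrypt") if encrypted else (b"none", b"none")
    if encrypted:                          # stand-in for ciphertext: the comment is no longer visible
        priv = b"\x00" * len(priv)
    blob = MAGIC + _pack(cipher) + _pack(kdf) + _pack(b"") + struct.pack(">I", 1) + _pack(pub) + _pack(priv)
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

Keys that report `encrypted: False` together with a comment are the ones worth re-keying or at least protecting with a passphrase (ssh-keygen -p), since the file alone names the account it opens.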
📝 Resources
| 🔗 Hyperlink | ℹ️ Info |
|---|---|
| SSH2John | John script to grab crackable hashes from SSH private key files |