SSH Agent Forwarding Hijack
If another user has SSH agent forwarding enabled, you can use their agent socket to authenticate as them to remote hosts.Find Active Agent Sockets
Identify Socket Owner
Hijack Agent
Automate Discovery
Writable SSH Config
/etc/ssh/sshd_config
~/.ssh/authorized_keys
If writable for another user:~/.ssh/config
If writable — inject ProxyCommand:Debian Weak Keys (CVE-2008-0166)
Debian OpenSSL bug generated only 32,768 possible keys.Check
Exploit
Download pre-generated keys:SSH Private Keys on Disk
Find Keys
Check Permissions (Readable?)
Use Found Key
Crack Passphrase
If key is encrypted:SSH Persistence
Add Key to Root
Generate Key Pair on Target
Quick Reference
| Technique | Requirement |
|---|---|
| Agent forwarding hijack | Active SSH agent socket accessible |
| Writable authorized_keys | Write access to ~/.ssh/ |
| Writable sshd_config | Write access to /etc/ssh/ |
| Debian weak keys | Debian Etch / Ubuntu 7-8 |
| Private key theft | Readable key files |