In the realm of penetration testing, particularly for certifications like OSCP, understanding how to leverage SSH keys for post-exploitation and lateral movement is crucial. SSH keys offer a powerful, often stealthy, method to authenticate and gain access to systems without relying on traditional passwords. This module will delve into the mechanics of SSH key exploitation.

SSH (Secure Shell) keys are a pair of cryptographic keys used to authenticate a user to an SSH server. They consist of a private key (kept secret by the user) and a public key (shared with the server). When a connection is attempted, the server uses the public key to verify the identity of the user presenting the corresponding private key. This process is more secure than password-based authentication as it's less susceptible to brute-force attacks.

SSH key exploitation typically occurs in two main scenarios:

1. Finding Private Keys on Compromised Systems: If an attacker gains initial access to a system, they will often search for private SSH keys that might grant them access to other systems on the network. These keys are commonly found in user home directories, specifically within the .ssh/ subdirectory.

2. Leveraging Public Keys for Unauthorized Access: If an attacker can place their own public key onto a target system's authorized_keys file (e.g., ~/.ssh/authorized_keys), they can then use their corresponding private key to log in without needing a password. This is often achieved through privilege escalation or by exploiting misconfigurations.

On a compromised Linux or macOS system, attackers will systematically search for private keys. Common locations include:

• /home/<user>/.ssh/id_rsa (and other id_* files like id_dsa, id_ecdsa)
• /root/.ssh/id_rsa
• /var/www/.ssh/id_rsa (if a web server user has shell access)
• Configuration files of applications that might store SSH credentials.

Once a private key is found, the attacker can attempt to use it with the ssh command. If the key is not passphrase-protected, the connection will be immediate. If it is protected, tools like ssh2john and John the Ripper or hashcat can be used to attempt to crack the passphrase.

A more proactive approach for an attacker is to add their own public SSH key to a target system's authorized_keys file. This allows them to establish a persistent backdoor. This can be achieved if the attacker has write permissions to the target user's .ssh directory or can exploit a vulnerability that allows them to modify this file.

Several tools and techniques are vital for SSH key exploitation:

• ssh command: The fundamental tool for connecting via SSH. Used with the -i flag to specify a private key file.
• ssh-keygen: Used to generate SSH key pairs.
• ssh2john.py: Converts SSH private key files into a format usable by password cracking tools.
• John the Ripper / hashcat: Powerful password cracking tools.
• find command: Used to locate potential SSH key files on a system.
• grep command: Useful for searching within files for specific patterns, like public keys in authorized_keys.

For defenders, securing SSH is paramount. This includes:

• Disabling password authentication entirely and relying solely on SSH keys.
• Enforcing strong passphrases for all private keys.
• Regularly auditing authorized_keys files for unauthorized entries.
• Restricting SSH access to only necessary users and IP addresses.
• Using SSH agent forwarding cautiously and disabling it when not needed.
• Keeping SSH server software updated.