3

We are performing a penetration test as part of a study where the hardware unit listens for connection over FTP, SSH, and Telnet. All of these are password-protected. The hardware unit must first be loaded with a small 4 MB "utility" that tells the hardware to listen on a specific IP address over these services.

We have hex-dumped this utility and found a lot of configuration type files on there. We also discovered the RSA private key and the DSA private key. We should be able to login using these keys instead of the password as shown here:

https://debian-administration.org/article/530/SSH_with_authentication_key_instead_of_password

However, we are unsure how to go about doing this. Usually the server has the public key encoded in it and the client provides the private key. We found the private key on the "utility" that is supposed to be loaded on the hardware unit, and we don't have the corresponding public key. Any ideas how we could proceed?

whoami · 1,366 · 9 · 17

3 Answers

3

If there are configuration files for the ssh server, they are probably server host keys and you are not able to log in with them anywhere. Only to perform a man-in-the-middle attack, if you were able to spoof DNS/DHCP.

Jakuje · 5,229 · 16 · 31

1

If they are in fact private keys with the corresponding public keys on the server setup for a user for SSH access, then you should be able to SSH presuming that public key access is enabled.

If you wish to use the private key directly then you would use the -i parameter to specify this:

ssh -i private_key_file root@192.0.2.102

The above assumes you know, or discover that the username is root.

SilverlightFox · 33,408 · 6 · 67 · 178
  • I did that and it asks me for a password next. I guess they have password + keys set up -- which means I would still need a password? – whoami Aug 09 '16 at 17:25
  • `ssh -v 192.0.2.102` and look for the first "Authentications that can continue" line. See if it mentions `publickey`. Also, as said make sure you're using the correct username for the key. – SilverlightFox Aug 09 '16 at 19:16
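The comment thread above boils down to reading the `ssh -v` transcript correctly: the first "Authentications that can continue" banner is the server's policy before any attempt, "Server accepts key" means the offered key matched an authorized key for that username, and "Authenticated with partial success" means sshd wants a further method on top of the key (the behaviour whoami describes, where a password prompt follows `-i`). The script below is an added example, not code from the answer; the three transcripts are constructed in the shape of OpenSSH client output, not captured from the device in the question.

```python
import re

# Constructed samples in the shape of OpenSSH `ssh -v` client output (not captured
# from the device in the question). Line wording follows OpenSSH's own messages.
SAMPLE_PASSWORD_ONLY = """\
debug1: Authentications that can continue: password
debug1: Next authentication method: password
"""

SAMPLE_KEY_SUCCEEDS = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: private_key_file
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
"""

# Key is accepted, but sshd then demands a second method as well, which is
# what a password prompt right after `ssh -i` usually means.
SAMPLE_KEY_THEN_PASSWORD = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: private_key_file
debug1: Server accepts key: pkalg ssh-rsa blen 279
Authenticated with partial success.
debug1: Authentications that can continue: password
debug1: Next authentication method: password
"""

NO_PUBLICKEY = "server does not offer publickey for this user"
KEY_ALONE = "key alone logs in"
KEY_PLUS_MORE = "key accepted, but the server requires another method too"
KEY_REJECTED = "publickey offered, but this key/username was not accepted"
UNKNOWN = "no authentication banner found in transcript"


def parse_ssh_verbose(transcript):
    """Pull the authentication facts out of an `ssh -v` transcript."""
    info = {"offered": None, "key_accepted": False, "partial": False, "succeeded": None}
    for line in transcript.splitlines():
        m = re.search(r"Authentications that can continue: (\S+)", line)
        if m and info["offered"] is None:   # first banner = server policy before any attempt
            info["offered"] = m.group(1).split(",")
        if "Server accepts key" in line:
            info["key_accepted"] = True
        if "Authenticated with partial success" in line:
            info["partial"] = True
        m = re.search(r"Authentication succeeded \((\w+)\)", line)
        if m:
            info["succeeded"] = m.group(1)
    return info


def triage(transcript):
    """Explain, from the client's debug output, why `ssh -i key` did or did not get in."""
    info = parse_ssh_verbose(transcript)
    if info["offered"] is None:
        return UNKNOWN
    if "publickey" not in info["offered"]:
        return NO_PUBLICKEY
    if info["succeeded"] == "publickey":
        return KEY_ALONE
    if info["key_accepted"] and info["partial"]:
        return KEY_PLUS_MORE
    return KEY_REJECTED


if __name__ == "__main__":
    for name, sample in [("password only", SAMPLE_PASSWORD_ONLY),
                         ("key succeeds", SAMPLE_KEY_SUCCEEDS),
                         ("key then password", SAMPLE_KEY_THEN_PASSWORD)]:
        print(f"{name}: {triage(sample)}")
```

Feed it a real transcript with `ssh -v -i private_key_file user@192.0.2.102 2>&1 | python3 triage.py` style piping (the filename is hypothetical). The "partial success" outcome corresponds to an sshd configured to require more than one method (the `AuthenticationMethods` option), which is exactly the "password + keys" setup whoami suspects.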

0

If you have the private key you can use it to generate the public key as long as you either have the password or it's a password-less private key. The procedure is academic and very google-able.

Neil Davis · 282 · 1 · 4