{"id":5779,"date":"2024-04-03T14:55:00","date_gmt":"2024-04-03T19:55:00","guid":{"rendered":"https:\/\/www.incredigeek.com\/home\/?p=5779"},"modified":"2024-06-19T22:59:43","modified_gmt":"2024-06-20T03:59:43","slug":"hacking-hashed-ssh-known_hosts-file","status":"publish","type":"post","link":"https:\/\/www.incredigeek.com\/home\/hacking-hashed-ssh-known_hosts-file\/","title":{"rendered":"Hacking Hashed SSH known_hosts file"},"content":{"rendered":"\n

On Ubuntu, by default, the hosts in .ssh\/known_hosts are hashed. This can theoretically help with security. If an attacker compromises a host, they will not be able to tell the IP addresses of other hosts in the known_hosts file.<\/p>\n\n\n\n

https:\/\/security.stackexchange.com\/questions\/56268\/ssh-benefits-of-using-hashed-known-hosts<\/a><\/p>\n\n\n\n

Anatomy of the hashed known_hosts<\/h2>\n\n\n\n

Here is an example of a hashed entry in the known_hosts file. <\/p>\n\n\n\n

|1|ma8KL2XrNYkNnknf68N4IuZ+c+I=|PmR+n2i0\/epUGZZh2S+LB6OaowQ= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjqG8\/el8c669FxcvEw5mMfDRTDxsjgLiz44dCTtchs<\/code><\/pre>\n\n\n\n
There are three main parts. <\/p>\n\n\n\n
The first part ma8KL2XrNYkNnknf68N4IuZ+c+I=<\/code> is the salt to use.<\/p>\n\n\n\n
PmR+n2i0\/epUGZZh2S+LB6OaowQ=<\/code> This is our hashed IP address\/hostname<\/p>\n\n\n\n
ssh-ed25519 <\/code>is the key type<\/p>\n\n\n\n
AAAAC3NzaC1lZDI1NTE5AAAAIEjqG8\/el8c669FxcvEw5mMfDRTDxsjgLiz44dCTtchs<\/code> Is the public SSH key of the remote host.<\/p>\n\n\n\n
SSH-KEYSCAN<\/h2>\n\n\n\n
We can use ssh-keyscan to check the keys of hosts.  The -t ssh-ed25519 option only shows ed25519 keys.  Remove or change to show all key types e.g. RSA\/DSA<\/em><\/p>\n\n\n\n
For example:<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327flocalhost)-[~]
\u2514\u2500$ ssh-keyscan -t ssh-ed25519 localhost
# localhost:22 SSH-2.0-OpenSSH_9.6p1 Debian-3
localhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjqG8\/el8c669FxcvEw5mMfDRTDxsjgLiz44dCTtchs<\/code><\/pre>\n\n\n\n
We can compare the SSH public key with the one in our known_hosts file to verify we have the correct host.<\/p>\n\n\n\n
As a side note, we can also use the -H option to show us a hashed version.  The salt changes each time it is run, so it is not useful for comparing the hashed IP address. <\/p>\n\n\n\n
Example:<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327flocalhost)-[~]
\u2514\u2500$ ssh-keyscan -H -t ssh-ed25519 localhost
# localhost:22 SSH-2.0-OpenSSH_9.6p1 Debian-3
|1|j2j9iv\/GkPfnG9Yv4WzJsy\/L1pc=|wethKgsGBH0Mi+rFW3zSNSWiGso= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjqG8\/el8c669FxcvEw5mMfDRTDxsjgLiz44dCTtchs<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Hacking known_hosts hashes<\/h2>\n\n\n\n
There are a few different techniques that can be used to identify known hosts IP addresses even if they are hashed.  <\/p>\n\n\n\n
https:\/\/stackoverflow.com\/questions\/427979\/how-do-you-extract-ip-addresses-from-files-using-a-regex-in-a-linux-shell<\/a><\/p>\n\n\n\n
Search through bash history<\/h2>\n\n\n\n
history | egrep '([0-9]{1,3}\\.){3}[0-9]{1,3}'<\/code><\/pre>\n\n\n\n
Example output<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327flocalhost)-[~]
\u2514\u2500$ history | egrep '([0-9]{1,3}\\.){3}[0-9]{1,3}' | head -n2
  1   ssh kali@127.0.0.1<\/code><\/pre>\n\n\n\n
Check if SSH Public Key is on Shodan<\/h2>\n\n\n\n
Since the SSH public key is um, well, public, we can search for it on Shodan to see if it’s a known public server.  https:\/\/www.shodan.io<\/a><\/p>\n\n\n\n
Copy the public ssh key from the known_hosts file.  It is the last portion of the line i.e.
AAAAC3NzaC1lZDI1NTE5AAAAIEjqG8\/el8c669FxcvEw5mMfDRTDxsjgLiz44dCTtchs<\/code><\/p>\n\n\n\n
|1|ma8KL2XrNYkNnknf68N4IuZ+c+I=|PmR+n2i0\/epUGZZh2S+LB6OaowQ= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjqG8\/el8c669FxcvEw5mMfDRTDxsjgLiz44dCTtchs<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Brute force<\/h2>\n\n\n\n
Since the address space for IPv4 is fairly small, and the private IP address space even smaller, brute forcing all the addresses is perfectly feasible.<\/p>\n\n\n\n
Here is a quick example on how you would hash an IP address.  Commands are taken from the above Stack Exchange link.<\/p>\n\n\n\n
Take the salt and put it into a variable<\/p>\n\n\n\n
key=`echo j2j9iv\/GkPfnG9Yv4WzJsy\/L1pc= | base64 -d | xxd -p`<\/code><\/pre>\n\n\n\n
Next we can run the following command to hash the result.  The IP (127.0.0.1) is where we would want to enumerate the IP address.<\/p>\n\n\n\n
echo -n \"127.0.0.1\" | openssl sha1 -mac HMAC -macopt hexkey:$key|awk '{print $2}' | xxd -r -p | base64<\/code><\/pre>\n\n\n\n
The output is PmR+n2i0\/epUGZZh2S+LB6OaowQ=<\/code> which is the correct hash.<\/p>\n\n\n\n
Automating should be fairly simple.<\/p>\n\n\n\n
A note on SSH ports.  If the host is using a non standard ssh port, you will need to update the above command with the port, but the address needs to be wrapped in square brackets []<\/p>\n\n\n\n
echo -n \"[127.0.0.1]:2222\" | openssl sha1 -mac HMAC -macopt hexkey:$key|awk '{print $2}' | xxd -r -p | base64<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Use ssh-keyscan<\/h2>\n\n\n\n
A final way we can discover known-hosts, is by using ssh-keyscan.  The man page says the following<\/p>\n\n\n\n
ssh-keyscan is a utility for gathering the public SSH host keys of a number of hosts. It was designed to aid in building and verifying ssh_known_hosts files

ssh-keyscan  uses  non-blocking  socket  I\/O to contact as many hosts as possible in parallel, so it is very efficient.  The keys from a domain of 1,000 hosts can be collected in tens of seconds, even when some of those hosts are down or do not run sshd(8).  For scanning, one does not need login access to the machines that are being scanned, nor does  the scanning process involve any encryption.

Hosts  to  be scanned may be specified by hostname, address or by CIDR network range (e.g. 192.168.16\/28).  If a network range is specified, then all addresses in that range will be scanned.<\/code><\/pre>\n\n\n\n
This makes it super convenient to do a network scan using ssh-keyscan and then compare the public ssh keys with those in the known_hosts file.<\/p>\n\n\n\n
Example:<\/p>\n\n\n\n
ssh-keyscan 192.168.0.0\/16<\/code><\/pre>\n\n\n\n
To scan all private IP ranges (RFC1912), we just run the scan with all three IP ranges<\/p>\n\n\n\n
ssh-keyscan 192.168.0.0\/16
ssh-keyscan 172.12.0.0\/12
ssh-keyscan 10.0.0.0\/8<\/code><\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
On Ubuntu, by default, the hosts in .ssh\/known_hosts are hashed. This can theoretically help with security. If an attacker compromises a host, they will not be able to tell the IP addresses of other hosts in the known_hosts file. https:\/\/security.stackexchange.com\/questions\/56268\/ssh-benefits-of-using-hashed-known-hosts … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[420,3,573],"tags":[1675,1674,421,1673,390,221,1672],"class_list":["post-5779","post","type-post","status-publish","format-standard","hentry","category-hacking","category-linux","category-security","tag-discover","tag-discovery","tag-hacking","tag-known_hosts","tag-openssl","tag-ssh","tag-ssh-keyscan"],"_links":{"self":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/comments?post=5779"}],"version-history":[{"count":18,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5779\/revisions"}],"predecessor-version":[{"id":5823,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5779\/revisions\/5823"}],"wp:attachment":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/media?parent=5779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/categories?post=5779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/tags?post=5779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}