Welcome to a new post where we are going to talk about the well-known file «known_hosts» used by the SSH client. However, the post will not focus on the service itself; it will focus on Offensive Forensics on Known Hosts: discovering which hosts the server being audited has communicated with over SSH.

Let’s start!
Let’s start with some background about the file and how OpenSSH uses it. OpenSSH clients use the file «known_hosts» (per user in ~/.ssh/known_hosts, system-wide in /etc/ssh/ssh_known_hosts) to record the host public key of every SSH server they have connected to, together with the hostname or IP of that server. On the next connection the client compares the key presented by the server with the stored one, which is how it detects man-in-the-middle attacks over SSH.
Once we know what this file is for, let’s think about a scenario where we have access to a Linux server but could not enumerate any further host on the same network. After performing a basic internal enumeration we notice that the server has a big known_hosts file with a lot of entries.
However, the hostnames and IPs are not readable because the client option «HashKnownHosts» was enabled (upstream OpenSSH defaults it to «no», but the /etc/ssh/ssh_config shipped by Debian-based distributions turns it on). With this option the client does not store the host in clear: the host field of each entry is replaced by an HMAC-SHA1 keyed with a random per-entry salt, so the file no longer tells where the server has been connecting. Note that it is the hostnames that are hashed, not the keys; the host public keys are still stored as-is:

Time to attack!
Nevertheless, the hash is a fast HMAC-SHA1 over a small input space (an IPv4 address or a hostname), so we can try to crack it with hashcat and reveal the IPs behind the entries.
To be able to brute force them, the first thing we need to do is download the file or copy its contents. Once we have the entries, we use the following tool to transform each hashed host field into a hash format hashcat understands:
known_hosts-hashcat by chris408 – github
We convert the entries like this:
python3 kh-converter.py your_known_hosts_file > output.hashes
Then, with hashcat we run a mask attack over the converted hashes to get the IPs:
- the file «ipv4_hcmask.txt» is inside the github repository mentioned before. A mask attack is more efficient than the traditional brute force with a wordlist because hashcat generates the candidates itself instead of reading them from disk. The file includes all the masks (patterns) needed to cover every IPv4 address, so we do not have to generate a wordlist with all the IPv4 addresses (which would take tens of gigabytes):
hashcat -m 160 --quiet --hex-salt output.hashes -a 3 ipv4_hcmask.txt
- «-m 160» is HMAC-SHA1 with the salt as key, which is exactly what OpenSSH computes over the hostname; «--hex-salt» tells hashcat that the salt in output.hashes is hex-encoded, as the converter writes it.
Finally, after some time we will have gathered the IPs hidden in the known_hosts file and can start enumerating them.
Some caveats before relying on this: the masks only produce dotted IPv4 addresses, so entries that were hashed from a hostname, an IPv6 address or a «[host]:port» string (what OpenSSH stores for a non-default port) will not be recovered by this run. Every entry carries its own random salt, so the cracking time grows linearly with the number of entries; if you already know the internal ranges, restricting the masks to them (for example, fixing the first octets) is much faster than sweeping the whole IPv4 space. And for a handful of candidate hosts you do not need hashcat at all: «ssh-keygen -F <host> -f known_hosts» tells you whether a given host is in the file even when the entries are hashed.
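The scheme behind the two commands above, as an added example that is not code from the original post or from the known_hosts-hashcat project: a small Python script that builds hashed entries the way OpenSSH does, emits the «mac:salt» lines that hashcat’s -m 160 expects with --hex-salt, and runs the equivalent of the mask attack against a single internal /24 (the targeted alternative when you already know the ranges). The known_hosts contents, salts and keys are constructed inside the script and the function names are my own; the only thing taken from OpenSSH is the entry format and the HMAC-SHA1 computation.

```python
"""Re-implementation of the HashKnownHosts scheme with the standard library.

OpenSSH writes a hashed entry as
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host)) keytype base64key
with a random 20-byte salt per entry; for a non-default port the hashed
string is "[host]:port". Sample data below is constructed for this example.
"""
import base64
import hashlib
import hmac
import ipaddress

HASH_MAGIC = "|1|"


def hash_host_field(host: str, salt: bytes) -> str:
    """Build the '|1|salt|mac' host field exactly as OpenSSH would for `host`."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def parse_known_hosts(text: str):
    """Yield (host_field, keytype, key) per entry; skip comments and drop the
    optional @cert-authority / @revoked marker in front of the host field."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):
            parts = parts[1:]
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2]


def split_hashed(host_field: str):
    """Return (salt, mac) bytes for a hashed host field, or None for a plain one."""
    if not host_field.startswith(HASH_MAGIC):
        return None
    _, _, salt_b64, mac_b64 = host_field.split("|")
    return base64.b64decode(salt_b64), base64.b64decode(mac_b64)


def to_hashcat_line(host_field: str) -> str:
    """Line for hashcat -m 160 (HMAC-SHA1, key = $salt) with --hex-salt:
    '<mac hex>:<salt hex>'."""
    salt, mac = split_hashed(host_field)
    return f"{mac.hex()}:{salt.hex()}"


def host_matches(host_field: str, candidate: str) -> bool:
    """True if `candidate` is the host behind `host_field` (hashed or plain)."""
    parsed = split_hashed(host_field)
    if parsed is None:
        return candidate in host_field.split(",")
    salt, mac = parsed
    guess = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(guess, mac)


def crack_ipv4_range(text: str, network: str, ports=(22,)) -> dict:
    """Targeted equivalent of the hashcat mask attack: test every address of
    `network` (plus "[addr]:port" for non-default ports) against each entry.
    Returns {host_field: (recovered host, keytype)}; hashed entries that were
    hostnames rather than IPs stay unrecovered, like in the hashcat run."""
    candidates = []
    for addr in ipaddress.ip_network(network):
        candidates.append(str(addr))
        candidates.extend(f"[{addr}]:{p}" for p in ports if p != 22)
    found = {}
    for host_field, keytype, _key in parse_known_hosts(text):
        for cand in candidates:
            if host_matches(host_field, cand):
                found[host_field] = (cand, keytype)
                break
    return found


# Constructed sample: fixed salts (real entries use 20 random bytes), a
# placeholder key string, one plain entry and one hashed hostname that an
# IPv4 sweep cannot recover.
SALT_A = bytes(range(20))
SALT_B = bytes(range(20, 40))
FAKE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFORTHISEXAMPLE"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real file",
    f"{hash_host_field('10.10.20.7', SALT_A)} ssh-ed25519 {FAKE_KEY}",
    f"{hash_host_field('[10.10.20.9]:2222', SALT_B)} ssh-ed25519 {FAKE_KEY}",
    f"gitlab.internal,10.10.20.3 ssh-ed25519 {FAKE_KEY}",
    f"{hash_host_field('build.internal', SALT_A)} ssh-ed25519 {FAKE_KEY}",
])


def demo():
    print("hashcat lines (-m 160 --hex-salt):")
    for host_field, _, _ in parse_known_hosts(SAMPLE_KNOWN_HOSTS):
        if split_hashed(host_field):
            print(" ", to_hashcat_line(host_field))
    print("recovered from 10.10.20.0/24 (ports 22 and 2222):")
    hits = crack_ipv4_range(SAMPLE_KNOWN_HOSTS, "10.10.20.0/24", ports=(22, 2222))
    for host_field, (host, keytype) in hits.items():
        print(f"  {host:<20} {keytype}  <- {host_field[:28]}")


if __name__ == "__main__":
    demo()
```

Running it prints two hashcat-ready lines (the plain entry needs none) and recovers 10.10.20.7, [10.10.20.9]:2222 and the plain 10.10.20.3, while the hashed «build.internal» entry stays unknown: the same gap the IPv4 masks leave in a real run. Swap the sample for your own file contents and the /24 for the ranges you already know, or pipe the «to_hashcat_line» output to hashcat for anything larger.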

I hope you liked the post! This is what allows us to perform Offensive Forensics on Known Hosts!
Based on: https://github.com/chris408/known_hosts-hashcat
If you are looking for more interesting posts about Offensive Security, remember that you can always check the blog section:
Happy Hacking!