
SSH Hacking question...


Scrag


I'm taking a security course where we need to hack into a number of lab machines. Lots of them are running SSH. I can get key information with the following nmap command:

# nmap -p 22 --script ssh-hostkey -v 192.168.xxx.xxx

Starting Nmap 6.46 ( http://nmap.org ) at 2014-12-08 11:36 EST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 11:36
Scanning 192.168.xxx.xxx [1 port]
Completed ARP Ping Scan at 11:36, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:36
Completed Parallel DNS resolution of 1 host. at 11:36, 4.04s elapsed
Initiating SYN Stealth Scan at 11:36
Scanning 192.168.xxx.xxx [1 port]
Discovered open port 22/tcp on 192.168.xxx.xxx
Completed SYN Stealth Scan at 11:36, 0.18s elapsed (1 total ports)
NSE: Script scanning 192.168.xxx.xxx.
Initiating NSE at 11:36
Completed NSE at 11:36, 2.08s elapsed
Nmap scan report for 192.168.xxx.xxx
Host is up (0.100s latency).
PORT STATE SERVICE
22/tcp open ssh

| ssh-hostkey:
|   1024 65:63:69:c9:8b:96:b1:fb:be:d5:5c:f8:1e:7b:de:8f (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAPgR1A-JiiKTtPRghjaMR4nHJ2qK9+bfehVJw5fhPu3gsLxPe+dOi9gfpOrM4pVo0ORZkiOn/9Hn6pVX0qpnXPtgGhGsnQYkPR6QdiBI4WeGGZ3tsDuj1u0X6DrSEy4eVuaAGV9h2413TzgFcZ8o690pDWcKGB8krHHgi0SWnj3xQ1AAAAFQDzMDuRv4XwObvME88LK1VQ28xagQAAAIEAmNnhKZCSEnOhyW5+h5U1870DbfM7WMW/ferRugS7no4GxEbDBUlDp3IovMAOKPt/ZSajiyueew1o4IXq+3qVf1sjtUDOvtptv7aGUpK9ZCeY/JOXEL/52677D02b1/aVimy4xGFKdIPEdqwindgIAbvxjuBrlTkIMnKzxYpFIAAACABExZb99rpjo3h+6ypzywL+QZLO1tVb8I5wuTtRfGTL3619Tv0PHXZ74DR8qE2KOgx9WapTKUcFgGwDQZ2fh+EZd2/xx/jOn/gCrfdtHAKW1LivYYJg3nAR2XeYj/5c+c9WUTloY+4E08Lwb5Uibr9vNxm05/wiJMauAMS/Q4EYAm=
|   2048 28:99:c0:51:20:96:31:e1:a4:fb:9a:17:46:52:cf:fc (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwLyVtTmZ588dtDeYaMXwwMpQIteepzUL7RR9WsiTibncf19LOnci/Ov1wQz9mx6Tty23t4ZD2w1ZQdIHhKpm/cGKFuxueSnCQRHIi93RvXWCTMRvrAe0OSNYLM8NjIEFNPGHyUPmkDQELUpI97i9+ht1brwz/OEBEr4f1rOAC/CTWKDk4WvKwy7n63GvU/Q5hCSOWPrj37VS7Y53xThdKWKQs3bkU2C+n0h1XDzx0x19e4FINDa9SzvE6qvIKBobzY0czT9RcL1npS+wmignR1os/fPteXhDe37Kmed6Tx+/52YvAdQPTly7yoDP8pAWf80+yM6MIjXT8DRz3LvraQ==

MAC Address: 00:00:00:00:00:00 (VMware)
NSE: Script Post-scanning.
Initiating NSE at 11:36
Completed NSE at 11:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.49 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Is this information something I can use to break into the system? I've tried reading up on SSH, but most of it, with keys etc., doesn't make a lot of sense to me.

Any thoughts on this would be appreciated!

Thanks.


If the version is vulnerable you can use compromised keys to authenticate. You can use Metasploit to scan for the SSH version. I think it only works with version 2 or 3, so most SSH instances in the wild have been updated from that. You should be able to find the list of compromised keys on exploit-db. I don't think you can use the keys you grabbed with nmap, but don't quote me on that... I'm a little rusty on this stuff. Good luck!

Edited by sud0nick

What you're seeing there is the public half of the host key. It won't help you with logging in, it's just there to allow clients to authenticate that they're connecting to the SSH server that they intended to. Even if you cracked the private key, all that would allow you to do would be to impersonate that SSH server to other clients. It wouldn't help you with logging in.


The only thing that springs to mind is the potential to notice key reuse.

It's a massive no-no, but I wouldn't be surprised if installs based on pre-built images carry the same keys because someone failed to replace them with unique copies. If you see key reuse and you get on one of the machines using them, you can steal the associated private key and use it to snoop in on traffic between the other machine(s) and anybody/anything connecting to it, likely showing passwords and other sensitive data that you can use to further your attack.

Edited by Cooper
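As an added example (not code from anyone in this thread), here is a Python script that does what the last two replies describe. It takes the base64 blob that nmap prints after ssh-rsa / ssh-dss, parses the SSH public-key wire format to get the key type and size, recomputes the colon-separated MD5 fingerprint that nmap 6.x shows on the line above the blob (and the newer SHA256:... form), and, given ssh-keyscan-style "host keytype base64" lines for several hosts, reports which hosts present an identical host key. The key blobs and the 192.168.56.x addresses are constructed for illustration; they are valid wire format but not real keys, and the function names are this example's own.

```python
"""Parse SSH host keys (nmap ssh-hostkey / ssh-keyscan output), recompute their
fingerprints, and flag host-key reuse across a set of hosts.

Added example for this thread, not code from the original posts.  The blobs
below are constructed: correct SSH wire format, but the big integers are
hand-picked, NOT real RSA/DSA key material."""
import base64
import hashlib
import struct
from collections import defaultdict


# ---- SSH wire-format helpers (RFC 4251 "string" and "mpint") ---------------
def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    if n == 0:
        return _string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # mpint is two's complement; keep it positive
        raw = b"\x00" + raw
    return _string(raw)


def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + length], off + length


def parse_pubkey_blob(blob: bytes) -> dict:
    """Key type and size from a decoded public-key blob (the base64 part)."""
    ktype, off = _read_string(blob, 0)
    fields = []
    while off < len(blob):
        f, off = _read_string(blob, off)
        fields.append(int.from_bytes(f, "big"))
    ktype = ktype.decode()
    if ktype == "ssh-rsa":      # fields: e, n   -> size is bit length of n
        bits = fields[1].bit_length()
    elif ktype == "ssh-dss":    # fields: p, q, g, y -> size is bit length of p
        bits = fields[0].bit_length()
    else:
        bits = None
    return {"type": ktype, "bits": bits}


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 of the blob, the format nmap 6.x and old OpenSSH print."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH 6.8+ default format: SHA256:<unpadded base64 of the hash>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan_line(line: str):
    """'host keytype base64' as emitted by ssh-keyscan -> (host, blob)."""
    host, ktype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    assert parse_pubkey_blob(blob)["type"] == ktype, "type prefix/blob mismatch"
    return host, blob


def find_key_reuse(lines):
    """Map MD5 fingerprint -> sorted hosts, keeping only keys seen on >1 host."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):   # ssh-keyscan comment lines
            continue
        host, blob = parse_keyscan_line(line)
        seen[fingerprint_md5(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


# ---- Constructed sample data (not real keys) --------------------------------
RSA_BLOB = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 1)
RSA2_BLOB = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 3)
DSA_BLOB = (_string(b"ssh-dss") + _mpint((1 << 1023) | 1) + _mpint((1 << 159) | 1)
            + _mpint(2) + _mpint(3))

SAMPLE_KEYSCAN = [
    "# 192.168.56.101:22 SSH-2.0-OpenSSH_5.3",
    "192.168.56.101 ssh-rsa " + base64.b64encode(RSA_BLOB).decode(),
    "192.168.56.101 ssh-dss " + base64.b64encode(DSA_BLOB).decode(),
    "192.168.56.102 ssh-rsa " + base64.b64encode(RSA_BLOB).decode(),  # cloned image
    "192.168.56.103 ssh-rsa " + base64.b64encode(RSA2_BLOB).decode(),
]

if __name__ == "__main__":
    for line in SAMPLE_KEYSCAN:
        if line.startswith("#"):
            continue
        host, blob = parse_keyscan_line(line)
        info = parse_pubkey_blob(blob)
        print(host, info["bits"], fingerprint_md5(blob), f"({info['type'].upper()})")
    for fp, hosts in find_key_reuse(SAMPLE_KEYSCAN).items():
        print("host key", fp, "is shared by", ", ".join(hosts))
```

To run it against the lab instead of the constructed data, collect the keys with something like `ssh-keyscan -t rsa,dsa -f hosts.txt > keys.txt` (one host per line in hosts.txt) and pass the lines of keys.txt to find_key_reuse. A fingerprint listed with more than one host means those machines carry the same private host key, which is exactly the situation the reply above is about; as the earlier reply says, it still tells you nothing about any user's login credentials.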
