OSCP Notes


Cracking ssh

Did you find a backup private key?
  1. Run ssh2john on the private key to turn it into a hash that john understands:
     ssh2john id_rsa.bak > hash
  2. Crack the passphrase with john:
     john --wordlist=/usr/share/wordlists/rockyou.txt hash
     * use the directory where you keep rockyou.txt; "john --show hash" prints the recovered passphrase again later.
  3. Log in with the recovered passphrase plus the private key (chmod 600 the key file first, or ssh refuses to use it):
     ssh -i id_rsa.bak [email protected]
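Before spending time on ssh2john/john it is worth checking whether the recovered key is passphrase-protected at all: an unencrypted key logs in directly with ssh -i. The script below is an added example, not part of the original notes; the sample key files it builds are constructed dummies with real headers only, and the user@target in the printed hint is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original notes. Decide whether a recovered
# private key carries a passphrase before running ssh2john/john on it.
#
# key_is_encrypted FILE
#   returns 0 if the key has a passphrase, 1 if it has none,
#   2 if the file is not a recognised private key.
key_is_encrypted() {
    f="$1"
    if head -n 1 "$f" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
        # openssh-key-v1 format: the base64 body decodes to the magic
        # "openssh-key-v1\0", then the ciphername and kdfname strings.
        # kdfname is "bcrypt" for passphrase-protected keys, "none"
        # otherwise, and it always sits inside the first 64 bytes.
        if sed '1d;$d' "$f" | base64 -d 2>/dev/null | head -c 64 | grep -aq 'bcrypt'; then
            return 0
        fi
        return 1
    elif head -n 1 "$f" | grep -q 'BEGIN ENCRYPTED PRIVATE KEY'; then
        # PKCS#8: the encryption is stated in the armour header itself.
        return 0
    elif head -n 1 "$f" | grep -q 'BEGIN .*PRIVATE KEY'; then
        # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is announced
        # in a plain-text "Proc-Type: 4,ENCRYPTED" header line.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            return 0
        fi
        return 1
    fi
    return 2
}

# Constructed sample files (hypothetical): only the headers the check
# reads are real, the key material is dummy data, not usable keys.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

OPENSSH_ENC="$WORK/id_ed25519_enc"
OPENSSH_PLAIN="$WORK/id_ed25519_plain"
PEM_ENC="$WORK/id_rsa_enc.pem"
PEM_PLAIN="$WORK/id_rsa_plain.pem"
NOT_A_KEY="$WORK/notes.txt"

# magic + uint32 len + ciphername + uint32 len + kdfname, as openssh writes it
{
    echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'
} > "$OPENSSH_ENC"
{
    echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'
} > "$OPENSSH_PLAIN"
{
    echo '-----BEGIN RSA PRIVATE KEY-----'
    echo 'Proc-Type: 4,ENCRYPTED'
    echo 'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF'
    echo ''
    echo 'ZHVtbXkgZW5jcnlwdGVkIGtleSBib2R5'
    echo '-----END RSA PRIVATE KEY-----'
} > "$PEM_ENC"
{
    echo '-----BEGIN RSA PRIVATE KEY-----'
    echo 'ZHVtbXkgcGxhaW4ga2V5IGJvZHk='
    echo '-----END RSA PRIVATE KEY-----'
} > "$PEM_PLAIN"
echo 'this is not a key' > "$NOT_A_KEY"

# Print the next step for each sample; user@target is a placeholder.
for k in "$OPENSSH_ENC" "$OPENSSH_PLAIN" "$PEM_ENC" "$PEM_PLAIN"; do
    if key_is_encrypted "$k"; then
        echo "$k: passphrase set -> ssh2john \"$k\" > hash && john --wordlist=/usr/share/wordlists/rockyou.txt hash"
    else
        echo "$k: no passphrase -> chmod 600 \"$k\" && ssh -i \"$k\" user@target"
    fi
done
```

If ssh2john reports that the key has no password, this is the same situation: skip john and use the key as it is.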

No key? Use patator (its ssh_login module) to brute force SSH credentials.

If SSH is filtered, you may try this:
  • /proc/sched_debug is useful sometimes: it lists the tasks on each CPU even when normal process listing is restricted, so it can reveal a running knockd.
  • if "knockd" exists, it's a port knocking service, which means some ports (here SSH) stay filtered until the right knock sequence is sent.
  • the sequence is in /etc/knockd.conf
It may look like this.
In this case, to access SSH, we need to hit ports 7569, 8475, 9842 in that exact order, and inside the seq_timeout the config sets.
  • hit these ports with nc, one after the other, and then try to ssh.
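The knock itself, as an added example that is not part of the original notes: the script parses the sequence out of a knockd.conf (a constructed sample in the stock layout, not a config from this page) and replays it with nc in order before calling ssh. TARGET and USERNAME are hypothetical and the knock only runs when TARGET is set.

```sh
#!/bin/sh
# Added example, not from the original notes. Pull the knock sequence out of
# a knockd.conf and replay it with nc, in order, before trying ssh.
# TARGET and USERNAME are hypothetical; set TARGET to actually knock.

# Constructed knockd.conf in the stock layout (not a config from the page).
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[options]
    UseSyslog

[openSSH]
    sequence    = 7569,8475,9842
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7569
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
EOF

# knock_sequence FILE SECTION
#   prints the ports of SECTION's "sequence = a,b,c" line, one per line, in
#   order; per-port protocol suffixes such as 7000:udp are kept as written.
knock_sequence() {
    awk -v want="[$2]" '
        $1 == want  { in_sec = 1; next }     # reached the wanted section
        $1 ~ /^\[/  { in_sec = 0 }           # any other header ends it
        in_sec && $0 ~ /^[[:space:]]*sequence[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # keep only the value
            n = split($0, p, /,/)
            for (i = 1; i <= n; i++) { gsub(/[[:space:]]/, "", p[i]); print p[i] }
        }' "$1"
}

# do_knock HOST PORT...
#   one connection attempt per port, in order. knockd only watches for the
#   packet, so the connection being refused is normal; -w 1 bounds each try
#   so the whole sequence lands inside seq_timeout.
do_knock() {
    host="$1"; shift
    for spec in "$@"; do
        port="${spec%%:*}"; proto="${spec#*:}"   # "7000:udp" -> 7000 / udp
        if [ "$proto" = "udp" ]; then
            echo knock | nc -u -w 1 "$host" "$port" 2>/dev/null || true
        else
            nc -z -w 1 "$host" "$port" 2>/dev/null || true
        fi
    done
}

# Usage: TARGET=10.10.10.10 USERNAME=user sh knock.sh   (both hypothetical)
# $(...) is left unquoted on purpose so each port becomes its own argument.
if [ -n "${TARGET:-}" ]; then
    do_knock "$TARGET" $(knock_sequence "$SAMPLE_CONF" openSSH)
    ssh "${USERNAME:-user}@$TARGET"
fi
```

If the knockd package is installed locally, "knock TARGET 7569 8475 9842" does the same as do_knock; the point of parsing the file is that the real sequence (and whether a port is udp) comes from the config, not from memory.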