Tag Archive: profiles

SSH KnownHosts

When you SSH into a server for whatever reason Linux systems store the machine name/IP address and the private key. It does this so if you get prompted for the public key again then either you are compromised and are part of a man in the middle attack, or the private key on the server has changed. This information is stored in your user profile under .ssh/known_hosts

For an pentester this information could be useful. If your password is compromised an attacker can look at this file and see what machines you have ssh’ed into, would they be able to get into using the same username and password? Possibly. SSH has a new feature where it will hash each entry. To do so put ‘HashKnownHosts yes’ in .ssh/config or in /etc/ssh/ssh_config (for all users). Then run ‘ssh-keygen -H’ to hash your current entries.

The ‘|’ are separators, everything between them represent a value. The first is the hash_magic, i’m not really sure what that is for. the 2nd is the salt which is encoded in base 64, the 3rd is the hashed IP/Hostname, and the last is the private key for the host. The Hostname/IP is encoded using SHA1 and the salt, then encoded in base 64.



Firefox Profiles

There has been a lot of talk about firesheep; a firefox addon that shows some of the security issues with cookies that have been known for years. I’m not going to go into firesheep (possibly on a later post) but on firefox cookies. This is very basic stuff and i had some extra time last night (and was bored a little) and decided to copy firefox profiles to another computer and i was able to get into websites that the other user had logged into (because of cookies). For firefox i just copied the following files: cookies.sqlite, signons.sqlite, and sessionstore.js which are located on Windows XP at

C:Documents and SettingsUsersNameApplication DataMozillaFirefoxProfiles***.default

These files are pretty much self explanatory but… cookies.sqlite stores the users cookies, sigons.sqlite store the users login ids and passwords (if they choose to save them) and sessionstore.js saves the users session (ie the user saves the tabs when closing firefox). Copy these files to your profile and … you have the idea.

Told you, pretty basic stuff. So how do you prevent this? Well first of all you have to have administrative access to view other users profiles. That prevents a lot of people from doing this, but gaining administrative access isnt hard, epically if the user has physical access to the machine.

So we are assuming that someone has administrative access to the machine, either yourself or an IT department. If you are using a public/work computer consider everything that your doing public knowledge. Here are some things to try, keep in mind that nothing is perfect; anyone with enough time will be able to get the information that they are after.

1) Encrypt your hard drive. This doesnt prevent administrators from doing it, but it slows down everyone else
2) Clear cookies when you close firefox. You can set this by clicking Tools -> Options -> Privacy – set Firefox will “Use Custom settings for History” and there is an option to clear cookies on firefox close
3) Dont save passwords in firefox (or that matter any browser)
4) Set a password for firefox passwords

I’m sure there are other ways to prevent this and i’m sure that you can do something similar to with other browsers.