When you SSH into a server for whatever reason Linux systems store the machine name/IP address and the private key. It does this so if you get prompted for the public key again then either you are compromised and are part of a man in the middle attack, or the private key on the server has changed. This information is stored in your user profile under .ssh/known_hosts

For an pentester this information could be useful. If your password is compromised an attacker can look at this file and see what machines you have ssh’ed into, would they be able to get into using the same username and password? Possibly. SSH has a new feature where it will hash each entry. To do so put ‘HashKnownHosts yes’ in .ssh/config or in /etc/ssh/ssh_config (for all users). Then run ‘ssh-keygen -H’ to hash your current entries.

The ‘|’ are separators, everything between them represent a value. The first is the hash_magic, i’m not really sure what that is for. the 2nd is the salt which is encoded in base 64, the 3rd is the hashed IP/Hostname, and the last is the private key for the host. The Hostname/IP is encoded using SHA1 and the salt, then encoded in base 64.

https://vitalvector.com/blog/2009/02/ssh-tip-hash-known-hosts.html
http://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/

Advertisements