What Files Might A Hacker Look For — In Order to Breach Trust

So, an adversary has gained access to your systems. Which files might they scan for, so that they can breach the trust of your systems…



A breach of an organization's trust infrastructure is one of the most expensive kinds of breach to fix. So, if an adversary has gained access to your systems, which files might they scan for in order to breach the trust your systems place in each other?

Well, there are often hidden files that you use to gain access to remote systems. One type of file is the OpenSSH private key. This magical little key makes logging in to remote systems easy and secure, and the same key can authenticate you to GitHub over SSH without a password.

The typical case is an OpenSSH key pair for RSA, ECDSA or Ed25519 signatures, where we create a private key and a public key. The public key is placed on the remote system (in the user's ~/.ssh/authorized_keys), and the private key stays on the client. When a user logs in, the client signs a value derived from the current session with the private key, producing an RSA, ECDSA or Ed25519 signature that cannot be replayed in another session. The remote system checks the signature against the stored public key and, if it verifies, allows the user to log in.

We generate Ed25519 with:

$ ssh-keygen -t ed25519 -C "[email protected]"

and for 4K RSA with:

$ ssh-keygen -t rsa -b 4096 -C "[email protected]"

ssh-keygen then writes the private key into the default folder (~/.ssh), with the matching public key beside it in a .pub file. Depending on the key type, the private key file is id_rsa, id_ecdsa, id_ecdsa_sk, id_ed25519 or id_ed25519_sk. An intruder may thus search for these files on a system in order to steal the logins they unlock. Two things decide how much such a find is worth to them: whether the key was protected with a passphrase (an unencrypted key is usable immediately, while a passphrase-protected one must first be cracked offline), and whether it is one of the _sk variants, where the file only holds a handle for a FIDO security key and is useless without the hardware token it belongs to.
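As an added example (my own code, not from the original article and not OpenSSH's own), here is a small Python audit of a ~/.ssh-style directory, written from the defender's side but doing exactly what an intruder's search would do: it looks for the default private key file names above, reads the cipher and KDF names that the openssh-key-v1 container stores in the clear ahead of any key material (so it can tell a passphrase-less key from a protected one without knowing the passphrase), handles the older PEM form via its Proc-Type header, checks the file mode, and flags the _sk files that only hold a FIDO handle. The helpers make_openssh_key_text, make_pem_key_text and demo are my own names; they build constructed fixtures containing no real key material and write them to a temporary directory so the script runs offline.

```python
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

# Default private-key file names that ssh(1) tries and ssh-keygen writes under ~/.ssh.
KEY_FILE_NAMES = ("id_rsa", "id_dsa", "id_ecdsa", "id_ecdsa_sk", "id_ed25519", "id_ed25519_sk")
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_ssh_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (value, next_offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(text: str):
    """Return (format, encrypted) for the contents of a private key file, or None if it is not one.

    The openssh-key-v1 container puts the cipher name and KDF name right after the magic,
    before any (possibly encrypted) key material, so passphrase protection is visible in clear.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        return None
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        b64 = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(b64)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_ssh_string(blob, off)  # b"none" or e.g. b"aes256-ctr"
        kdf, off = _read_ssh_string(blob, off)     # b"none" or b"bcrypt" when a passphrase is set
        return ("openssh-key-v1", cipher != b"none" and kdf != b"none")
    if header.startswith("-----BEGIN ") and header.endswith("PRIVATE KEY-----"):
        # Legacy PEM signals encryption with a "Proc-Type: 4,ENCRYPTED" header line;
        # PKCS#8 uses the "ENCRYPTED PRIVATE KEY" label itself.
        encrypted = (header == "-----BEGIN ENCRYPTED PRIVATE KEY-----"
                     or any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:4]))
        return ("pem", encrypted)
    return None


def scan_ssh_dir(ssh_dir) -> dict:
    """Audit one ~/.ssh-style directory; returns {file name: finding} for each private key found."""
    findings = {}
    for name in KEY_FILE_NAMES:
        path = Path(ssh_dir) / name
        if not path.is_file():
            continue
        kind = classify_private_key(path.read_text())
        if kind is None:
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        findings[name] = {
            "format": kind[0],
            "encrypted": kind[1],
            "loose_permissions": bool(mode & 0o077),  # readable/writable by group or others
            "needs_token": name.endswith("_sk"),      # FIDO key: file is only a handle
        }
    return findings


def make_openssh_key_text(cipher: bytes, kdf: bytes) -> str:
    """Constructed fixture: an openssh-key-v1 header (magic, cipher, kdf, kdf options, key count)
    with no key material at all, enough for classify_private_key to read the cipher and KDF."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


def make_pem_key_text(encrypted: bool) -> str:
    """Constructed fixture in the legacy PEM layout; the body is filler bytes, not a key."""
    body = base64.b64encode(b"\x00" * 48).decode()
    text = "-----BEGIN EC PRIVATE KEY-----\n"
    if encrypted:
        text += "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    return text + body + "\n-----END EC PRIVATE KEY-----\n"


def demo() -> dict:
    """Write three constructed fixtures to a temp dir and scan it: an unencrypted Ed25519 key
    that is group/world readable, a passphrase-protected RSA key, and an encrypted legacy PEM key."""
    d = Path(tempfile.mkdtemp())
    (d / "id_ed25519").write_text(make_openssh_key_text(b"none", b"none"))
    (d / "id_rsa").write_text(make_openssh_key_text(b"aes256-ctr", b"bcrypt"))
    (d / "id_ecdsa").write_text(make_pem_key_text(encrypted=True))
    os.chmod(d / "id_ed25519", 0o644)
    os.chmod(d / "id_rsa", 0o600)
    os.chmod(d / "id_ecdsa", 0o600)
    return scan_ssh_dir(d)


if __name__ == "__main__":
    for name, finding in demo().items():
        print(name, finding)
```

Run it against a real directory with scan_ssh_dir(Path.home() / ".ssh"): any key reported with encrypted False and loose_permissions True is the one an intruder wants most, since it works as soon as it is copied. Note that the check only reads the container header, so it never needs, and never sees, the passphrase.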

There are also other formats for these files, including PEM and DER formats (ssh-keygen -m PEM writes the older PEM form instead of the openssh-key-v1 container). For Ed25519, here are some examples:

https://asecuritysite.com/hazmat/openssh2

and for RSA:

https://asecuritysite.com/hazmat/openssh

Conclusions

Your private keys are your keys to the castle, so don't lose them: protect them with a passphrase, keep them readable only by their owner, and, where you can, keep them on a hardware token so that the file on disk is worthless on its own.