Key exchange negotiation failed #353
Comments
|
What encryption and version is the key? Also a key with no passphrase o_O is that correct?
|
|
No passphrase, how to i check the encryption?
…On Tue, Nov 3, 2020, 11:52 AM Carlos Perez ***@***.***> wrote:
What encryption and version is the key? Also a key with no passphrase o_O
is that correct?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#353 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ANRVKHI5BP5VHNM3VGESK4DSOAYNFANCNFSM4TI7ORCA>
.
|
|
I don’t think the library supports no passphrase keys. Never done that, even in lab environments
ssh-keygen -l -f ~/.ssh/id_rsa.pub
|
|
So I believe that it is RSA 2048
…On Tue, Nov 3, 2020 at 12:25 PM Carlos Perez ***@***.***> wrote:
I don’t think the library supports no passphrase keys. Never done that,
even in lab environments
ssh-keygen -l -f ~/.ssh/id_rsa.pub
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#353 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ANRVKHO4P2CCGDJQVLN5MWTSOA4IZANCNFSM4TI7ORCA>
.
|
|
The library does not support the new format RSA, it does the old one and the new elliptical keys. Wonder if it could be that. They have an issue open for it
sshnet/SSH.NET#614 (review) <sshnet/SSH.NET#614 (review)>
… On Nov 3, 2020, at 2:32 PM, benchisler ***@***.***> wrote:
So I believe that it is RSA 2048
On Tue, Nov 3, 2020 at 12:25 PM Carlos Perez ***@***.***>
wrote:
> I don’t think the library supports no passphrase keys. Never done that,
> even in lab environments
>
> ssh-keygen -l -f ~/.ssh/id_rsa.pub
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#353 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/ANRVKHO4P2CCGDJQVLN5MWTSOA4IZANCNFSM4TI7ORCA>
> .
>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#353 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAD7IHXV6D4M5PEZBHZVIRLSOBECHANCNFSM4TI7ORCA>.
|
|
Carlos,
Thanks for looking into this I will redo the key and see if that fixes the
problem. One question is why would the encryption only be an issue when
running as a scheduled task but not when running interactively through
PowerShell ise?
On Tue, Nov 3, 2020 at 6:25 PM Carlos Perez <notifications@github.com>
wrote:
… The library does not support the new format RSA, it does the old one and
the new elliptical keys. Wonder if it could be that. They have an issue
open for it
sshnet/SSH.NET#614 (review) <
sshnet/SSH.NET#614 (review)>
> On Nov 3, 2020, at 2:32 PM, benchisler ***@***.***> wrote:
>
>
> So I believe that it is RSA 2048
>
> On Tue, Nov 3, 2020 at 12:25 PM Carlos Perez ***@***.***>
> wrote:
>
> > I don’t think the library supports no passphrase keys. Never done that,
> > even in lab environments
> >
> > ssh-keygen -l -f ~/.ssh/id_rsa.pub
> >
> > —
> > You are receiving this because you authored the thread.
> > Reply to this email directly, view it on GitHub
> > <
#353 (comment)
>,
> > or unsubscribe
> > <
https://github.com/notifications/unsubscribe-auth/ANRVKHO4P2CCGDJQVLN5MWTSOA4IZANCNFSM4TI7ORCA
>
> > .
> >
> —
> You are receiving this because you commented.
> Reply to this email directly, view it on GitHub <
#353 (comment)>,
or unsubscribe <
https://github.com/notifications/unsubscribe-auth/AAD7IHXV6D4M5PEZBHZVIRLSOBECHANCNFSM4TI7ORCA
>.
>
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#353 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ANRVKHJYGIIEKB2G26YVK7LSOCGMXANCNFSM4TI7ORCA>
.
|
|
Are you running the scheduled task as the same user you are running the ISE
under? If not, do they have different keys?
Michael M. Minor
…On Wed, Nov 4, 2020 at 10:08 AM benchisler ***@***.***> wrote:
Carlos,
Thanks for looking into this I will redo the key and see if that fixes the
problem. One question is why would the encryption only be an issue when
running as a scheduled task but not when running interactively through
PowerShell ise?
On Tue, Nov 3, 2020 at 6:25 PM Carlos Perez ***@***.***>
wrote:
> The library does not support the new format RSA, it does the old one and
> the new elliptical keys. Wonder if it could be that. They have an issue
> open for it
>
> sshnet/SSH.NET#614 (review) <
> sshnet/SSH.NET#614 (review)>
>
>
> > On Nov 3, 2020, at 2:32 PM, benchisler ***@***.***>
wrote:
> >
> >
> > So I believe that it is RSA 2048
> >
> > On Tue, Nov 3, 2020 at 12:25 PM Carlos Perez ***@***.***
>
> > wrote:
> >
> > > I don’t think the library supports no passphrase keys. Never done
that,
> > > even in lab environments
> > >
> > > ssh-keygen -l -f ~/.ssh/id_rsa.pub
> > >
> > > —
> > > You are receiving this because you authored the thread.
> > > Reply to this email directly, view it on GitHub
> > > <
>
#353 (comment)
> >,
> > > or unsubscribe
> > > <
>
https://github.com/notifications/unsubscribe-auth/ANRVKHO4P2CCGDJQVLN5MWTSOA4IZANCNFSM4TI7ORCA
> >
> > > .
> > >
> > —
> > You are receiving this because you commented.
> > Reply to this email directly, view it on GitHub <
>
#353 (comment)
>,
> or unsubscribe <
>
https://github.com/notifications/unsubscribe-auth/AAD7IHXV6D4M5PEZBHZVIRLSOBECHANCNFSM4TI7ORCA
> >.
> >
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <
#353 (comment)
>,
> or unsubscribe
> <
https://github.com/notifications/unsubscribe-auth/ANRVKHJYGIIEKB2G26YVK7LSOCGMXANCNFSM4TI7ORCA
>
> .
>
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#353 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACTBQGZYZRJSEJ5VKNVSWSDSOFU55ANCNFSM4TI7ORCA>
.
|
|
As someone who’s day job is writing offensive tooling some of the capabilities of our implants are to enumerate schedules tasks, if we see that we will go after that key and use it for lateral movement. A way to protect it is to store the key protected with a password, then the credential file is protected with a certificate stored in the system certificate store and the taks ran as system, that way is an attacker gets in he would need to provilege escalate to system which is a lot more consuming and then get to the certificate store and pull out the cert to decrypt the credential file which is various levels more complex and would affect greatly an attacker tempo. I would avoid DPAPI since there is a ton of tools to abuse it and that is what exporting a pscredential object uses.
|
|
I want to thank you for your help. I have been able to resolve this
temporarily with the -force switch. So I think the issue may be host
key validation. Where does Posh-ssh look to validate keys so I can add the
fingerprint.? We appear to be running version 1.0. Would thins be fixed by
moving to 2.1 and using the New-SSHTrustedHost.md
<https://github.com/darkoperator/Posh-SSH/blob/master/docs/New-SSHTrustedHost.md>.
Again, thank you for all of your help
…On Thu, Nov 12, 2020 at 2:16 PM Carlos Perez ***@***.***> wrote:
As someone who’s day job is writing offensive tooling some of the
capabilities of our implants are to enumerate schedules tasks, if we see
that we will go after that key and use it for lateral movement. A way to
protect it is to store the key protected with a password, then the
credential file is protected with a certificate stored in the system
certificate store and the taks ran as system, that way is an attacker gets
in he would need to provilege escalate to system which is a lot more
consuming and then get to the certificate store and pull out the cert to
decrypt the credential file which is various levels more complex and would
affect greatly an attacker tempo. I would avoid DPAPI since there is a ton
of tools to abuse it and that is what exporting a pscredential object uses.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#353 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ANRVKHN47GKKHARTRPFKQ2DSPQYBJANCNFSM4TI7ORCA>
.
|
|
Yes there are functions to list, remove and add fingerprints
…Sent from my iPhone
On Jan 11, 2021, at 12:37 PM, benchisler ***@***.***> wrote:
I want to thank you for your help. I have been able to resolve this
temporarily with the -force switch. So I think the issue may be host
key validation. Where does Posh-ssh look to validate keys so I can add the
fingerprint.? We appear to be running version 1.0. Would thins be fixed by
moving to 2.1 and using the New-SSHTrustedHost.md
<https://github.com/darkoperator/Posh-SSH/blob/master/docs/New-SSHTrustedHost.md>.
Again, thank you for all of your help
On Thu, Nov 12, 2020 at 2:16 PM Carlos Perez ***@***.***>
wrote:
> As someone who’s day job is writing offensive tooling some of the
> capabilities of our implants are to enumerate schedules tasks, if we see
> that we will go after that key and use it for lateral movement. A way to
> protect it is to store the key protected with a password, then the
> credential file is protected with a certificate stored in the system
> certificate store and the taks ran as system, that way is an attacker gets
> in he would need to provilege escalate to system which is a lot more
> consuming and then get to the certificate store and pull out the cert to
> decrypt the credential file which is various levels more complex and would
> affect greatly an attacker tempo. I would avoid DPAPI since there is a ton
> of tools to abuse it and that is what exporting a pscredential object uses.
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#353 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/ANRVKHN47GKKHARTRPFKQ2DSPQYBJANCNFSM4TI7ORCA>
> .
>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When running this script in interactive mode in PowerShell ide it connects and transfers files. When using the same user as a scheduled task I get the "Key exchange negotiation failed"
Define Serve Name
$ComputerName = "where.my.server.is"
Define UserName
$UserName = "user.name"
#Define the Private Key file path
$KeyFile = "C;\helpdesk.txt"
$nopasswd = new-object System.Security.SecureString
#Set Credetials to connect to server
$Credential = New-Object System.Management.Automation.PSCredential ($UserName, $nopasswd)
Set local file path, SFTP path, and the backup location path which I assume is an SMB path
$FilePath = "$SharePath"
$SftpPath = '.'
Establish the SFTP session
$SFTPSession = New-SFTPSession -ComputerName $ComputerName -Credential $Credential -KeyFile $KeyFile -Port 22 -AcceptKey
Upload the file to the SFTP path
Set-SFTPFile -SessionId $SFTPSession.SessionID -LocalFile $FilePath -RemotePath $SftpPath -Overwrite
Disconnect SFTP session
$SFTPSession.Disconnect()
any suggestions?
The text was updated successfully, but these errors were encountered: