Identify SSH private keys stored without a passphrase; an attacker who obtains such a key can reuse it against any host that trusts it, enabling Lateral Movement (MITRE ATT&CK TA0008).
To learn more about queries, check this guide
-- Unencrypted SSH private keys, joined to the owning account.
-- user_ssh_keys.encrypted is 0 for a private key that has no passphrase.
SELECT uid, username, description, path, encrypted
FROM users
CROSS JOIN user_ssh_keys USING (uid)
WHERE encrypted = 0;
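# Windows counterpart of the osquery user_ssh_keys query above: walk every profile under
# C:\Users, inspect the private keys in its .ssh folder and report the ones that are not
# protected by a passphrase. Output columns mirror the osquery query
# (uid, username, description, path, encrypted); uid carries the account SID.
#
# Notes:
#  - Reading another user's profile needs administrator rights; folders and files that
#    cannot be read are skipped silently (-ErrorAction SilentlyContinue).
#  - Get-LocalUser (Windows PowerShell 5.1+ / PowerShell 7 on Windows) only resolves local
#    accounts; for domain profiles uid and description are left empty.
#  - Only files that parse as SSH private keys are reported (legacy PEM / PKCS#8, OpenSSH v1,
#    PuTTY .ppk). known_hosts, config, authorized_keys and other non-key files are ignored
#    instead of being reported as "unencrypted keys".
#  - OpenSSH v1 keys (the ssh-keygen default) never contain the word "ENCRYPTED"; the cipher
#    name lives inside the base64 body, so it is decoded rather than grepped.

function Get-SshPrivateKeyEncryptionState {
    <#
    .SYNOPSIS
    Classifies the text of a file found in a .ssh folder.
    .PARAMETER Content
    Whole file content as a single string (Get-Content -Raw).
    .OUTPUTS
    $null - not a recognised SSH private key
    1     - private key protected by a passphrase
    0     - private key stored in the clear
    #>
    param([string]$Content)

    if ([string]::IsNullOrWhiteSpace($Content)) { return $null }

    # PuTTY .ppk (v2/v3): the header line "Encryption: none" marks a key without a passphrase.
    if ($Content -match '^PuTTY-User-Key-File-\d+:') {
        if ($Content -match '(?m)^Encryption:\s*none\s*$') { return 0 }
        return 1
    }

    # Everything else must carry a PEM-style private key header.
    if ($Content -notmatch '-----BEGIN (?:(?:RSA|DSA|EC|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----') {
        return $null
    }

    # PKCS#8 encrypted keys announce it in the header ...
    if ($Content -match '-----BEGIN ENCRYPTED PRIVATE KEY-----') { return 1 }
    # ... legacy PEM (PKCS#1) keys in a Proc-Type header.
    if ($Content -match 'Proc-Type:\s*4,ENCRYPTED') { return 1 }

    # OpenSSH v1: base64 body = "openssh-key-v1\0" + uint32 (big-endian) length + ciphername + ...
    # A ciphername of "none" means no passphrase.
    if ($Content -match '-----BEGIN OPENSSH PRIVATE KEY-----') {
        $body = $Content -replace '-----(?:BEGIN|END) OPENSSH PRIVATE KEY-----|\s', ''
        try { $bytes = [Convert]::FromBase64String($body) } catch { return $null }

        $magicLen = 15  # "openssh-key-v1" (14 bytes) plus the terminating NUL
        if ($bytes.Length -lt $magicLen + 4) { return $null }
        $magic = [Text.Encoding]::ASCII.GetString($bytes, 0, $magicLen - 1)
        if ($magic -ne 'openssh-key-v1') { return $null }

        $len = ([int]$bytes[15] * 16777216) + ([int]$bytes[16] * 65536) + ([int]$bytes[17] * 256) + [int]$bytes[18]
        # Real cipher names are short; anything else means a malformed or truncated file.
        if ($len -le 0 -or $len -gt 64 -or ($magicLen + 4 + $len) -gt $bytes.Length) { return $null }
        $cipher = [Text.Encoding]::ASCII.GetString($bytes, $magicLen + 4, $len)
        if ($cipher -eq 'none') { return 0 }
        return 1
    }

    # Plain PEM / unencrypted PKCS#8 header with no encryption marker: stored in the clear.
    return 0
}

# Generic list avoids the O(n^2) cost of "$results +=" on every hit.
$results = [System.Collections.Generic.List[object]]::new()

$userDirs = Get-ChildItem -LiteralPath 'C:\Users' -Directory -ErrorAction SilentlyContinue
foreach ($userDir in $userDirs) {
    $username = $userDir.Name
    $sshFolder = Join-Path $userDir.FullName '.ssh'
    if (-not (Test-Path -LiteralPath $sshFolder -PathType Container)) { continue }

    # Local account metadata; left empty when the profile does not belong to a local user.
    $localUser = Get-LocalUser -Name $username -ErrorAction SilentlyContinue
    $uid = if ($localUser) { $localUser.SID.Value } else { '' }
    $description = if ($localUser) { $localUser.Description } else { '' }

    # .pub files are public halves and can never be the finding; skip them before reading.
    $candidates = Get-ChildItem -LiteralPath $sshFolder -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ne '.pub' }

    foreach ($file in $candidates) {
        # -Raw yields one string so the header/body checks see the whole file at once.
        $content = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
        $state = Get-SshPrivateKeyEncryptionState -Content $content

        # $null (not a key) is deliberately not reported; only 0 (cleartext key) is a finding.
        if ($state -eq 0) {
            $results.Add([pscustomobject]@{
                uid         = $uid
                username    = $username
                description = $description
                path        = $file.FullName
                encrypted   = $state
            })
        }
    }
}

$results | Format-Table -AutoSize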
The PowerShell query is a work in progress; contributions are welcome.