Andrew Case · Nov 2, 2015 · 7:45 PM UTC

Andrew Case @attrc

2 Nov 2015

How many #DFIR people are encountering hashed known_hosts files in the wild? Makes tracking lateral movement much more painful @hal_pomeranz

Hal Pomeranz · Nov 2, 2015 · 8:23 PM UTC

Hal Pomeranz · Nov 2, 2015 · 8:23 PM UTC

Hal Pomeranz @hal_pomeranz

2 Nov 2015

Replying to @attrc

@attrc Still uncommon in my cases. Btw, have you seen the "known hosts bruteforcer" script? See my github-- I contributed a bit of code.

Nov 2, 2015 · 8:23 PM UTC

Royce Williams (@tychotithonus@infosec.exchange) · Nov 3, 2015 · 2:16 AM UTC

Royce Williams (@tychotithonus@infosec.exchange) @TychoTithonus

3 Nov 2015

@hal_pomeranz @attrc John the Ripper has known_hosts support as well - convert first with included known_hosts2john.py [fixed typo]