SSH Agent Hijacking - Hacking technique for Linux and macOS explained


SSH Agent Hijacking is a powerful post-exploitation technique that an adversary might use to leverage SSH private keys stored in an SSH Agent. This video explains at a high level how SSH Agent forwarding works, and what commands an attacker might perform to gain control of another user's SSH Agent (using the SSH_AUTH_SOCK environment variable).

For Blue Teamers this video will be useful to identify detection opportunities and hunt for this specific TTP. Learn the hacks, stop the attacks.

And at a design level, always remember: Sharing machines with many users is bad design, and should generally be avoided!
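As a hunting aid for the detection angle mentioned above, here is an added example (not from the video or its author) that lists Linux processes whose SSH_AUTH_SOCK points at an agent socket owned by a different user. The function names, the sample PIDs and the sample socket paths are constructed for illustration, and it assumes the script runs with enough privilege to read `/proc/<pid>/environ`.

```python
"""Hunt for processes whose SSH_AUTH_SOCK points at another user's agent socket."""
import os

def parse_auth_sock(environ: bytes):
    """Return the SSH_AUTH_SOCK value from a NUL-separated environ blob, or None."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"SSH_AUTH_SOCK="):
            return entry.split(b"=", 1)[1].decode(errors="replace") or None
    return None

def find_mismatches(records):
    """records: iterable of (pid, proc_uid, sock_path, sock_uid).
    Keep entries where the process uid differs from the socket owner's uid."""
    return [r for r in records if r[3] is not None and r[1] != r[3]]

def scan_proc(proc_root="/proc"):
    """Collect (pid, proc_uid, sock_path, sock_uid) for live processes (Linux only)."""
    records = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            proc_uid = os.stat(base).st_uid  # normally the process's effective uid
            with open(os.path.join(base, "environ"), "rb") as fh:
                sock = parse_auth_sock(fh.read())
        except OSError:
            continue  # process exited, or we lack permission to read it
        if not sock:
            continue
        try:
            sock_uid = os.stat(sock).st_uid
        except OSError:
            sock_uid = None  # stale path, or socket lives in another mount namespace
        records.append((int(name), proc_uid, sock, sock_uid))
    return records

# Constructed sample: pid 4242 runs as uid 0 but uses a socket owned by uid 1000.
SAMPLE = [
    (4100, 1000, "/tmp/ssh-EXAMPLE/agent.1001", 1000),
    (4242, 0, "/tmp/ssh-EXAMPLE/agent.1001", 1000),
]

if __name__ == "__main__":
    for pid, puid, sock, suid in find_mismatches(scan_proc()):
        print(f"pid={pid} uid={puid} uses agent socket {sock} owned by uid={suid}")
```

A hit is a lead to triage, not proof: a `sudo` configuration that preserves SSH_AUTH_SOCK produces the same mismatch legitimately. `/proc/<pid>/environ` also only shows the environment a process was started with.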

The problem: How to protect SSH keys 0:05
Why SSH Agent and Agent Forwarding is so common 1:00
Hands-on Demonstration of SSH Agent Hijacking 3:52
Using gcore to dump process memory 5:50
