pull down to refresh

I asked stackers in #703346 to crack an encrypted SSH key. It's been 24 hours with no one claiming the bounty so I thought I'd reveal the solution.
The solution is to use John the Ripper, a "password security auditing and password recovery tool" or in other words: a password cracker. Let me show you how.
First, we store the encrypted SSH key in a file named id_rsa (the default name for SSH RSA keys):
$ cat > id_rsa -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CBC,353B80CD6D6AE8B97C9489F71E12DA0A NU5iL4TPOyNHc5CD/wEEEl2HVv8NLQ6Gk+Ez4Ay8rKpGTWXwogtyhNxaaJBmAC4v UnWwdErjHkD7XtrKqFUdQ5U/G0aMAXVk4gzSX49AW6Z2haUBP9Q0h4JilSvpnoJ8 kIAZr7vdgjdw+mAgphaJeWQkvvbExOhA2k/g514+WDMeWeuNeqknEfuN9uXXfc/e xLF5axl/VfVNW1cS3tXNPJ3s19DPobJw5xjNh0bN0CKBDu0H62fw0XxxQMJoi9wC p6HBKQPK/y2r/UrjeCBunS/MRdJxsb99NBNoEPdGuEwLWJgIXchtKSsp6SQ/gWG4 EuH/esk9LmfhHXZftPc4iMsh4HQ8ispbn4XDl/VhOP9DNdmT3EtrHfkPlo9QvAKq 3pADA1tzzYIjMDo4UdRIFCACP5eTptOJaApPNMMd6v+pQVbyGCQ6YQWomtBLekQg Cs1LWl45NbuKQm5w4ZP1cca2W0Riv+YKa8ITFkwE4esD8UeGxkhcTy/M82lLWxii vwZPLIpmbUhHxmJeniMdMEkfVWOFbsmt2vjdD56dJfrYBAkAbS1vaQdJQFdpgGZx Z7J6CZcQhzxjyEbX8Xu7WSu7pwdT2Jorrx3YtXvVnysq0+YMoNdzMbfZYrSbsrxF nGfeIOYM9XwjHnzEwCAzhgmg+eDYd6tALzN+uu/mDCa51RoI9UL6Xl2kn7w6+QQQ HCG1zmYn+AtONdI5tMPM7OaPNNdrNI0kg9jO+pgQpvsBfD9dxbRzKcpCzgld1arL MucniUiQ5+0d1mqNba3PmN/5VreSHwXGALuRoC3bF8+FfUkkWJacvp+cuJUnCIkM Vh9SrRE+XKFZI3ty0dZQS27z4K/W6A1I9ZaZyo7/S0Mzy+/TOH+/EAF7IrKANlzh c+LhpGY1L/tUOv8g7ljURqyYMnHOFyMhk1sioi1EDB8vjfFPcvHWzOW5ls8FOK+x 1NnC4s1KybvG4N2vg+QP07AFJjEEIziaZHrwHb37jJEACYqSYTw5zTkwZx7Ki5iq aa0MUZGoq0SCxVSnfbd1tWj3KwALsUzdI/pir4uK55+KT2ym7BffeAEHfVAdaT6n pqT1qab6ba/YcNx/n8k0nXYOtJH99zt+4wf1q1dn4P/ZZ8F4lYjoaC91SagkM2te sAQTPagFnYF7YY+TkvyZYP2z7FDxaFEr+p5tWWNev1RuWYrXWJGjF+rf6Fq6IaqB 1vaNTZhLEONkgM4KGYy7sHSLDruRH0yrsvb96EMNEJh8RTKQUYnjW8IWQgWTVibq 9OsplFe9EZF9PJajEc00TS5KdP2J5rHITIzYnk17NLZYPa9cI1NlSh6QizlcUJYW Mwe22NjF0K7CfKLUVv1CFfCtfW8LY/iIAQ860AaruU8Mk/wwqssd2j8MOsG5E1uO KB03k66umHEoV0KormAC47O9yxDgvGY22zEniFmO9Qc2KfGGAw0O/dxO7tQMuDvU /d2t1+UekJ5FRZ9pj07zGZNYqNesZilvxBUXTZKXfbl/D4Xg8YXhJPd+RHe1j7o3 0T3co1gPnUZsPtOuh+ZyMoUyOqSWy4HUKyYbErlHCFi/5I/zuhRMnfoGex5jxJvt -----END RSA PRIVATE KEY----- ^D
^D means CTRL+D which will enter a end-of-file (EOF) character to close the stream.
Then, we run ssh2john. It usually comes bundled with the JtR executable john. It extracts the password hash from SSH keys into the format that JtR needs:
$ ssh2john id_rsa > hash $ cat hash id_rsa:$sshng$5$16$353B80CD6D6AE8B97C9489F71E12DA0A$1200$354e622f84cf3b2347739083ff0104125d8756ff0d2d0e8693e133e00cbcacaa464d65f0a20b7284dc5a689066002e2f5275b0744ae31e40fb5edacaa8551d43953f1b468c017564e20cd25f8f405ba67685a5013fd434878262952be99e827c908019afbbdd823770fa6020a61689796424bef6c4c4e840da4fe0e75e3e58331e59eb8d7aa92711fb8df6e5d77dcfdec4b1796b197f55f54d5b5712ded5cd3c9decd7d0cfa1b270e718cd8746cdd022810eed07eb67f0d17c7140c2688bdc02a7a1c12903caff2dabfd4ae378206e9d2fcc45d271b1bf7d34136810f746b84c0b5898085dc86d292b29e9243f8161b812e1ff7ac93d2e67e11d765fb4f73888cb21e0743c8aca5b9f85c397f56138ff4335d993dc4b6b1df90f968f50bc02aade9003035b73cd8223303a3851d4481420023f9793a6d389680a4f34c31deaffa94156f218243a6105a89ad04b7a44200acd4b5a5e3935bb8a426e70e193f571c6b65b4462bfe60a6bc213164c04e1eb03f14786c6485c4f2fccf3694b5b18a2bf064f2c8a666d4847c6625e9e231d30491f5563856ec9addaf8dd0f9e9d25fad80409006d2d6f69074940576980667167b27a099710873c63c846d7f17bbb592bbba70753d89a2baf1dd8b57bd59f2b2ad3e60ca0d77331b7d962b49bb2bc459c67de20e60cf57c231e7cc4c020338609a0f9e0d877ab402f337ebaefe60c26b9d51a08f542fa5e5da49fbc3af904101c21b5ce6627f80b4e35d239b4c3ccece68f34d76b348d2483d8cefa9810a6fb017c3f5dc5b47329ca42ce095dd5aacb32e727894890e7ed1dd66a8d6dadcf98dff956b7921f05c600bb91a02ddb17cf857d492458969cbe9f9cb8952708890c561f52ad113e5ca159237b72d1d6504b6ef3e0afd6e80d48f59699ca8eff4b4333cbefd3387fbf10017b22b280365ce173e2e1a466352ffb543aff20ee58d446ac983271ce172321935b22a22d440c1f2f8df14f72f1d6cce5b996cf0538afb1d4d9c2e2cd4ac9bbc6e0ddaf83e40fd3b00526310423389a647af01dbdfb8c9100098a92613c39cd3930671eca8b98aa69ad0c5191a8ab4482c554a77db775b568f72b000bb14cdd23fa62af8b8ae79f8a4f6ca6ec17df7801077d501d693ea7a6a4f5a9a6fa6dafd870dc7f9fc9349d760eb491fdf73b7ee307f5ab5767e0ffd967c1789588e8682f7549a824336b5eb004133da8059d817b618f9392fc9960fdb3ec50f168512bfa9e6d59635ebf546e598ad75891a317eadfe85aba21aa81d6f68d4d984b10e36480ce0a198cbbb0748b0ebb911f4cabb2f6fde8430d10987c4532905189e35bc2164205935626eaf4eb299457bd11917d3c96a311cd344d2e4a74fd89e6b1c84c8cd89e4d7b34b6583daf5c2353654a1e908b395c5096163307b6d8d8c5d0aec27ca2d456fd4215f0ad7d6f0b63f888010f3ad006abb94f0c93fc30aacb1dda3f0c3ac1b9135b8e281d3793aeae9871285742a8ae6002e3b3bdcb10e0bc6636db312788598ef5073629f186030d0efddc4eeed40cb83bd4fdddadd7e51e909e45459f698f4ef3199358a8d7ac66296fc415174d92977db97f0f85e0f185e124f77e4477b58fba37d13ddca3580f9d466c3ed3ae87e6723285323aa496cb81d42b261b12b9470858bfe48ff3ba144c9dfa067b1e63c49bed
It's usually a good idea to run a dictionary attack, and we will need a word list for this. A very common word list is rockyou.txt. It's a file that contains over 14 million passwords. It came out of a data breach in 2009. RockYou, a social media company that developed widgets for MySpace got hacked and stored the passwords of their users in plaintext. We can download this file from various sources but we will use the one in the Kali Linux repository:
$ $ wget https://gitlab.com/kalilinux/packages/wordlists/-/raw/kali/master/rockyou.txt.gz --2024-09-29 02:17:52-- https://gitlab.com/kalilinux/packages/wordlists/-/raw/kali/master/rockyou.txt.gz Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt' Resolving gitlab.com (gitlab.com)... 172.65.251.78, 2606:4700:90:0:f22e:fbec:5bed:a9b9 Connecting to gitlab.com (gitlab.com)|172.65.251.78|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 53357341 (51M) [application/octet-stream] Saving to: ‘rockyou.txt.gz’ rockyou.txt.gz 100%[=================url=====================================================================================>] 50.88M 304MB/s in 0.2s 2024-09-29 02:17:53 (304 MB/s) - ‘rockyou.txt.gz’ saved [53357341/53357341] $ gzip -d rockyou.txt.gz
Now, we can run john:
$ john --wordlist=rockyou.txt hash Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 2 for all loaded hashes Will run 8 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status ****** (id_rsa) Warning: Only 2 candidates left, minimum 8 needed for performance. 1g 0:00:00:03 DONE (2024-09-28 21:27) 0.3300g/s 4733Kp/s 4733Kc/s 4733KC/sa6_123..*7¡Vamos! Session completed
A common mistake is to not use the = in --wordlist=rockyou.txt. It's required!
The output of john tells us that ****** is the password. Success!
Now go ahead and try to crack your own encrypted SSH keys using JtR and rockyou.txt. if you're successful, you should definitely use a stronger password.
Even if your exact password is not included in rockyou.txt, JtR might still find your password since it can mangle the passwords according to rules (see docs about JtR's cracking modes).
1347 sats \ 1 reply \ @nichro 29 Sep
Aww I was just starting to procrastinate by spinning up a Kali VM to take a crack at it and now I see it. Oh well, good timing! Good learning too. Next challenge maybe :P
Follow-up question: how long did it take you to brute-force this one (assuming you used GPU too)?
Edit: I don't normally use Kali but WSL was being a prick about building John The Ripper and i know Kali has John installed and ready to go so I figured... I despise dealing with end-of-line formatting shenanigans between Windows and Linux/WSL
reply
50 sats \ 0 replies \ @ek OP 29 Sep
Oh sorry, I guess I wasn’t patient enough haha. I zapped you the bounty here as the winner of hearts.
Next challenge maybe :P
I’m thinking about something using metasploit or other popular pentesting software. 🤔
how long did it take you to brute-force this one
Just a few seconds even without a GPU since I ran it on a cheap server.
reply
@ek are you a pentester or ethical hacker ?
reply
Isn’t that the same?
I’m a poser
reply
Jajaja ... I'm a wannabe
Started studying cybersecurity but so far I have been so disappointed on what I been taught. Wasted a bunch of money that would otherwise be better spent on a certification.
If you could give an advice, what cert might you recommend?
reply
10 sats \ 1 reply \ @ek OP 30 Sep
I would love to recommend you a cert but I really have no idea, I never did one (but I might at some point).
Most of my knowledge is from labs in university. I switched university after my Bachelor's degree because I was also disappointed in what they had to offer. They didn't even offer general computer science courses about compilers for example.
This might have been one of my best choices in life because the new university had so much more interesting courses available (which is why I picked it). They even had cybersecurity labs! I took the following three:
  1. Application security (reverse engineering, buffer overflows, ROP, use-after-free etc.)
  2. Cryptanalysis (linear cryptanalysis, side-channel attacks etc.)
  3. Penetration testing (gobuster, LinPEAS, metasploit, SQLi, JtR etc.)
I also played some CTFs with the university team which was fun but I wasn't really good since the challenges get really difficult really fast and I wasn't consistent in my practice. I already struggled with the challenges that were supposed to be easy during live CTFs but it also depends a lot on the CTF.
I can recommend playing CTFs though if you haven't already. Examples:
Is your university/college known for computer science and ideally even cybersecurity? If not, it might be wise to look for another one if you can. Not sure where you're from, but here in Europe it's mostly just a matter of applying successfully and being willing to move there since studying is mostly free here. I wish I made more use of that but I didn't really appreciate studying during my time, especially at the end. I dropped out before I finished my Master's degree (I was nowhere near finishing after 2 years) because I was offered to join SN.
reply
Thank you for your answer, it does provide some important points as to where to get hands on skills.
Sadly I'm studying in Canada as an international student, picked a college because of the "practical" labs, which nothing has been further from the truth. I have spent over 30k in this fucking scam of a college for things that are half ass explained and where I shit you not, a teacher literally give as YouTube videos instead of explaining.
I could have gotten a SANS certification for 9k instead of blowing my savings. Ohhh well.
reply
Thanks a lot for this practical guide. I have been using John the Ripper since 2016 and I haven’t scratched the surface. Your methodology is very interesting. I am glad that you posted this. Again, thank you.
reply
This looks good to try and learn.
reply
If you want to create a strong password... don't you just roll some dice and pick them from a wordlist?
The EFF long wordlist is 7776 words so.... roll 6 words with dice from toy store store and that's around 77 bits.
"A nation state actor like the NSA may be able to perform quadrillions/second. Conservatively assuming a professional adversary can guess passwords at the rate of a 1,000,000,000,000 keys/second (Edward Snowden suggests being prepared for a Trillion guesses per second), an exhaustive brute-force search on 50% of the total keyspace might take:
~110,536,959,860 seconds
~1,842,282,664 minutes
~30,704,711 hours
~1,279,363 days
~3,505 years"
That's a long time
reply