Crack SSH Private Key with John the Ripper - Pentestmag


by Anastasis Vasileiadis


The passphrase on an SSH private key should not be just a decoration. Unfortunately, some people assume they will never lose their SSH private key and neglect to protect it with a strong passphrase.

In the guide 10 simple steps for a secure SSH we looked at SSH (Secure Shell), the protocol used for secure (encrypted) connections to remote computers and servers. It is used not only to execute commands in the server's terminal but also to transfer files to and from the server (e.g. with FileZilla) or even to stream audio over ssh.

From the above you can see its “power” and how important it is to keep SSH secure. Unfortunately, some do not grasp the seriousness of the issue and suffer from the “it will never happen to me” syndrome, and their servers become pawns of botnets such as FritzFrog, a sophisticated peer-to-peer (P2P) botnet that attacks and compromises SSH servers.

As for the key's passphrase and what counts as a strong one, you don't need special training: three or four simple words joined by punctuation marks is a good and secure model for both passwords and passphrases.

Password Strength
source: https://xkcd.com/936/

Just make sure you remember the passphrase. In the following scenario we'll see what happens if you didn't deal with this in the first 10 minutes on a new server with basic security settings, or if you managed to lose an SSH private key that you had protected with a weak passphrase.

Install SSH2John on your computer

ssh2john is a script that converts an encrypted SSH private key into a hash that John the Ripper can attack. It ships with the Jumbo build of John the Ripper (on Kali Linux look for /usr/share/john/ssh2john.py); if your installation does not have it, download the script from GitHub as shown below. If you don't have John the Ripper installed at all, its GitHub page explains how to install it.

We open a terminal and download it:

~# wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py
--2020-09-01 12:26:03--  https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py
HTTP request sent, waiting for response... 200 OK
Length: 7825 (7.6K) [text/plain]
Saving to: 'ssh2john.py'
ssh2john.py 100%[=======================>] 7.64K --.-KB/s in 0s

Now let's crack the SSH private Key.

Crack the private key

All we need to do is run the ssh2john script against the encrypted private key and redirect its output to a new hash file:

python ssh2john.py id_rsa > id_rsa.hash
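What ssh2john pulls out of the key, as an added example that is neither ssh2john's code nor part of the original article: a small Python inspector for both private-key containers (the legacy PEM one and the openssh-key-v1 one that ssh-keygen writes by default since OpenSSH 7.8), run here on constructed sample keys whose key material, salt and IV are dummy values. It also answers the check you want before spending time on a wordlist: a key whose cipher is `none` (or a legacy PEM with no `Proc-Type: 4,ENCRYPTED` header) has no passphrase to crack at all. Function and constant names are this example's own.

```python
import base64
import re
import struct

# Added example (not ssh2john): extract the fields ssh2john needs to build a
# crackable hash and report whether the key is passphrase-protected at all.

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]*PRIVATE KEY)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)
V1_MAGIC = b"openssh-key-v1\0"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes) at `off`."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(pem_text):
    """Describe the container, cipher and KDF parameters of a private key file."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM-encoded private key found")
    label, body = m.group("label"), m.group("body")

    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(V1_MAGIC):
            raise ValueError("OPENSSH PRIVATE KEY block without openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(V1_MAGIC))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        info = {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": cipher != b"none"}
        if kdf == b"bcrypt":
            # kdfoptions = string(salt) + uint32(rounds). Both end up in the hash;
            # every candidate costs `rounds` of bcrypt_pbkdf, so this container is
            # far slower to crack than the legacy one below.
            salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
            info["salt_hex"] = salt.hex()
            info["rounds"] = rounds
        return info

    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): encryption is announced by RFC 1421
    # headers, and the key is derived from the passphrase with OpenSSL's MD5-based
    # EVP_BytesToKey (a single iteration), so each wordlist candidate is nearly free.
    headers = {}
    for line in body.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
    info = {"format": "legacy-pem", "type": label,
            "encrypted": headers.get("Proc-Type") == "4,ENCRYPTED"}
    if info["encrypted"]:
        cipher, iv_hex = headers["DEK-Info"].split(",", 1)
        info.update({"cipher": cipher, "iv_hex": iv_hex, "kdf": "EVP_BytesToKey(MD5)"})
    return info


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def build_v1_sample(cipher="aes256-ctr", kdf="bcrypt", salt=b"\x11" * 16, rounds=16):
    """Constructed openssh-key-v1 container with dummy key material (testing only)."""
    kdfopts = (_ssh_string(salt) + struct.pack(">I", rounds)) if kdf == "bcrypt" else b""
    blob = (V1_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(kdfopts) + struct.pack(">I", 1)          # nkeys = 1
            + _ssh_string(b"\0" * 32) + _ssh_string(b"\0" * 64))   # dummy pubkey, dummy private part
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM key: headers as OpenSSL writes them; the body is filler, not a key.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,1F2E3D4C5B6A79880011223344556677

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, text in [("v1-encrypted", build_v1_sample()),
                       ("v1-plain", build_v1_sample(cipher="none", kdf="none")),
                       ("legacy", LEGACY_SAMPLE)]:
        print(name, inspect_private_key(text))
```

Run it as a script to see the three reports, or call `inspect_private_key(open("id_rsa").read())` on a real key: if `encrypted` is False, ssh2john has nothing to do and the key is usable as-is by whoever holds the file.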

Next, we'll use John the Ripper to crack the passphrase. But first, we need a suitable wordlist. For the purposes of this guide we will use a small one of 100 entries, to keep the demonstration simple. Download it:

~# wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top100.txt

Now run John on Kali Linux as usual, feeding it the wordlist and hash file:

john --wordlist=darkweb2017-top100.txt id_rsa.hash


Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
1q2w3e4r5t (id_rsa)
Session completed

We can see that it found our passphrase, but to be sure, let's use the --show option to display it:

john --show id_rsa.hash
id_rsa:1q2w3e4r5t
1 password hash cracked, 0 left

As you can see, even 1q2w3e4r5t, which to the untrained eye may look hard to crack, is, unfortunately for whoever uses it, just a matter of vocabulary. Since John warns that this format can emit false positives, the definitive check is to unlock the key with the recovered passphrase yourself, for example with ssh-keygen -y -f id_rsa, which prints the matching public key only when the passphrase is correct.

SSH access to the victim

With the passphrase recovered, all that remains is to use the key against the target on which it is authorized. With the -i option of the ssh command we specify the private key to use for authentication:

ssh -i id_rsa luser@target
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
luser@target's password:

OpenSSH refuses to load a private key file that is readable or writable by group or others (when the file belongs to the current user) and falls back to password authentication, which is what the prompt above shows. So all we have to do is restrict the permissions to the owner; 400 as below, or 600, the mode ssh-keygen itself uses, both work:

chmod 400 id_rsa

Now we can connect. We enter the passphrase we cracked, and the login banner shows that we are in:

~# ssh -i id_rsa luser@target
Enter passphrase for key 'id_rsa':
Last login: Tue Sep 1 15:20:16 2020 from 10.10.10.1
luser@target:~$
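The permission check that produced the "bad permissions" refusal above, as an added example that is not OpenSSH's code and not part of the original article: OpenSSH (sshkey_perm_ok in authfile.c) ignores a private key when the file belongs to the calling user and any group or other permission bit is set; a key file owned by somebody else is not checked, so the message above depends on who ran ssh. The function names and the throw-away file are this example's own.

```python
import os
import stat
import tempfile

# Added example (not OpenSSH code): reproduce the private-key permission check
# behind "Load key ... bad permissions" and apply the fix the article uses.


def ssh_would_reject(path):
    """True if ssh would ignore this key file for the current user.

    OpenSSH's rule: file owned by the caller AND (mode & 077) != 0.
    """
    st = os.stat(path)
    owned_by_me = st.st_uid == os.getuid()
    group_or_other_bits = stat.S_IMODE(st.st_mode) & 0o077
    return owned_by_me and group_or_other_bits != 0


def restrict_key(path, mode=0o600):
    """Apply the fix (`chmod 400 id_rsa` or 600) and return the resulting mode."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Create a throw-away key-like file with 0644, observe the rejection, fix it."""
    fd, path = tempfile.mkstemp(prefix="id_rsa_")   # constructed stand-in for a stolen id_rsa
    os.close(fd)
    try:
        os.chmod(path, 0o644)                 # what a careless copy or unzip leaves behind
        before = ssh_would_reject(path)       # True: group/other bits 0o044 are set
        new_mode = restrict_key(path, 0o400)  # the article's chmod 400
        after = ssh_would_reject(path)        # False: only owner bits remain
        return {"rejected_before": before, "mode_after": new_mode, "rejected_after": after}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Call `ssh_would_reject("id_rsa")` before running ssh to know in advance whether the key will be loaded or silently skipped for a password prompt.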

Epilogue

In this short guide we have seen how the passphrase of an SSH private key can be cracked.

In most cases such attacks are run massively and automatically, and SSH keys get cracked like lettuce leaves if we do not pay attention to the overall security of our systems and labour under the illusion that having a Linux server makes us safe. As you may have read in Enough with the FUD about Linux security holes, security is not a finished product but an ongoing process.

February 20, 2023

3 Comments
fnaf12
1 year ago

In the video game The Backrooms, your character will find themselves disoriented in an unfamiliar location filled with peculiar rooms and corridors. Because it has been so long since anyone has been there, everything is now extremely outdated and worn out. You'll need to use your wits to find the quickest way out of this building if you want to win the Backrooms game that's played online.

Robert
1 year ago

Ukraine is currently at war and thousands of innocent people are dying, who simply lived in their own country and did their usual things. Russia has declared war on Ukraine and is killing civilians. To read true information or help Ukraine go to the site Comeback Alive.
This fund provides assistance to the Ukrainian military and brings Ukraine’s victory over Russia closer.

funny shooter 2
1 year ago

It is not necessary to have a high level of education; a model consisting of three or four simple words connected by punctuation marks is considered to be both secure and effective.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023