I asked stackers in #703346 to crack an encrypted SSH key. It's been 24 hours with no one claiming the bounty so I thought I'd reveal the solution.
The solution is to use John the Ripper, a "password security auditing and password recovery tool" or in other words: a password cracker. Let me show you how.
First, we store the encrypted SSH key in a file named id_rsa (the default name for SSH RSA keys):
$ cat > id_rsa -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CBC,353B80CD6D6AE8B97C9489F71E12DA0A NU5iL4TPOyNHc5CD/wEEEl2HVv8NLQ6Gk+Ez4Ay8rKpGTWXwogtyhNxaaJBmAC4v UnWwdErjHkD7XtrKqFUdQ5U/G0aMAXVk4gzSX49AW6Z2haUBP9Q0h4JilSvpnoJ8 kIAZr7vdgjdw+mAgphaJeWQkvvbExOhA2k/g514+WDMeWeuNeqknEfuN9uXXfc/e xLF5axl/VfVNW1cS3tXNPJ3s19DPobJw5xjNh0bN0CKBDu0H62fw0XxxQMJoi9wC p6HBKQPK/y2r/UrjeCBunS/MRdJxsb99NBNoEPdGuEwLWJgIXchtKSsp6SQ/gWG4 EuH/esk9LmfhHXZftPc4iMsh4HQ8ispbn4XDl/VhOP9DNdmT3EtrHfkPlo9QvAKq 3pADA1tzzYIjMDo4UdRIFCACP5eTptOJaApPNMMd6v+pQVbyGCQ6YQWomtBLekQg Cs1LWl45NbuKQm5w4ZP1cca2W0Riv+YKa8ITFkwE4esD8UeGxkhcTy/M82lLWxii vwZPLIpmbUhHxmJeniMdMEkfVWOFbsmt2vjdD56dJfrYBAkAbS1vaQdJQFdpgGZx Z7J6CZcQhzxjyEbX8Xu7WSu7pwdT2Jorrx3YtXvVnysq0+YMoNdzMbfZYrSbsrxF nGfeIOYM9XwjHnzEwCAzhgmg+eDYd6tALzN+uu/mDCa51RoI9UL6Xl2kn7w6+QQQ HCG1zmYn+AtONdI5tMPM7OaPNNdrNI0kg9jO+pgQpvsBfD9dxbRzKcpCzgld1arL MucniUiQ5+0d1mqNba3PmN/5VreSHwXGALuRoC3bF8+FfUkkWJacvp+cuJUnCIkM Vh9SrRE+XKFZI3ty0dZQS27z4K/W6A1I9ZaZyo7/S0Mzy+/TOH+/EAF7IrKANlzh c+LhpGY1L/tUOv8g7ljURqyYMnHOFyMhk1sioi1EDB8vjfFPcvHWzOW5ls8FOK+x 1NnC4s1KybvG4N2vg+QP07AFJjEEIziaZHrwHb37jJEACYqSYTw5zTkwZx7Ki5iq aa0MUZGoq0SCxVSnfbd1tWj3KwALsUzdI/pir4uK55+KT2ym7BffeAEHfVAdaT6n pqT1qab6ba/YcNx/n8k0nXYOtJH99zt+4wf1q1dn4P/ZZ8F4lYjoaC91SagkM2te sAQTPagFnYF7YY+TkvyZYP2z7FDxaFEr+p5tWWNev1RuWYrXWJGjF+rf6Fq6IaqB 1vaNTZhLEONkgM4KGYy7sHSLDruRH0yrsvb96EMNEJh8RTKQUYnjW8IWQgWTVibq 9OsplFe9EZF9PJajEc00TS5KdP2J5rHITIzYnk17NLZYPa9cI1NlSh6QizlcUJYW Mwe22NjF0K7CfKLUVv1CFfCtfW8LY/iIAQ860AaruU8Mk/wwqssd2j8MOsG5E1uO KB03k66umHEoV0KormAC47O9yxDgvGY22zEniFmO9Qc2KfGGAw0O/dxO7tQMuDvU /d2t1+UekJ5FRZ9pj07zGZNYqNesZilvxBUXTZKXfbl/D4Xg8YXhJPd+RHe1j7o3 0T3co1gPnUZsPtOuh+ZyMoUyOqSWy4HUKyYbErlHCFi/5I/zuhRMnfoGex5jxJvt -----END RSA PRIVATE KEY----- ^D
^D
means CTRL+D which will enter a end-of-file (EOF) character to close the stream.Then, we run
ssh2john
. It usually comes bundled with the JtR executable john
. It extracts the password hash from SSH keys into the format that JtR needs:$ ssh2john id_rsa > hash $ cat hash id_rsa:$sshng$5$16$353B80CD6D6AE8B97C9489F71E12DA0A$1200$354e622f84cf3b2347739083ff0104125d8756ff0d2d0e8693e133e00cbcacaa464d65f0a20b7284dc5a689066002e2f5275b0744ae31e40fb5edacaa8551d43953f1b468c017564e20cd25f8f405ba67685a5013fd434878262952be99e827c908019afbbdd823770fa6020a61689796424bef6c4c4e840da4fe0e75e3e58331e59eb8d7aa92711fb8df6e5d77dcfdec4b1796b197f55f54d5b5712ded5cd3c9decd7d0cfa1b270e718cd8746cdd022810eed07eb67f0d17c7140c2688bdc02a7a1c12903caff2dabfd4ae378206e9d2fcc45d271b1bf7d34136810f746b84c0b5898085dc86d292b29e9243f8161b812e1ff7ac93d2e67e11d765fb4f73888cb21e0743c8aca5b9f85c397f56138ff4335d993dc4b6b1df90f968f50bc02aade9003035b73cd8223303a3851d4481420023f9793a6d389680a4f34c31deaffa94156f218243a6105a89ad04b7a44200acd4b5a5e3935bb8a426e70e193f571c6b65b4462bfe60a6bc213164c04e1eb03f14786c6485c4f2fccf3694b5b18a2bf064f2c8a666d4847c6625e9e231d30491f5563856ec9addaf8dd0f9e9d25fad80409006d2d6f69074940576980667167b27a099710873c63c846d7f17bbb592bbba70753d89a2baf1dd8b57bd59f2b2ad3e60ca0d77331b7d962b49bb2bc459c67de20e60cf57c231e7cc4c020338609a0f9e0d877ab402f337ebaefe60c26b9d51a08f542fa5e5da49fbc3af904101c21b5ce6627f80b4e35d239b4c3ccece68f34d76b348d2483d8cefa9810a6fb017c3f5dc5b47329ca42ce095dd5aacb32e727894890e7ed1dd66a8d6dadcf98dff956b7921f05c600bb91a02ddb17cf857d492458969cbe9f9cb8952708890c561f52ad113e5ca159237b72d1d6504b6ef3e0afd6e80d48f59699ca8eff4b4333cbefd3387fbf10017b22b280365ce173e2e1a466352ffb543aff20ee58d446ac983271ce172321935b22a22d440c1f2f8df14f72f1d6cce5b996cf0538afb1d4d9c2e2cd4ac9bbc6e0ddaf83e40fd3b00526310423389a647af01dbdfb8c9100098a92613c39cd3930671eca8b98aa69ad0c5191a8ab4482c554a77db775b568f72b000bb14cdd23fa62af8b8ae79f8a4f6ca6ec17df7801077d501d693ea7a6a4f5a9a6fa6dafd870dc7f9fc9349d760eb491fdf73b7ee307f5ab5767e0ffd967c1789588e8682f7549a824336b5eb004133da8059d817b618f9392fc9960fdb3ec50f168512bfa9e6d59635ebf546e598ad75891a317eadfe85aba21aa81d6f68d4d984b10e36480ce0a198cbbb0748b0ebb911f4cabb2f6fde8430d10987c4532905189e35bc2164205935626eaf4eb299457bd11917d3c96a311cd344d2e4a74fd89e6b1c84c8cd89e4d7b34b6583daf5c2353654a1e908b395c5096163307b6d8d8c5d0aec27ca2d456fd4215f0ad7d6f0b63f888010f3ad006abb94f0c93fc30aacb1dda3f0c3ac1b9135b8e281d3793aeae9871285742a8ae6002e3b3bdcb10e0bc6636db312788598ef5073629f186030d0efddc4eeed40cb83bd4fdddadd7e51e909e45459f698f4ef3199358a8d7ac66296fc415174d92977db97f0f85e0f185e124f77e4477b58fba37d13ddca3580f9d466c3ed3ae87e6723285323aa496cb81d42b261b12b9470858bfe48ff3ba144c9dfa067b1e63c49bed
It's usually a good idea to run a dictionary attack, and we will need a word list for this. A very common word list is rockyou.txt. It's a file that contains over 14 million passwords. It came out of a data breach in 2009. RockYou, a social media company that developed widgets for MySpace got hacked and stored the passwords of their users in plaintext. We can download this file from various sources but we will use the one in the Kali Linux repository:
$ $ wget https://gitlab.com/kalilinux/packages/wordlists/-/raw/kali/master/rockyou.txt.gz --2024-09-29 02:17:52-- https://gitlab.com/kalilinux/packages/wordlists/-/raw/kali/master/rockyou.txt.gz Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt' Resolving gitlab.com (gitlab.com)... 172.65.251.78, 2606:4700:90:0:f22e:fbec:5bed:a9b9 Connecting to gitlab.com (gitlab.com)|172.65.251.78|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 53357341 (51M) [application/octet-stream] Saving to: ‘rockyou.txt.gz’ rockyou.txt.gz 100%[=================url=====================================================================================>] 50.88M 304MB/s in 0.2s 2024-09-29 02:17:53 (304 MB/s) - ‘rockyou.txt.gz’ saved [53357341/53357341] $ gzip -d rockyou.txt.gz
Now, we can run
john
:$ john --wordlist=rockyou.txt hash Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 2 for all loaded hashes Will run 8 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status ****** (id_rsa) Warning: Only 2 candidates left, minimum 8 needed for performance. 1g 0:00:00:03 DONE (2024-09-28 21:27) 0.3300g/s 4733Kp/s 4733Kc/s 4733KC/sa6_123..*7¡Vamos! Session completed
A common mistake is to not use the
=
in --wordlist=rockyou.txt
. It's required!The output of
john
tells us that ******
is the password. Success!Now go ahead and try to crack your own encrypted SSH keys using JtR and rockyou.txt. if you're successful, you should definitely use a stronger password.
Even if your exact password is not included in rockyou.txt, JtR might still find your password since it can mangle the passwords according to rules (see docs about JtR's cracking modes).