Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 2 Jul 2014 07:43:07 -0800
From: Royce Williams <royce@...ho.org>
To: john-users@...ts.openwall.com
Subject: Re: ssh known_hosts support?

On Wed, Jul 2, 2014 at 7:02 AM, Royce Williams <royce@...ho.org> wrote:
> On Wed, Jul 2, 2014 at 1:05 AM, Dhiru Kholia <dhiru.kholia@...il.com> wrote:
>> On Mon, 23 Jun 2014, Royce Williams wrote:
>>
>>> The 'HashKnownHosts' ssh config option enables hashing of IPs and
>>> hostnames in the ~/.known_hosts file. ...
>>>
>>> What would be the best path to using john for this purpose?
>>
>> Hi,
>>
>> The latest "bleeding-jumbo" version (from the following repository) now
>> supports cracking such hashes.
>>
>> https://github.com/magnumripper/JohnTheRipper
>>
>> $ cat hashes
>> $known_hosts$|1|pgjIzNM77FYsBHLfKvvG9aWpKAA=|XbHqTCXG1JAV6fb2h2HT8MT7kGU=
>> $known_hosts$|1|vAQX51f9EfXY33/j3upxFIlI1ds=|q+CzSLaa1EaSsAQzP/XRM/gaFQ4=
>>
>> $ ../run/john hashes --mask="192.30.252.?d?d?d"
>> Loaded 2 password hashes with 2 different salts (known_hosts, ...)
>> ....
>> 192.30.252.128   (?)
>> 192.30.252.130   (?)
>>
>> $ ../run/john --format=known_hosts --test  # i7-4750HQ CPU
>> Benchmarking: known_hosts, HashKnownHosts HMAC-SHA1 [SHA1 32/64]... DONE
>> Raw:    1836K c/s real, 1836K c/s virtual
>>
>> Later on, we might be able to use an existing format (or the dynamic
>> format) for cracking such hashes.
>
> Dhiru -
>
> Most excellent - works like a charm!
>
> A couple of notes for future researchers doing similar work.
>
> For IP address wordlists, it may be convenient to use nmap's 'list'
> option to generate IP addresses from multiple or large CIDR blocks, as
> in:
>
> nmap -sL -Pn -n 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 >ips.list

Too glib -- I forgot to note that this output alone is not clean
enough to generate a valid wordlist of IPs. The initial nmap output is
actually of the form:

[...]
Nmap scan report for 192.168.186.204
Nmap scan report for 192.168.186.205
Nmap scan report for 192.168.186.206
[...]

(It says 'scan report' even though no actual scanning is happening.)
So a bit more pre-processing is in order:

nmap -sL -Pn -n 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 | grep '^Nmap
scan report for' | cut -d\  -f5 >ips.list

I've drifted off-topic a bit, so we now return you to your regularly
scheduled john-users discussion. :-)

Though I'd be interested in discussion of native JtR ways to
efficiently generate IP addresses (and bare and fully-qualified
hostnames, for that matter).

Royce

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.