How to Crack SSH Private Key With John the Ripper - 2023
Finding a user's private key is already a serious finding, but you can take it further: recover the passphrase protecting the key and log in with it. This is something you may need to do in a CTF or when attacking a deliberately vulnerable machine. Let's see how to crack an SSH private key passphrase using John the Ripper and one of its helper scripts, ssh2john.
SSH key-based authentication
The usual way to connect to a machine via SSH is password-based authentication. This has the advantage of being easier to set up, but it weakens security because it is vulnerable to brute force and password guessing. Key-based authentication, on the other hand, uses public-key cryptography to secure the connection. A key pair consisting of a public key and a private key is generated. The private key must be kept secret and is used to connect to machines that hold the corresponding public key.
The public key is used to encrypt communications that can only be decrypted with the associated private key. This makes it nearly impossible for hackers to compromise SSH sessions without access to the private key.
A widely used password-cracking tool
For those new to the world of ethical hacking, John the Ripper is one tool worth checking out. It is a widely used password-cracking tool. Although it was originally written for Unix-based operating systems, today it runs on fifteen different platforms. It was released in 1996 and gradually became a standard tool that is still relevant today. It is a tool you will definitely use in your career as an ethical hacker or bug bounty hunter, and if you enjoy solving CTFs and hacking vulnerable applications, you will reach for John often. John the Ripper recognizes many types of password hashes, such as Kerberos, LM, and MD4-based hashes from LDAP or MySQL services. John also ships with many helper modules that prepare different targets for dictionary or brute-force attacks. The one discussed in this post is called ssh2john.
How to crack a private SSH key with John the Ripper
It all starts with obtaining the user's private SSH key. If you have a copy of the private key from the compromised machine on your own machine, half the job is done. Well, almost. If the passphrase on the private key is complex enough, brute-forcing it may take a long time. But if you are doing this to solve a CTF, passphrases are usually not complicated.
Before John can brute-force the passphrase, we need to convert the contents of the private key file into the "john" format, and that is where ssh2john comes in. This module ships with a default installation of John. It produces a hash that John works on in the following steps.
For this tutorial, suppose we generated a new private key with a simple passphrase:
ssh-keygen
Note that ssh-keygen on Kali Linux produces keys in the OpenSSH private key format, so this example does not exactly match a key generated on Kali.
Private keys from other distributions present no problem. The word "monkey" was used as the passphrase. The next step is to run the ssh2john script and write its output to a file.
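Why the key format matters here, as an added example (not part of the original post and not code from John the Ripper): this script inspects a private key file and reports whether it is passphrase-protected and which key derivation protects it. A legacy PEM key (a "BEGIN RSA PRIVATE KEY" file with a DEK-Info header) derives its cipher key from a single MD5 pass over the passphrase, which is why a dictionary attack like the one above finishes so quickly; the OpenSSH format uses bcrypt with a configurable round count. The names `audit_private_key`, `verdict` and the `constructed_openssh_key` fixture are this example's own.

```python
import base64
import struct
MAGIC = b"openssh-key-v1\x00"  # header of the OpenSSH private key format

def _sshstr(data):
    """Encode bytes as an SSH wire string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data

def _read_sshstr(buf, off):
    """Decode one SSH wire string at offset off; return (value, offset after it)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def audit_private_key(text):
    """Report whether a private key file is passphrase-protected and with which KDF."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_sshstr(blob, len(MAGIC))   # "none" means no passphrase
        kdf, off = _read_sshstr(blob, off)             # "bcrypt" when encrypted
        kdfopts, off = _read_sshstr(blob, off)         # string salt, then uint32 rounds
        if cipher == b"none":
            return {"format": "openssh", "encrypted": False, "kdf": None, "rounds": 0}
        (rounds,) = struct.unpack(">I", kdfopts[-4:])  # rounds is the trailing uint32
        return {"format": "openssh", "encrypted": True, "kdf": kdf.decode(), "rounds": rounds}
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        # Legacy PEM: encryption is signalled by "Proc-Type: 4,ENCRYPTED" plus a DEK-Info
        # header, and the cipher key comes from a single MD5 pass over the passphrase.
        enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        return {"format": "pem", "encrypted": enc, "kdf": "md5" if enc else None, "rounds": int(enc)}
    raise ValueError("unrecognised private key header")

def verdict(report):
    """Reduce the audit to a one-line finding for a key hygiene check."""
    if not report["encrypted"]:
        return "FAIL: private key stored without a passphrase"
    if report["format"] == "pem":
        return "WEAK: legacy PEM key (one MD5 round); re-save it in OpenSSH format with ssh-keygen -p -a <rounds>"
    if report["rounds"] < 16:
        return "WEAK: bcrypt rounds below ssh-keygen's default of 16"
    return "OK: %s KDF with %d rounds" % (report["kdf"], report["rounds"])

def constructed_openssh_key(cipher, kdf, rounds):
    """Build a header-only openssh-key-v1 file (constructed test fixture, not a usable key)."""
    kdfopts = b"" if kdf == b"none" else _sshstr(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = MAGIC + _sshstr(cipher) + _sshstr(kdf) + _sshstr(kdfopts) + struct.pack(">I", 1)
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(blob).decode()
```

Run `verdict(audit_private_key(open("id_rsa").read()))` over a key store to spot keys that would fall to exactly the dictionary attack shown in this post.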
A new file should be created. Its contents are not human-readable, but don't worry, this file is meant for John. Now we can use John to crack the private SSH key passphrase.
Because the passphrase is one of the first words in the rockyou.txt file, John finds it almost immediately. BINGO! With John's help, we have the passphrase for the private SSH key.
NOTE: On a fresh install of Kali Linux, the rockyou dictionary ships as a compressed archive, and you may need to extract it before you can use it.
ssh2john: command not found
Spending time fixing a tool instead of doing the actual penetration test can be disastrous. But sometimes it happens: tools don't work as expected. Some John the Ripper modules can be run by simply typing their name in the terminal. If you try that with ssh2john from the current directory, however, you get the "ssh2john: command not found" error.
The script should start. Now all you have to do is feed it the private key file. The entire procedure is described in the previous section of this article.
NOTE: This module is written in old Python 2, so it will not run as a Python 3 script. If you plan to crack SSH private keys with ssh2john regularly, you may want to create an alias.
For reference, here are all the commands used in this tutorial, step by step:
- Generate the key pair (note that ssh-keygen on Kali Linux uses the OpenSSH key format):
ssh-keygen
- Run John against the hash produced by ssh2john, using the rockyou.txt dictionary:
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
- On Kali Linux, ssh2john can be found at:
/usr/share/john/ssh2john.py
- On the TryHackMe attacker box it is at:
/opt/john/ssh2john.py
- Change into that directory and run the script on the private key file (replace id_rsa with the file ssh-keygen wrote), saving the hash to hash.txt:
python ssh2john.py id_rsa > hash.txt
- If you plan to crack SSH private keys with ssh2john regularly, open your aliases file:
sudo nano ~/.bash_aliases
- add the following alias to the file:
alias ssh2john="python /usr/share/john/ssh2john.py"
- Now reload the file:
source ~/.bash_aliases