Date: Wed, 2 Jul 2014 07:43:07 -0800 From: Royce Williams <royce@...ho.org> To: john-users@...ts.openwall.com Subject: Re: ssh known_hosts support? On Wed, Jul 2, 2014 at 7:02 AM, Royce Williams <royce@...ho.org> wrote: > On Wed, Jul 2, 2014 at 1:05 AM, Dhiru Kholia <dhiru.kholia@...il.com> wrote: >> On Mon, 23 Jun 2014, Royce Williams wrote: >> >>> The 'HashKnownHosts' ssh config option enables hashing of IPs and >>> hostnames in the ~/.known_hosts file. ... >>> >>> What would be the best path to using john for this purpose? >> >> Hi, >> >> The latest "bleeding-jumbo" version (from the following repository) now >> supports cracking such hashes. >> >> https://github.com/magnumripper/JohnTheRipper >> >> $ cat hashes >> $known_hosts$|1|pgjIzNM77FYsBHLfKvvG9aWpKAA=|XbHqTCXG1JAV6fb2h2HT8MT7kGU= >> $known_hosts$|1|vAQX51f9EfXY33/j3upxFIlI1ds=|q+CzSLaa1EaSsAQzP/XRM/gaFQ4= >> >> $ ../run/john hashes --mask="192.30.252.?d?d?d" >> Loaded 2 password hashes with 2 different salts (known_hosts, ...) >> .... >> 22.214.171.124 (?) >> 126.96.36.199 (?) >> >> $ ../run/john --format=known_hosts --test # i7-4750HQ CPU >> Benchmarking: known_hosts, HashKnownHosts HMAC-SHA1 [SHA1 32/64]... DONE >> Raw: 1836K c/s real, 1836K c/s virtual >> >> Later on, we might be able to use an existing format (or the dynamic >> format) for cracking such hashes. > > Dhiru - > > Most excellent - works like a charm! > > A couple of notes for future researchers doing similar work. > > For IP address wordlists, it may be convenient to use nmap's 'list' > option to generate IP addresses from multiple or large CIDR blocks, as > in: > > nmap -sL -Pn -n 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 >ips.list Too glib -- I forgot to note that this output alone is not clean enough to generate a valid wordlist of IPs. The initial nmap output is actually of the form: [...] Nmap scan report for 192.168.186.204 Nmap scan report for 192.168.186.205 Nmap scan report for 192.168.186.206 [...] (It says 'scan report' even though no actual scanning is happening.) So a bit more pre-processing is in order: nmap -sL -Pn -n 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 | grep '^Nmap scan report for' | cut -d\ -f5 >ips.list I've drifted off-topic a bit, so we now return you to your regularly scheduled john-users discussion. :-) Though I'd be interested in discussion of native JtR ways to efficiently generate IP addresses (and bare and fully-qualified hostnames, for that matter). Royce
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.