Date: Wed, 2 Jul 2014 07:43:07 -0800
From: Royce Williams <>
Subject: Re: ssh known_hosts support?

On Wed, Jul 2, 2014 at 7:02 AM, Royce Williams <> wrote:
> On Wed, Jul 2, 2014 at 1:05 AM, Dhiru Kholia <> wrote:
>> On Mon, 23 Jun 2014, Royce Williams wrote:
>>> The 'HashKnownHosts' ssh config option enables hashing of IPs and
>>> hostnames in the ~/.known_hosts file. ...
>>> What would be the best path to using john for this purpose?
>> Hi,
>> The latest "bleeding-jumbo" version (from the following repository) now
>> supports cracking such hashes.
>> $ cat hashes
>> $known_hosts$|1|pgjIzNM77FYsBHLfKvvG9aWpKAA=|XbHqTCXG1JAV6fb2h2HT8MT7kGU=
>> $known_hosts$|1|vAQX51f9EfXY33/j3upxFIlI1ds=|q+CzSLaa1EaSsAQzP/XRM/gaFQ4=
>> $ ../run/john hashes --mask="192.30.252.?d?d?d"
>> Loaded 2 password hashes with 2 different salts (known_hosts, ...)
>> ....
>>   (?)
>>   (?)
>> $ ../run/john --format=known_hosts --test  # i7-4750HQ CPU
>> Benchmarking: known_hosts, HashKnownHosts HMAC-SHA1 [SHA1 32/64]... DONE
>> Raw:    1836K c/s real, 1836K c/s virtual
>> Later on, we might be able to use an existing format (or the dynamic
>> format) for cracking such hashes.
> Dhiru -
> Most excellent - works like a charm!
> A couple of notes for future researchers doing similar work.
> For IP address wordlists, it may be convenient to use nmap's 'list'
> option to generate IP addresses from multiple or large CIDR blocks, as
> in:
> nmap -sL -Pn -n >ips.list

Too glib -- I forgot to note that this output alone is not clean
enough to generate a valid wordlist of IPs. The initial nmap output is
actually of the form:

Nmap scan report for
Nmap scan report for
Nmap scan report for

(It says 'scan report' even though no actual scanning is happening.)
So a bit more pre-processing is in order:

nmap -sL -Pn -n | grep '^Nmap scan report for' | cut -d\  -f5 >ips.list

I've drifted off-topic a bit, so we now return you to your regularly
scheduled john-users discussion. :-)

Though I'd be interested in discussion of native JtR ways to
efficiently generate IP addresses (and bare and fully-qualified
hostnames, for that matter).
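As an added illustration (not part of the thread, and not John the Ripper's code), the following Python shows the mechanism the known_hosts format above is cracking and a native alternative to the nmap wordlist step: OpenSSH's HashKnownHosts entry `|1|<salt>|<mac>` is HMAC-SHA1 over the host token, keyed with the base64-decoded 20-byte salt, so recovering the host is a matter of re-running the HMAC over each candidate address. The salt and the target address (192.30.252.131, inside the mask used in the thread) are constructed for the example; the `$known_hosts$` prefix handled by the parser is the one visible in Dhiru's sample hashes.

```python
import base64
import hashlib
import hmac
import ipaddress

JTR_PREFIX = "$known_hosts$"


def hash_known_host(host: str, salt: bytes) -> str:
    """Build the '|1|<b64 salt>|<b64 hmac>' token that ssh writes with HashKnownHosts.

    The string hashed is the host token as ssh stores it, e.g. '192.30.252.131',
    'github.com', or '[host]:2222' for a non-default port.
    """
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def parse_hashed_host(token: str):
    """Return (salt, mac) from a hashed host token, with or without JtR's prefix."""
    if token.startswith(JTR_PREFIX):
        token = token[len(JTR_PREFIX):]
    parts = token.split("|")
    # Expect '' (before the leading '|'), '1' (hash type), salt, mac.
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not a HashKnownHosts token: %r" % token)
    return base64.b64decode(parts[2]), base64.b64decode(parts[3])


def host_token_from_line(line: str) -> str:
    """The hashed host is the first whitespace-separated field of a known_hosts line."""
    return line.split()[0]


def candidates_from_cidrs(cidrs):
    """Yield every address in each CIDR block, network and broadcast included,
    which is the same set 'nmap -sL' would list."""
    for cidr in cidrs:
        for ip in ipaddress.ip_network(cidr, strict=False):
            yield str(ip)


def crack(token: str, candidates):
    """Return the first candidate whose HMAC-SHA1 matches the token, or None."""
    salt, mac = parse_hashed_host(token)
    for cand in candidates:
        guess = hmac.new(salt, cand.encode(), hashlib.sha1).digest()
        if hmac.compare_digest(guess, mac):
            return cand
    return None


# Constructed sample: a deterministic 20-byte salt and a made-up target address.
SAMPLE_SALT = hashlib.sha1(b"constructed salt for the example").digest()
SAMPLE_HOST = "192.30.252.131"
SAMPLE_LINE = hash_known_host(SAMPLE_HOST, SAMPLE_SALT) + " ssh-rsa AAAAB3NzaC1yc2E...constructed"


def demo() -> str:
    token = host_token_from_line(SAMPLE_LINE)
    # Same search space as the thread's --mask="192.30.252.?d?d?d", minus the
    # out-of-range digit combinations.
    return crack(JTR_PREFIX + token, candidates_from_cidrs(["192.30.252.0/24"]))


if __name__ == "__main__":
    print(demo())  # -> 192.30.252.131
```

The per-candidate cost is one HMAC-SHA1, which is why the benchmark above runs in the millions of candidates per second; with a 20-byte salt per entry there is no cross-entry precomputation, so every hashed line has to be attacked separately, as the "2 different salts" in John's output shows.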

