Dec 31, 2020
How To crack an RSA Key for SSH ?
If you’re a Security Practitioner,CTF Player or Pentester there’s a high probability that you’re familiar with RSA Key. It looks likes this :
-----BEGIN RSA PRIVATE KEY-----Proc-Type: 4,ENCRYPTEDDEK-Info: AES-128-CBC,25737CC2C70BFABADB1B4598BD8AB9E9uTo43HGophPo5awKC8hfnnz4KseENpgHDLxe5UX+amx8YrWvZCvsYRh4/jhdxijYx...-----END RSA PRIVATE KEY-----
If you don’t know about RSA so RSA stands for “Rivest, Shamir, Adleman” and RSA Key is “ A private key based on RSA algorithm. Private Key is used for authentication and a symmetric key exchange during the establishment of an SSL/TLS session.”
Now let’s talk about SSH which is stands for “Secure Shell” which is a ‘Cryptographic Network Protocol’.
Basic Terminology
Before jump directly inside the method of cracking an RSA Key for SSH, we have to first understand some basic terminology:
a) wget: is a free utility for non-interactive download of files from the web. It supports HTTP, HTTPS, and FTP protocols, as well as retrieval through HTTP proxies.
b) John the Ripper: John the Ripper is a free password cracking software tool. Originally developed for the Unix operating system. This tool will help us to crack the hash file.
c) wordlist: The wordlist is nothing but a list of some user passwords which contain only words. In our case, we will use the ‘rockyou.txt’ wordlist for cracking the hash file.
d) chmod: chmod is the command and system call that is used to change the access permissions of file system objects.
Methodology
Now we have a basic understanding of some of the basic terms so we can start our steps for cracking an RSA key:
Step 1: Save an RSA key as id_rsa (or any name you want)
In this step, we will save our RSA key in the id_rsa file using nano (You can also use vim).
Step 2: Download ssh2john.py using wget
To brute-force using john (John The Ripper), we have to convert our file into a suitable format. For this, we can use ssh2john.py.
Then with the help of python2, we will run the ssh2john.py script on the id_rsa file and save its result into id_rsa.hash which is a suitable format for john.
Step 3: Cracking password using John The Ripper:
In this step, with the help of john and rockyou.txt wordlist, we will try to crack the password of our RSA key.
Step 4: Check the cracked Password:
After completion of Step 3, we will find a cracked hash format text file. You can read this file using the command:
john --show id_rsa.hash
Step 5: Change file permissions and connect to SSH:
In our last step, we will change the permissions of the id_rsa file to 400 which gives the user read permission and removes all other permission.
Then we will connect to ssh using the command:
ssh -i id_rsa "username"@"ip_address"
After completing all the steps we will securely connect with an ssh shell.
So, these are some basic steps for Cracking an RSA Key for SSH.
We will meet in our next article.
