xme / known_hosts_bruteforcer

Perl script to bruteforce SSH known_hosts files.
http://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/

Update searchHash() to handle single-line file #7

Open jawaad-ahmad opened 3 years ago

jawaad-ahmad commented 3 years ago

Povl Ole Haarlev Olsen commented on the original blog on 25 Apr 2015 (https://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/) stating:

... a known_hosts file with only one line where I knew the correct hostname beforehand. Unfortunately your program couldn’t find anything...

In searchHash() you return 0, if the $host doesn’t match any of the lines and the line number(*) if it does. Unfortunately the first line is line number 0 and the code therefore won’t show any matches for the first (and maybe only) entry in known_hosts, no matter how long you’ll let it run.

Quick fix: Change searchHash() to return $i+1; on success and remove the “+ 1”-part from the various printf(“ Found host: %s (line %d) \n”, $tmpHostShort, $line + 1); lines.

(*) It’s not really the line number, since you only increment $idx if ($hostHash =~ m/|1|/). Maybe store the real line numbers too and use those for the output? ($. might be useful.)

Here is the original searchHash() from https://blog.rootshell.be/wp-content/uploads/2010/11/known_hosts_bruteforcer.pl.txt that is referenced in the comment:

# Excerpt from the original script: @saltStr and @base64Str are global
# arrays filled by the caller with the salt and hash fields of each
# "|1|salt|hash" entry in known_hosts.
use Digest::HMAC_SHA1;
use MIME::Base64 qw(decode_base64);

#
# Generate SHA1 hashes of a hostname/IP and compare it to the available hashes
# Returns the line index of the initial known_hosts file
#
sub searchHash() {
    $host = shift;
    ($host) || return 0;

    # Process the list containing our hashes
    # For each one, generate a new hash and compare it
    for ($i = 0; $i < scalar(@saltStr); $i++) {
        $decoded = decode_base64($saltStr[$i]);
        $hmac = Digest::HMAC_SHA1->new($decoded);
        $hmac->add($host);
        $digest = $hmac->b64digest;
        $digest .= "="; # Quick fix ;-)
        if ($digest eq $base64Str[$i]) {
            return $i;   # index 0 is indistinguishable from the failure value below
        }
    }
    return 0;
}
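The following is an added, self-contained example (not code from the issue or from the known_hosts_bruteforcer project) showing one way to address both points raised above: the match function returns the real 1-based file line number, and uses `undef` rather than 0 to signal "no match", so an entry on the first line can never be mistaken for a miss. The known_hosts line it checks is constructed inside the script from a fixed salt and hostname so that it runs offline; the hostname, salt, key placeholder and the function names `load_hashed_entries` / `search_hash` are assumptions of this example, not values from the page.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::HMAC_SHA1 qw(hmac_sha1);
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed sample data (not a real host): a single hashed known_hosts
# line in OpenSSH's "|1|<base64 salt>|<base64 HMAC-SHA1(salt, host)>" form.
my $sample_host = 'example.internal';
my $sample_salt = '0123456789abcdef0123';        # 20 bytes, like OpenSSH's salt
my $sample_line = sprintf(
    '|1|%s|%s ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-KEY',
    encode_base64($sample_salt, ''),
    encode_base64(hmac_sha1($sample_host, $sample_salt), ''),
);

# Parse the hashed entries of a known_hosts file, keeping each entry's
# real line number instead of a counter that only advances on hashed lines.
sub load_hashed_entries {
    my @lines = @_;
    my @entries;
    for my $n (1 .. scalar @lines) {
        my ($salt_b64, $hash_b64) = $lines[$n - 1] =~ /^\|1\|([^|]+)\|(\S+)/
            or next;                               # plain-text or comment line
        push @entries, {
            line => $n,                            # 1-based file line number
            salt => decode_base64($salt_b64),
            hash => decode_base64($hash_b64),      # compare raw bytes, no "=" fix-up
        };
    }
    return @entries;
}

# Returns the 1-based line number of the entry that matches $host,
# or undef when nothing matches. Line 1 is therefore a valid result.
sub search_hash {
    my ($host, @entries) = @_;
    return undef unless defined $host && length $host;
    for my $e (@entries) {
        my $hmac = Digest::HMAC_SHA1->new($e->{salt});
        $hmac->add($host);
        return $e->{line} if $hmac->digest eq $e->{hash};
    }
    return undef;
}

my @entries = load_hashed_entries($sample_line);
for my $candidate ('example.internal', 'other.host') {
    my $line = search_hash($candidate, @entries);
    printf "%-20s %s\n", $candidate,
        defined $line ? "found (line $line)" : "no match";
}
```

Because the match is reported as `defined $line` rather than `$line != 0`, the one-line known_hosts case from the blog comment is found on line 1, and callers print the returned number directly without adding 1.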