xylogs / tp


Brute-forcing an SSH private key passphrase with John #2

Closed xylogs closed 1 year ago

xylogs commented 1 year ago

1. Links

John website: https://www.openwall.com/john/
John official project repository (JtR): https://github.com/openwall/john
John update link (ssh2john.py): https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/ssh2john.py

Because the version shipped with Kali and the version offered on the official site may both be out of date, John needs to be compiled and installed from the GitHub source. Although this is the most basic tool usage in penetration testing, the John version bundled with the system causes plenty of pitfalls, so it is worth paying attention to.

2. Dependencies: libssl-dev is required

┌──(root㉿kali)-[~]
└─# apt search libssl-dev 
Sorting... Done
Full Text Search... Done
libssl-dev/kali-rolling,now 3.0.10-1 amd64 [installed]
  Secure Sockets Layer toolkit - development files
┌──(root㉿kali)-[~]
└─# apt install libssl-dev      

3. Clone the source with git; outside mainland China, drop the https://ghproxy.com/ accelerator prefix from the URL

┌──(root㉿kali)-[~]
└─# git clone https://ghproxy.com/https://github.com/openwall/john.git

4. Configure the John build

┌──(root㉿kali)-[~]
└─# cd john/src 
┌──(root㉿kali)-[~/john/src]
└─# ./configure 


5. Build the program:

┌──(root㉿kali)-[~/john/src]
└─# make -s clean && make -sj4
/usr/bin/ar: creating aes.a
/usr/bin/ar: creating poly1305-donna.a
/usr/bin/ar: creating ed25519-donna.a
/usr/bin/ar: creating secp256k1.a
******
Make process completed.

6. Convert the id_rsa private key file into a file John can use; outside mainland China, drop the https://ghproxy.com/ accelerator prefix from the URL

┌──(root㉿kali)-[~]
└─# wget https://ghproxy.com/https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/ssh2john.py
┌──(root㉿kali)-[~]
└─# python3 ssh2john.py /root/.ssh/id_rsa > /root/.ssh/id_john 

7. Start the wordlist attack on the passphrase

┌──(root㉿kali)-[~]
└─# ./john/run/john /root/.ssh/id_john --wordlist=/usr/share/wordlists/rockyou.txt.gz --format=SSH
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 24 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status

Then press any key to see the progress.

8. View the results; if the crack succeeded, the result will be shown here

┌──(root㉿kali)-[~]
└─# ./john/run/john /root/.ssh/id_john --show
0 password hashes cracked, 1 left
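The "Cost 1" and "Cost 2" lines john prints when it loads the hash come straight from the key file's own header: which cipher and KDF protect the key, and how many bcrypt rounds are used. As an added example that is not part of this issue or of John's tooling, the following Python reads those fields from an OpenSSH (openssh-key-v1) or legacy PEM private key so a defender can audit which keys are stored unencrypted, protected only by the MD5-based legacy scheme, or with few bcrypt rounds. The sample keys, the `build_sample` helper and the 16-round threshold (ssh-keygen's default) are constructed assumptions.

```python
import base64, struct

MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):  # one SSH 'string': uint32 big-endian length + bytes
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def audit_private_key(pem: str) -> dict:
    """Report how a private key file is protected: cipher, KDF and bcrypt rounds
    (the values john prints as Cost 1 / Cost 2 when it loads the hash)."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 container")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = 0
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds, "encrypted": cipher != b"none"}
    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): DEK-Info means OpenSSL's MD5-based EVP_BytesToKey
    hdrs = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    if "DEK-Info" in hdrs:
        return {"format": "legacy-pem", "cipher": hdrs["DEK-Info"].split(",")[0],
                "kdf": "md5-evp-bytestokey", "rounds": 1, "encrypted": True}
    return {"format": "legacy-pem", "cipher": "none", "kdf": "none", "rounds": 0, "encrypted": False}

def is_weak(report: dict, min_rounds: int = 16) -> bool:
    # Cheap to attack offline: cleartext, MD5-derived, or few bcrypt rounds (16 = ssh-keygen default)
    return not report["encrypted"] or report["kdf"] != "bcrypt" or report["rounds"] < min_rounds

def _ssh_string(b: bytes) -> bytes: return struct.pack(">I", len(b)) + b

def build_sample(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=24) -> str:
    # Constructed test data: structurally valid openssh-key-v1 container with dummy payloads (not a usable key)
    kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(b"dummy-pub") + _ssh_string(b"dummy-priv"))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed legacy-format sample: only the headers matter here, the body is a placeholder
LEGACY_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nZm9v\n-----END RSA PRIVATE KEY-----")
```

Run `audit_private_key` over each file in `~/.ssh` and flag anything `is_weak` reports; a key with "bcrypt" and 24 rounds corresponds to the Cost 1 = 2 / Cost 2 = 24 line in the john output above.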