Tool for Cracking Passphrases on Encrypted SSH Keys

Phrasen|drescher is a tool for those pentests when you’re having trouble owning those last few *nix boxes.  It was released in 2007 but I hadn’t had cause to try it out until recently.

If you’ve already gained access to a few *nix boxes, but can’t get into the rest you’ll naturally start trying to enumerate the trusts between the hosts.  Trusts could be configured for the Berkley R-Services (i.e. .rhosts, hosts.equiv) or they could be SSH host-based trusts, shared passwords or trusts based on the unencrypted SSH keys left in user’s home directories.

If you’re really unlucky the users may have actually encrypted their SSH keys with a passphrase.  This is the problem that Nico Leidecker’s Phrasen|drescher addresses.

It can run at around 17 000 guesses per second (on my ~2GHz PC at least).  It supports  dictionary-based guessing, permutations of dictionary words (e.g. l33t) and pure brute force.  I’d include an example of it running, but the documentation on the home page is pretty good too, so you may as well read that instead .

 

Tags: , ,

Posted in Blog