03-16-2018, 10:46 AM
I'm interested in brute-forcing known_hosts files for SSH, these look like this:
|[int]|[base64 SALT]|[base64 TARGET] ssh-rsa [base64]
These are SHA1_HMACs of the IP address or hostname where the Text (not the salt or key) is the password. (The Int at the beginning of the string defines the type of SHA hash e.g. 1, 256, 512).
e.g. if hmac.new(SALT, GUESS, sha1).digest() == TARGET then you have a match.
Hashcat has the modes 150 and 160 but nothing for unknown Text. Would it be hard to add support for this? I think it has some valuable uses when identifying hosts to move laterally within networks.
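Added example, not part of the original post: a Python sketch of the check described above, used the way `ssh-keygen -F` is, to see which name from your own host inventory a hashed known_hosts entry belongs to. The salt, host names, key blob and function names are constructed for illustration; only the `|1|` (HMAC-SHA1) form is handled.

```python
import base64
import hashlib
import hmac


def hash_host(host, salt):
    """Build the '|1|salt|hash' field: HMAC-SHA1 keyed with the salt, host as message."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def parse_entry(line):
    """Split a hashed known_hosts line into (salt bytes, target bytes, key type)."""
    fields = line.split()
    if len(fields) < 3 or not fields[0].startswith("|1|"):
        raise ValueError("not a |1| hashed known_hosts entry")
    # '|1|salt|hash' splits into ['', '1', salt, hash]; base64 never contains '|'
    _, _, salt_b64, target_b64 = fields[0].split("|")
    return base64.b64decode(salt_b64), base64.b64decode(target_b64), fields[1]


def match_inventory(line, inventory):
    """Return the inventory name whose HMAC equals the entry's target, else None."""
    salt, target, _ = parse_entry(line)
    for name in inventory:
        guess = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        if hmac.compare_digest(guess, target):
            return name
    return None


# Constructed sample data: the salt, host names and key blob are made up.
SAMPLE_SALT = bytes(range(20))
SAMPLE_LINE = (hash_host("db01.example.internal", SAMPLE_SALT)
               + " ssh-rsa CONSTRUCTED_KEY_BLOB")
INVENTORY = ["web01.example.internal", "192.0.2.10", "db01.example.internal"]

if __name__ == "__main__":
    print(match_inventory(SAMPLE_LINE, INVENTORY))
```

Each entry carries its own salt, so every candidate name costs one HMAC per entry, and hashing hides a host only as long as its name or address is hard to enumerate.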