ssh2john and john unable to brute-force password #4069

Closed
oub7hoyu opened this issue Aug 9, 2019 · 27 comments · Fixed by #4328

@oub7hoyu

oub7hoyu commented Aug 9, 2019

Steps to reproduce

I created the following private key with the password 123.
id_rsa.txt

Converted it via ssh2john.py into a john-compatible format.
id_rsa_johnformat.txt

Tried to get the used password by using john, but it never found a valid solution. For example:

john --mask=?d?d?d id_rsa_johnformat.txt

System configuration

Attach details about your OS and about JtR, including:

  • $ ./john --list=build-info.
Version: 1.9.0-jumbo-1
Build: linux-gnu 64-bit x86_64 AVX2 AC OMP
SIMD: AVX2, interleaving: MD4:3 MD5:3 SHA1:1 SHA256:1 SHA512:1
CPU tests: AVX2
$JOHN is ./run/
Format interface version: 14
Max. number of reported tunable costs: 4
Rec file version: REC4
Charset file version: CHR3
CHARSET_MIN: 1 (0x01)
CHARSET_MAX: 255 (0xff)
CHARSET_LENGTH: 24
SALT_HASH_SIZE: 1048576
SINGLE_IDX_MAX: 32768
SINGLE_BUF_MAX: 4294967295
Effective limit: Max. KPC 32768
Max. Markov mode level: 400
Max. Markov mode password length: 30
gcc version: 7.4.0
GNU libc version: 2.27 (loaded: 2.27)
Crypto library: OpenSSL
OpenSSL library version: 0100020ef
OpenSSL 1.0.2n  7 Dec 2017
File locking: fcntl()
fseek(): fseek
ftell(): ftell
fopen(): fopen
memmem(): System's
@magnumripper
Member

magnumripper commented Aug 9, 2019

What version of OpenSSH did you use to create it, and with which options? Can you actually use it?

$ ssh-keygen -f id_rsa.txt -l
id_rsa.txt is not a key file.

@oub7hoyu
Author

oub7hoyu commented Aug 11, 2019

This was generated by OpenSSH 7.9 and I simply ran ssh-keygen.
Here is the output of ssh-keygen -f id_rsa.txt -l:

2048 SHA256:3loacI7AOWRe1KH+wDTx5PsVr9yohus+l6VgdvtMtzE ...@... (RSA)

@magnumripper
Member

I need to test that. Ideally we'd have @kholia suffering a JtR relapse and create a couple of Good Stuff[tm] PR's a day for a (long) period again...

@deletehead

deletehead commented Jan 16, 2020

See the following link. I tested it out using the Kali package install and also attempted building from source and got the same issues here: https://security.stackexchange.com/questions/224109/how-do-i-crack-an-id-rsa-encrypted-private-key-with-john-the-ripper

@magnumripper
Member

Confirmed, I can reproduce

@Sp3nge

Sp3nge commented Jan 16, 2020

> Confirmed, I can reproduce

When can we expect a bug fix?

@tuv7041

tuv7041 commented Jan 16, 2020

Not sure if this'll help, but I came across this bug today, and running the command as:
john --wordlist=wordlist sshKey.hash
didn't work, I got the following output:

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Crash recovery file is locked: /home/user/src/john/run/john.rec

But running the command as:
john sshKey.hash -wordlist=wordlist
worked perfectly:

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
testpass          (sshKey)
1g 0:00:00:00 DONE (2020-01-16 10:06) 25.00g/s 150.0p/s 150.0c/s 150.0C/s testpass2..testpass5
Session completed

@magnumripper
Member

@tuv7041 thank you, yes, this is of help! However, the order of parameters is definitely not the issue so what really happened there, I'm sure, is JtR would sometimes crack it.

If you try deleting john.pot so it forgets the password, then just run john --wordlist=wordlist sshKey.hash a couple of times it should most probably succeed sooner or later. If you try that, please confirm.

@magnumripper
Member

> > Confirmed, I can reproduce
>
> When can we expect a bug fix?

In short, you can't (unless you fix the bug). This is free (as in free beer), open source (as in you know what's in the beer) software, developed by volunteers. We are severely short of developers and I have SO many issues to take care of. That said, this particular issue is one that I will look into sooner or later unless someone else does and finds the culprit.

@solardiz
Member

> However, the order of parameters is definitely not the issue so what really happened there, I'm sure, is JtR would sometimes crack it.

Of course, the order of parameters is not the issue, but the provided example suggests that the first time another instance of JtR was somehow still running, preventing the new session from being started - a local issue unrelated to ssh "hash" support. So I don't see this example helping us at all - it'd need to be repeated without triggering that unrelated issue.

Crash recovery file is locked: /home/user/src/john/run/john.rec

@magnumripper
Member

Right, I didn't spot that. Also, the OP hash is Bcrypt/AES with 16 iterations. I shouldn't assume that all people that post here know what they're doing 😢

@redd1ng

redd1ng commented Jan 23, 2020

> Not sure if this'll help, but I came across this bug today, and running the command as:
> john --wordlist=wordlist sshKey.hash
> didn't work, I got the following output:
>
> Using default input encoding: UTF-8
> Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
> Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
> Cost 2 (iteration count) is 1 for all loaded hashes
> Will run 8 OpenMP threads
> Note: This format may emit false positives, so it will keep trying even after
> finding a possible candidate.
> Crash recovery file is locked: /home/user/src/john/run/john.rec
>
> But running the command as:
> john sshKey.hash -wordlist=wordlist
> worked perfectly:
>
> Using default input encoding: UTF-8
> Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
> Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
> Cost 2 (iteration count) is 1 for all loaded hashes
> Will run 8 OpenMP threads
> Note: This format may emit false positives, so it will keep trying even after
> finding a possible candidate.
> Press 'q' or Ctrl-C to abort, almost any other key for status
> testpass          (sshKey)
> 1g 0:00:00:00 DONE (2020-01-16 10:06) 25.00g/s 150.0p/s 150.0c/s 150.0C/s testpass2..testpass5
> Session completed

This worked for me, thanks!

@DavidRayner

With 1.9.0-jumbo-1 I am unable to crack using --wordlist rockyou.txt but successfully could with -wordlist=rockyou.txt

@magnumripper
Member

magnumripper commented Feb 6, 2020

When you say john hashes.txt --wordlist=rockyou.txt, you tell JtR to use the rockyou file as a wordlist.

When you say john hashes.txt --wordlist rockyou.txt, you're actually telling JtR that the rockyou file is an input file (just like hashes.txt) and to use the default wordlist (namely password.lst which resides in the run directory) since you didn't give =FILE as parameter to the --wordlist option.

@Narthorn

Some ssh keys encrypted by ssh-keygen are using aes-256-ctr, instead of the previous aes-256-cbc. Here's an example generated with openssh 8.2:

00000000: 6f70 656e 7373 682d 6b65 792d 7631 0000  openssh-key-v1..
00000010: 0000 0a61 6573 3235 362d 6374 7200 0000  ...aes256-ctr...
00000020: 0662 6372 7970 7400 0000 1800 0000 109c  .bcrypt.........
00000030: 21d7 a0d7 e401 0a97 f836 e901 706c 5e00  !........6..pl^.
00000040: 0000 1000 0000 0100 0000 3300 0000 0b73  ..........3....s
00000050: 7368 2d65 6432 3535 3139 0000 0020 9def  sh-ed25519... ..
00000060: d482 f0cd 8527 245a 82a7 b33d c6c6 56e1  .....'$Z...=..V.
00000070: deae 6523 dd0b fdc6 9d74 1649 c909 0000  ..e#.....t.I....
00000080: 00a0 98c6 2980 0a75 9cd6 ebe6 705f d061  ....)..u....p_.a
00000090: bddb 5604 3088 a0a8 711d e99a 30c2 4fba  ..V.0...q...0.O.
000000a0: 45c8 f34b a25f c87b 803e cf52 5228 56bb  E..K._.{.>.RR(V.
000000b0: 532e 12ac e58a 20d8 9b17 506f 9cc4 1805  S..... ...Po....
000000c0: 6a35 0c86 d9fe 44fe d3fc 2142 ae59 5c9f  j5....D...!B.Y\.
000000d0: 9cdb 0109 e218 c328 2f87 1ab3 ad3b 6c37  .......(/....;l7
000000e0: 8fd8 e67d 5232 1114 7364 bd7c eebd 8797  ...}R2..sd.|....
000000f0: c607 623b f538 0ce4 0cbd 018f 36d9 01ad  ..b;.8......6...
00000100: e1ab ed42 7b22 0600 e94d 3238 24df d0fe  ...B{"...M28$...
00000110: 2c29 4213 21f6 ee2f d6b0 84c5 efbb 128b  ,)B.!../........
00000120: 1679                                     .y

OP's key was also using aes256-ctr, but ssh2john and john both assume aes256-cbc.

I haven't thoroughly checked which versions of ssh-keygen encrypt keys with CTR, but on Arch Linux, it looks like the switch happened sometime between openssh 7.4 (2016-12) and 7.6 (2017-10).
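
Added example (not part of the thread and not ssh2john's own code): a minimal Python reader for the `openssh-key-v1` header visible in the dump above, which takes the cipher and KDF from the file instead of assuming `aes256-cbc`. The function names and the constructed sample header (constructed salt, no key material) are assumptions made for illustration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # magic string visible at offset 0 of the dump
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def ssh_string(data):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf, off):
    """Decode an SSH 'string' at off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string runs past end of data")
    return buf[off:off + n], off + n


def dearmor(text):
    """Strip the PEM-style armor and base64-decode the body."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH new-format private key")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def parse_header(blob):
    """Return cipher, KDF, salt and rounds from an openssh-key-v1 blob."""
    if not blob.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(MAGIC)
    cipher, off = read_string(blob, off)
    kdf, off = read_string(blob, off)
    opts, off = read_string(blob, off)
    info = {"cipher": cipher.decode("ascii"), "kdf": kdf.decode("ascii"),
            "salt": None, "rounds": None}
    if info["kdf"] == "bcrypt":
        # kdfoptions for bcrypt: string salt, then uint32 rounds
        salt, p = read_string(opts, 0)
        if p + 4 != len(opts):
            raise ValueError("malformed bcrypt kdfoptions")
        info["salt"] = salt
        (info["rounds"],) = struct.unpack_from(">I", opts, p)
    elif info["kdf"] != "none":
        raise ValueError("unknown KDF: " + info["kdf"])
    return info


def unsupported_reason(info, supported_ciphers):
    """Say why a tool limited to supported_ciphers must refuse this key.

    Returns None when the key can be handled. Refusing is safer than
    decrypting with an assumed mode, the mismatch described in this issue.
    """
    if info["cipher"] == "none":
        return "key is stored without a passphrase"
    if info["cipher"] not in supported_ciphers:
        return "cipher %s is not supported" % info["cipher"]
    return None


def build_sample(cipher, kdf, salt=b"", rounds=0):
    """Constructed header only (no key material follows), for demonstration."""
    opts = (ssh_string(salt) + struct.pack(">I", rounds)) if kdf == "bcrypt" else b""
    blob = (MAGIC + ssh_string(cipher.encode()) + ssh_string(kdf.encode())
            + ssh_string(opts) + struct.pack(">I", 1))  # uint32: number of keys
    return "\n".join([BEGIN, base64.b64encode(blob).decode(), END]) + "\n"


if __name__ == "__main__":
    # Same header fields as the dump above, with a constructed salt.
    for cipher in ("aes256-cbc", "aes256-ctr"):
        key = build_sample(cipher, "bcrypt", bytes(range(16)), 16)
        info = parse_header(dearmor(key))
        print(info["cipher"], info["kdf"], info["rounds"],
              unsupported_reason(info, {"aes256-cbc"}))
```
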

@xirotech

xirotech commented Apr 2, 2020

> Some ssh keys encrypted by ssh-keygen are using aes-256-ctr, instead of the previous aes-256-cbc. Here's an example generated with openssh 8.2:
>
> 00000000: 6f70 656e 7373 682d 6b65 792d 7631 0000  openssh-key-v1..
> 00000010: 0000 0a61 6573 3235 362d 6374 7200 0000  ...aes256-ctr...
> 00000020: 0662 6372 7970 7400 0000 1800 0000 109c  .bcrypt.........
> 00000030: 21d7 a0d7 e401 0a97 f836 e901 706c 5e00  !........6..pl^.
> 00000040: 0000 1000 0000 0100 0000 3300 0000 0b73  ..........3....s
> 00000050: 7368 2d65 6432 3535 3139 0000 0020 9def  sh-ed25519... ..
> 00000060: d482 f0cd 8527 245a 82a7 b33d c6c6 56e1  .....'$Z...=..V.
> 00000070: deae 6523 dd0b fdc6 9d74 1649 c909 0000  ..e#.....t.I....
> 00000080: 00a0 98c6 2980 0a75 9cd6 ebe6 705f d061  ....)..u....p_.a
> 00000090: bddb 5604 3088 a0a8 711d e99a 30c2 4fba  ..V.0...q...0.O.
> 000000a0: 45c8 f34b a25f c87b 803e cf52 5228 56bb  E..K._.{.>.RR(V.
> 000000b0: 532e 12ac e58a 20d8 9b17 506f 9cc4 1805  S..... ...Po....
> 000000c0: 6a35 0c86 d9fe 44fe d3fc 2142 ae59 5c9f  j5....D...!B.Y\.
> 000000d0: 9cdb 0109 e218 c328 2f87 1ab3 ad3b 6c37  .......(/....;l7
> 000000e0: 8fd8 e67d 5232 1114 7364 bd7c eebd 8797  ...}R2..sd.|....
> 000000f0: c607 623b f538 0ce4 0cbd 018f 36d9 01ad  ..b;.8......6...
> 00000100: e1ab ed42 7b22 0600 e94d 3238 24df d0fe  ...B{"...M28$...
> 00000110: 2c29 4213 21f6 ee2f d6b0 84c5 efbb 128b  ,)B.!../........
> 00000120: 1679                                     .y
>
> OP's key was also using aes256-ctr, but ssh2john and john both assume aes256-cbc.
>
> I haven't thoroughly checked which versions of ssh-keygen encrypt keys with CTR, but on Arch Linux, it looks like the switch happened sometime between openssh 7.4 (2016-12) and 7.6 (2017-10).

Yes, this directly leads to "No password hashes loaded (see FAQ)" error.

vkhromov added a commit to vkhromov/openwall-john that referenced this issue Aug 31, 2020
Add support for ssh private key passphrase encrypted using `aes256-ctr`.

Fixes openwall#4069

Test
```bash
$ ssh-keygen -t rsa -b 4096 -f id_rsa-aes256-cbc -Z aes256-cbc -N TestPassword
$ ssh-keygen -t rsa -b 4096 -f id_rsa-aes256-ctr -Z aes256-ctr -N TestPassword
$ echo TestPassword >passwords.lst
$ ./ssh2john.py id_rsa-aes256-cbc id_rsa-aes256-ctr >id_rsa.hash
$ ./john --wordlist=passwords.lst id_rsa.hash
...
TestPassword     (id_rsa-aes256-ctr)
TestPassword     (id_rsa-aes256-cbc)
```
vkhromov added a commit to vkhromov/openwall-john that referenced this issue Aug 31, 2020
Add support for ssh new-style private keys encrypted using `aes256-ctr`.

Fixes openwall#4069

Test
```bash
$ ssh-keygen -t rsa -b 4096 -f id_rsa-aes256-cbc -Z aes256-cbc -N TestPassword
$ ssh-keygen -t rsa -b 4096 -f id_rsa-aes256-ctr -Z aes256-ctr -N TestPassword
$ echo TestPassword >passwords.lst
$ ./ssh2john.py id_rsa-aes256-cbc id_rsa-aes256-ctr >id_rsa.hash
$ ./john --wordlist=passwords.lst id_rsa.hash
...
TestPassword     (id_rsa-aes256-ctr)
TestPassword     (id_rsa-aes256-cbc)
```
@vkhromov
Contributor

> I haven't thoroughly checked which versions of ssh-keygen encrypt keys with CTR, but on Arch Linux, it looks like the switch happened sometime between openssh 7.4 (2016-12) and 7.6 (2017-10).

The default cipher has been changed since 7.6: openssh/openssh-portable@0f34553

vkhromov added a commit to vkhromov/openwall-john that referenced this issue Sep 1, 2020
Add support for ssh new-style private keys encrypted using `aes256-ctr`.

Fixes openwall#4069

Test
```bash
$ ssh-keygen -t rsa -b 4096 -f id_rsa-aes256-cbc -Z aes256-cbc -N TestPassword
$ ssh-keygen -t rsa -b 4096 -f id_rsa-aes256-ctr -Z aes256-ctr -N TestPassword
$ echo TestPassword >passwords.lst
$ ./ssh2john.py id_rsa-aes256-cbc id_rsa-aes256-ctr >id_rsa.hash
$ ./john --wordlist=passwords.lst id_rsa.hash
...
TestPassword     (id_rsa-aes256-ctr)
TestPassword     (id_rsa-aes256-cbc)
```
magnumripper pushed a commit that referenced this issue Sep 1, 2020
Add support for ssh new-style private keys encrypted using `aes256-ctr`.

Fixes #4069

Test
```bash
$ ssh-keygen -t rsa -b 4096 -f id_rsa-aes256-cbc -Z aes256-cbc -N TestPassword
$ ssh-keygen -t rsa -b 4096 -f id_rsa-aes256-ctr -Z aes256-ctr -N TestPassword
$ echo TestPassword >passwords.lst
$ ./ssh2john.py id_rsa-aes256-cbc id_rsa-aes256-ctr >id_rsa.hash
$ ./john --wordlist=passwords.lst id_rsa.hash
...
TestPassword     (id_rsa-aes256-ctr)
TestPassword     (id_rsa-aes256-cbc)
```
@binarytrails

I must say it is still here on up to date linux OS.

Here are steps to reproduce:

mr test-lab $ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mr/.ssh/id_rsa): diesel
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in diesel
Your public key has been saved in diesel.pub
The key fingerprint is:
SHA256:BA4+iCB1nCq9BRzvjY/6xVbCYWK92vGOkgfwKjhe1Io mr@rabbit
The key's randomart image is:
+---[RSA 3072]----+
|ooooo..          |
|o.o=o+ .         |
|...o* = .        |
|. +ooB +         |
| . *o.* S        |
|  + +* =         |
|.E +oo* .        |
|+ o.oo.o         |
|.+...o. .        |
+----[SHA256]-----+
mr test-lab $ ls
diesel  diesel.pub  ssh2john.py
mr test-lab $ cat diesel
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
mr test-lab $ python2 ssh2john.py diesel > diesel.hash
mr test-lab $ john --wordlist=word.lst diesel.hash --fork=12
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Warning: OpenMP was disabled due to --fork; a non-OpenMP build may be faster
Node numbers 1-12 of 12 (fork)
4 0g 0:00:00:00 DONE (2020-11-07 18:27) 0g/s 0p/s 0c/s 0C/s
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
12 0g 0:00:00:00 DONE (2020-11-07 18:27) 0g/s 0p/s 0c/s 0C/s
8 0g 0:00:00:00 DONE (2020-11-07 18:27) 0g/s 0p/s 0c/s 0C/s
6 0g 0:00:00:00 DONE (2020-11-07 18:27) 0g/s 0p/s 0c/s 0C/s
11 0g 0:00:00:00 DONE (2020-11-07 18:27) 0g/s 0p/s 0c/s 0C/s
3 0g 0:00:00:00 DONE (2020-11-07 18:27) 0g/s 0p/s 0c/s 0C/s
9 0g 0:00:00:00 DONE (2020-11-07 18:27) 0g/s 0p/s 0c/s 0C/s
5 0g 0:00:00:00 DONE (2020-11-07 18:27) 0g/s 0p/s 0c/s 0C/s
7 0g 0:00:00:00 DONE (2020-11-07 18:27) 0g/s 0p/s 0c/s 0C/s
Press 'q' or Ctrl-C to abort, almost any other key for status
10 0g 0:00:00:00 DONE (2020-11-07 18:27) 0g/s 0p/s 0c/s 0C/s
2 0g 0:00:00:00 DONE (2020-11-07 18:27) 0g/s 10.00p/s 10.00c/s 10.00C/s 12345
1 0g 0:00:00:00 DONE (2020-11-07 18:27) 0g/s 10.00p/s 10.00c/s 10.00C/s diesel
Waiting for 11 children to terminate
Session completed
mr test-lab $ cat word.lst 
diesel
12345

As seen nothing found... but when I force the cipher during a keygen as in the 51f7f3d, it works just fine:

$ ssh-keygen -t rsa -b 4096 -f id_rsa-aes256-cbc -Z aes256-cbc -N TestPassword
$ ssh-keygen -t rsa -b 4096 -f id_rsa-aes256-ctr -Z aes256-ctr -N TestPassword
$ echo TestPassword >passwords.lst
$ ./ssh2john.py id_rsa-aes256-cbc id_rsa-aes256-ctr >id_rsa.hash
$ ./john --wordlist=passwords.lst id_rsa.hash
...
TestPassword     (id_rsa-aes256-ctr)
TestPassword     (id_rsa-aes256-cbc)

It's not normal that John can't find the key with a default cipher of ssh-keygen.

@solardiz
Member

solardiz commented Nov 8, 2020

@binarytrails Are you using our latest code? It sounds like you're not, but are instead using a john that came with some kind of "up to date linux OS" distro. Anyhow, this is a reminder for us to make a new numbered release soon so that we'd give a clear message to distros to update to our newer code.

For your own use, of course just use our latest code from this repo - not whatever came with the distro. We almost always recommend that for best experience, even in absence of bugs.

@solardiz
Member

solardiz commented Nov 8, 2020

Confirmed that this sample is processed properly with our latest code:

$ ./john -w=password.lst pw-ssh
[ssh-opencl] cipher value of 6 is not yet supported with OpenCL!
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 32 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 16.73% (ETA: 15:31:30) 0g/s 68.63p/s 68.63c/s 68.63C/s frodo..crawford
0g 0:00:00:07 23.80% (ETA: 15:31:42) 0g/s 71.40p/s 71.40c/s 71.40C/s crystal..bigben
0g 0:00:00:10 30.96% (ETA: 15:31:45) 0g/s 72.38p/s 72.38c/s 72.38C/s bigdog..random
0g 0:00:00:14 38.10% (ETA: 15:31:49) 0g/s 72.88p/s 72.88c/s 72.88C/s rangers..burton
0g 0:00:00:17 45.30% (ETA: 15:31:50) 0g/s 73.22p/s 73.22c/s 73.22C/s butterfly..keeper
diesel           (ssh-4069)
1g 0:00:00:21 DONE (2020-11-08 15:31) 0.04712g/s 72.38p/s 72.38c/s 72.38C/s butterfly..keeper

BTW, we might want to add it to the john-samples repo - please feel free to send us a PR against that one.

@vkhromov
Contributor

vkhromov commented Nov 8, 2020

@binarytrails, I believe your attempt failed because ssh-opencl doesn't support aes256-ctr yet.
Could you try to run john with --format=ssh?

$ python2 ssh2john.py diesel > diesel.hash

$ ./john --wordlist=word.lst --format=ssh diesel.hash --fork=12
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Warning: OpenMP was disabled due to --fork; a non-OpenMP build may be faster
Node numbers 1-12 of 12 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
6 0g 0:00:00:00 DONE (2020-11-08 14:28) 0g/s 0p/s 0c/s 0C/s
7 0g 0:00:00:00 DONE (2020-11-08 14:28) 0g/s 0p/s 0c/s 0C/s
3 0g 0:00:00:00 DONE (2020-11-08 14:28) 0g/s 0p/s 0c/s 0C/s
4 0g 0:00:00:00 DONE (2020-11-08 14:28) 0g/s 0p/s 0c/s 0C/s
8 0g 0:00:00:00 DONE (2020-11-08 14:28) 0g/s 0p/s 0c/s 0C/s
5 0g 0:00:00:00 DONE (2020-11-08 14:28) 0g/s 0p/s 0c/s 0C/s
10 0g 0:00:00:00 DONE (2020-11-08 14:28) 0g/s 0p/s 0c/s 0C/s
11 0g 0:00:00:00 DONE (2020-11-08 14:28) 0g/s 0p/s 0c/s 0C/s
12 0g 0:00:00:00 DONE (2020-11-08 14:28) 0g/s 0p/s 0c/s 0C/s
9 0g 0:00:00:00 DONE (2020-11-08 14:28) 0g/s 0p/s 0c/s 0C/s
2 0g 0:00:00:00 DONE (2020-11-08 14:28) 0g/s 11.11p/s 11.11c/s 11.11C/s 12345
diesel           (diesel)
1 1g 0:00:00:00 DONE (2020-11-08 14:28) 5.263g/s 5.263p/s 5.263c/s 5.263C/s diesel
Waiting for 11 children to terminate
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

@solardiz
Member

solardiz commented Nov 8, 2020

@vkhromov No, @binarytrails was using the CPU format. (There were messages merely suggesting options to use OpenCL.) Explicit --format=ssh won't make a difference, as that format was autodetected. I think it's merely a distro package using our code from prior to your contribution.

@binarytrails

> There were messages merely suggesting options to use OpenCL

@vkhromov yes, I tried running with --format=SSH same result as with the GPU but I run it with threads because my computer has 12 cores which is faster than GPU in my case.

Here my two OSs versions that I used with the same results are latest Arch Linux and latest Kali Linux in a VM:

$ pacman -Si john
Repository      : community
Name            : john
Version         : 1.9.0.jumbo1-5
$ apt-cache show john
Package: john
Version: 1.9.0-Jumbo-1-0kali3

> For your own use, of course just use our latest code from this repo - not whatever came with the distro. We almost always recommend that for best experience, even in absence of bugs.

@solardiz You have a good point about the latest code. I will clone & compile your master here and report back.

> BTW, we might want to add it to the john-samples repo - please feel free to send us a PR against that one.

Yes, I can make a PR after with my sample code using the default ssh-keygen key that currently fails. I saw you created the PR openwall/john-samples#1; Does it mean that the default ssh-keygen is using aes256-ctr?

Thank you for the quick replies! 🐙

@solardiz
Member

solardiz commented Nov 8, 2020

> I can make a PR after with my sample code using the default ssh-keygen key that currently fails.

Please do. Thanks!

> I saw you created the PR openwall/john-samples#1;

Not a PR yet, just an issue so that we don't forget.

> Does it mean that the default ssh-keygen is using aes256-ctr?

That's my understanding per the comments above.

@binarytrails

@solardiz I just compiled the master on arch and same results:

$ ./john diesel.hash --wordlist=word.lst
[ssh-opencl] cipher value of 2 is not yet supported with OpenCL!
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates left, minimum 12 needed for performance.
0g 0:00:00:00 DONE (2020-11-08 13:15) 0g/s 15.38p/s 15.38c/s 15.38C/s diesel..12345
Session completed. 
mr run $ cat word.lst 
diesel
12345
mr run $ cat diesel.hash 
$ git log -1
commit 265489558a4e19a19a0c7057a394c2a024035103 (HEAD -> bleeding-jumbo, origin/bleeding-jumbo, origin/HEAD)
Author: Udi Schneider <[email protected]>
Date:   Sun Nov 8 14:27:44 2020 +0200

    Support Blockhain Android-Wallet-2-App format (#4440)
    
    * Update blockchain_common_plug.c
    
    support alternative wallet format
    
    * add test wallet for android format
    
    * Cleanup
    
    * fix for opencl
    
    * fix indentation

@solardiz
Member

solardiz commented Nov 8, 2020

@binarytrails Did you also use our latest ssh2john.py? In my testing, I was getting:

[ssh-opencl] cipher value of 6 is not yet supported with OpenCL!

you're getting:

[ssh-opencl] cipher value of 2 is not yet supported with OpenCL!

This 6 vs. 2 difference suggests your input file to john isn't the same as what I obtained for your SSH key.

@binarytrails

@solardiz great spotting! you're right. I did use the old ssh2john output so the problem was not in john but this script!

$ python2 ssh2john.py diesel > diesel.hash
$ ./john diesel.hash --wordlist=word.lst
[ssh-opencl] cipher value of 6 is not yet supported with OpenCL!
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates left, minimum 12 needed for performance.
diesel           (diesel)
1g 0:00:00:00 DONE (2020-11-08 14:22) 3.571g/s 7.142p/s 7.142c/s 7.142C/s diesel..12345
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Thank you! It makes my day. I will do the PR with this example later on. Cheers
