1 /*
2 * Fast cracker for SSH RSA / DSA key files. Hacked together during October
3 * of 2012 by Dhiru Kholia <dhiru.kholia at gmail.com>.
4 *
5 * Support for cracking new openssh key format (bcrypt pbkdf) was added by
6 * m3g9tr0n (Spiros Fraganastasis) and Dhiru Kholia in September of 2014. This
7 * is dedicated to Raquel :-)
8 *
9 * Ideas borrowed from SSH2 protocol library, http://pypi.python.org/pypi/ssh
10 * Copyright (C) 2011 Jeff Forcier <jeff@bitprophet.org>
11 *
12 * This software is Copyright (c) 2012, Dhiru Kholia <dhiru.kholia at gmail.com>,
13 * and it is hereby released to the general public under the following terms:
14 * Redistribution and use in source and binary forms, with or without modification,
15 * are permitted.
16 */
17
18 #if FMT_EXTERNS_H
19 extern struct fmt_main fmt_ssh;
20 #elif FMT_REGISTERS_H
21 john_register_one(&fmt_ssh);
22 #else
23
24 #include <string.h>
25 #include <stdint.h>
26 #include <openssl/des.h>
27
28 #ifdef _OPENMP
29 #include <omp.h>
30 #endif
31
32 #include "arch.h"
33 #include "aes.h"
34 #include "jumbo.h"
35 #include "common.h"
36 #include "formats.h"
37 #include "params.h"
38 #include "options.h"
39 #include "md5.h"
40 #include "bcrypt_pbkdf.h"
41 #include "asn1.h"
42 #define CPU_FORMAT 1
43 #include "ssh_common.h"
44 #include "ssh_variable_code.h"
45
46 #define FORMAT_LABEL "SSH"
47 #define FORMAT_NAME ""
48 #define FORMAT_TAG "$sshng$"
49 #define FORMAT_TAG_LEN (sizeof(FORMAT_TAG)-1)
50 #define ALGORITHM_NAME "RSA/DSA/EC/OPENSSH (SSH private keys) 32/" ARCH_BITS_STR
51 #define BENCHMARK_COMMENT ""
52 #define BENCHMARK_LENGTH 0x107
53 #define PLAINTEXT_LENGTH 32 // XXX
54 #define BINARY_SIZE 0
55 #define SALT_SIZE sizeof(struct custom_salt)
56 #define BINARY_ALIGN 1
57 #define SALT_ALIGN sizeof(int)
58 #define MIN_KEYS_PER_CRYPT 1
59 #define MAX_KEYS_PER_CRYPT 8
60
61 /*
62 * For cost 1 using core i7, MKPC=8 and OMP_SCALE 128 works fine but that
63 * is far too slow for cost 2, which needs them at 1/1. Let's always auto-tune.
64 */
65 #ifndef OMP_SCALE
66 #define OMP_SCALE 0
67 #endif
68
69 // openssl asn1parse -in test_dsa.key; openssl asn1parse -in test_rsa.key
70 #define SAFETY_FACTOR 16 // enough to verify the initial ASN.1 structure (SEQUENCE, INTEGER, Big INTEGER) of RSA, and DSA keys?
71
72 static char (*saved_key)[PLAINTEXT_LENGTH + 1];
73 static int *cracked;
74
75 static struct custom_salt *cur_salt;
76
init(struct fmt_main * self)77 static void init(struct fmt_main *self)
78 {
79 omp_autotune(self, OMP_SCALE);
80
81 saved_key = mem_calloc(self->params.max_keys_per_crypt,
82 sizeof(*saved_key));
83 cracked = mem_calloc(self->params.max_keys_per_crypt,
84 sizeof(*cracked));
85 }
86
done(void)87 static void done(void)
88 {
89 MEM_FREE(cracked);
90 MEM_FREE(saved_key);
91 }
92
split(char * ciphertext,int index,struct fmt_main * self)93 static char *split(char *ciphertext, int index, struct fmt_main *self)
94 {
95 static char buf[sizeof(struct custom_salt)+100];
96
97 if (strstr(ciphertext, "$SOURCE_HASH$"))
98 return ciphertext;
99
100 strnzcpy(buf, ciphertext, sizeof(buf));
101 strlwr(buf);
102 return buf;
103 }
104
set_salt(void * salt)105 static void set_salt(void *salt)
106 {
107 cur_salt = (struct custom_salt *)salt;
108 }
109
generate_key_bytes(int nbytes,unsigned char * password,unsigned char * key)110 inline static void generate_key_bytes(int nbytes, unsigned char *password, unsigned char *key)
111 {
112 unsigned char digest[16];
113 int len = strlen((const char*)password);
114 int keyidx = 0;
115 int digest_inited = 0;
116
117 while (nbytes > 0) {
118 MD5_CTX ctx;
119 int i, size;
120
121 MD5_Init(&ctx);
122 if (digest_inited) {
123 MD5_Update(&ctx, digest, 16);
124 }
125 MD5_Update(&ctx, password, len);
126 /* use first 8 bytes of salt */
127 MD5_Update(&ctx, cur_salt->salt, 8);
128 MD5_Final(digest, &ctx);
129 digest_inited = 1;
130 if (nbytes > 16)
131 size = 16;
132 else
133 size = nbytes;
134 /* copy part of digest to keydata */
135 for (i = 0; i < size; i++)
136 key[keyidx++] = digest[i];
137 nbytes -= size;
138 }
139 }
140
check_structure_bcrypt(unsigned char * out,int length)141 inline static int check_structure_bcrypt(unsigned char *out, int length)
142 {
143 return memcmp(out, out + 4, 4);
144 }
145
check_padding_and_structure_EC(unsigned char * out,int length,int strict_mode)146 inline static int check_padding_and_structure_EC(unsigned char *out, int length, int strict_mode)
147 {
148 struct asn1_hdr hdr;
149 const uint8_t *pos, *end;
150
151 // First check padding
152 if (check_pkcs_pad(out, length, 16) < 0)
153 return -1;
154
155 /* check BER decoding, EC private key file contains:
156 *
157 * SEQUENCE, INTEGER (length 1), OCTET STRING, cont, OBJECT, cont, BIT STRING
158 *
159 * $ ssh-keygen -t ecdsa -f unencrypted_ecdsa_sample.key # don't use a password for testing
160 * $ openssl asn1parse -in unencrypted_ecdsa_sample.key # see the underlying structure
161 */
162
163 // SEQUENCE
164 if (asn1_get_next(out, length, &hdr) < 0 ||
165 hdr.class != ASN1_CLASS_UNIVERSAL ||
166 hdr.tag != ASN1_TAG_SEQUENCE) {
167 goto bad;
168 }
169 pos = hdr.payload;
170 end = pos + hdr.length;
171
172 // version Version (Version ::= INTEGER)
173 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
174 hdr.class != ASN1_CLASS_UNIVERSAL ||
175 hdr.tag != ASN1_TAG_INTEGER) {
176 goto bad;
177 }
178 pos = hdr.payload + hdr.length;
179 if (hdr.length != 1)
180 goto bad;
181
182 // OCTET STRING
183 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
184 hdr.class != ASN1_CLASS_UNIVERSAL ||
185 hdr.tag != ASN1_TAG_OCTETSTRING) {
186 goto bad;
187 }
188 pos = hdr.payload + hdr.length;
189 if (hdr.length < 8) // "secp112r1" curve uses 112 bit prime field, rest are bigger
190 goto bad;
191
192 // XXX add more structure checks!
193
194 return 0;
195 bad:
196 return -1;
197 }
198
check_padding_and_structure(unsigned char * out,int length,int strict_mode,int blocksize)199 inline static int check_padding_and_structure(unsigned char *out, int length, int strict_mode, int blocksize)
200 {
201 struct asn1_hdr hdr;
202 const uint8_t *pos, *end;
203
204 // First check padding
205 if (check_pkcs_pad(out, length, blocksize) < 0)
206 return -1;
207
208 /* check BER decoding, private key file contains:
209 *
210 * RSAPrivateKey = { version = 0, n, e, d, p, q, d mod p-1, d mod q-1, q**-1 mod p }
211 * DSAPrivateKey = { version = 0, p, q, g, y, x }
212 *
213 * openssl asn1parse -in test_rsa.key # this shows the structure nicely!
214 */
215
216 // SEQUENCE
217 if (asn1_get_next(out, length, &hdr) < 0 ||
218 hdr.class != ASN1_CLASS_UNIVERSAL ||
219 hdr.tag != ASN1_TAG_SEQUENCE) {
220 goto bad;
221 }
222 pos = hdr.payload;
223 end = pos + hdr.length;
224
225 // version Version (Version ::= INTEGER)
226 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
227 hdr.class != ASN1_CLASS_UNIVERSAL ||
228 hdr.tag != ASN1_TAG_INTEGER) {
229 goto bad;
230 }
231 pos = hdr.payload + hdr.length;
232
233 // INTEGER (big one)
234 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
235 hdr.class != ASN1_CLASS_UNIVERSAL ||
236 hdr.tag != ASN1_TAG_INTEGER) {
237 goto bad;
238 }
239 pos = hdr.payload + hdr.length;
240 /* NOTE: now this integer has to be big, is this always true?
241 * RSA (as used in ssh) uses big prime numbers, so this check should be OK
242 */
243 if (hdr.length < 64) {
244 goto bad;
245 }
246
247 if (strict_mode) {
248 // INTEGER (small one)
249 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
250 hdr.class != ASN1_CLASS_UNIVERSAL ||
251 hdr.tag != ASN1_TAG_INTEGER) {
252 goto bad;
253 }
254 pos = hdr.payload + hdr.length;
255
256 // INTEGER (big one again)
257 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
258 hdr.class != ASN1_CLASS_UNIVERSAL ||
259 hdr.tag != ASN1_TAG_INTEGER) {
260 goto bad;
261 }
262 pos = hdr.payload + hdr.length;
263 if (hdr.length < 32) {
264 goto bad;
265 }
266 }
267
268 return 0;
269 bad:
270 return -1;
271 }
272
common_crypt_code(char * password,unsigned char * out,int full_decrypt)273 static void common_crypt_code(char *password, unsigned char *out, int full_decrypt)
274 {
275 if (cur_salt->cipher == 0) {
276 unsigned char key[24];
277 DES_cblock key1, key2, key3;
278 DES_cblock iv;
279 DES_key_schedule ks1, ks2, ks3;
280
281 memcpy(iv, cur_salt->salt, 8);
282 generate_key_bytes(24, (unsigned char*)password, key);
283 memcpy(key1, key, 8);
284 memcpy(key2, key + 8, 8);
285 memcpy(key3, key + 16, 8);
286 DES_set_key((DES_cblock *) key1, &ks1);
287 DES_set_key((DES_cblock *) key2, &ks2);
288 DES_set_key((DES_cblock *) key3, &ks3);
289 if (full_decrypt) {
290 DES_ede3_cbc_encrypt(cur_salt->ct, out, cur_salt->ctl, &ks1, &ks2, &ks3, &iv, DES_DECRYPT);
291 } else {
292 DES_ede3_cbc_encrypt(cur_salt->ct, out, SAFETY_FACTOR, &ks1, &ks2, &ks3, &iv, DES_DECRYPT);
293 memcpy(iv, cur_salt->ct + cur_salt->ctl - 16, 8);
294 DES_ede3_cbc_encrypt(cur_salt->ct + cur_salt->ctl - 8, out + cur_salt->ctl - 8, 8, &ks1, &ks2, &ks3, &iv, DES_DECRYPT);
295 }
296 } else if (cur_salt->cipher == 1) {
297 unsigned char key[16];
298 AES_KEY akey;
299 unsigned char iv[16];
300
301 memcpy(iv, cur_salt->salt, 16);
302 generate_key_bytes(16, (unsigned char*)password, key);
303 AES_set_decrypt_key(key, 128, &akey);
304 if (full_decrypt) {
305 AES_cbc_encrypt(cur_salt->ct, out, cur_salt->ctl, &akey, iv, AES_DECRYPT);
306 } else {
307 // are starting SAFETY_FACTOR bytes enough?
308 AES_cbc_encrypt(cur_salt->ct, out, SAFETY_FACTOR, &akey, iv, AES_DECRYPT);
309 memcpy(iv, cur_salt->ct + cur_salt->ctl - 32, 16);
310 AES_cbc_encrypt(cur_salt->ct + cur_salt->ctl - 16, out + cur_salt->ctl - 16, 16, &akey, iv, AES_DECRYPT);
311 }
312 } else if (cur_salt->cipher == 2) { /* new ssh key format handling */
313 unsigned char key[32 + 16];
314 AES_KEY akey;
315 unsigned char iv[16];
316
317 // derive (key length + iv length) bytes
318 bcrypt_pbkdf(password, strlen((const char*)password), cur_salt->salt, 16, key, 32 + 16, cur_salt->rounds);
319 AES_set_decrypt_key(key, 256, &akey);
320 memcpy(iv, key + 32, 16);
321 // decrypt one block for "check bytes" check
322 AES_cbc_encrypt(cur_salt->ct + cur_salt->ciphertext_begin_offset, out, 16, &akey, iv, AES_DECRYPT);
323 // Padding check is unreliable for this type
324 // memcpy(iv, cur_salt->ct + cur_salt->ctl - 32, 16);
325 // AES_cbc_encrypt(cur_salt->ct + cur_salt->ctl - 16, out + cur_salt->ctl - 16, 16, &akey, iv, AES_DECRYPT);
326 } else if (cur_salt->cipher == 3) { // EC keys with AES-128
327 unsigned char key[16];
328 AES_KEY akey;
329 unsigned char iv[16];
330
331 memcpy(iv, cur_salt->salt, 16);
332 generate_key_bytes(16, (unsigned char*)password, key);
333 AES_set_decrypt_key(key, 128, &akey);
334 // full decrypt
335 AES_cbc_encrypt(cur_salt->ct, out, cur_salt->ctl, &akey, iv, AES_DECRYPT);
336 } else if (cur_salt->cipher == 4) { // RSA/DSA keys with AES-192
337 unsigned char key[24];
338 AES_KEY akey;
339 unsigned char iv[16];
340
341 memcpy(iv, cur_salt->salt, 16);
342 generate_key_bytes(24, (unsigned char*)password, key);
343 AES_set_decrypt_key(key, 192, &akey);
344 if (full_decrypt) {
345 AES_cbc_encrypt(cur_salt->ct, out, cur_salt->ctl, &akey, iv, AES_DECRYPT);
346 } else {
347 // are starting SAFETY_FACTOR bytes enough?
348 AES_cbc_encrypt(cur_salt->ct, out, SAFETY_FACTOR, &akey, iv, AES_DECRYPT);
349 memcpy(iv, cur_salt->ct + cur_salt->ctl - 32, 16);
350 AES_cbc_encrypt(cur_salt->ct + cur_salt->ctl - 16, out + cur_salt->ctl - 16, 16, &akey, iv, AES_DECRYPT);
351 }
352 } else if (cur_salt->cipher == 5) { // RSA/DSA keys with AES-256
353 unsigned char key[32];
354 AES_KEY akey;
355 unsigned char iv[16];
356
357 memcpy(iv, cur_salt->salt, 16);
358 generate_key_bytes(32, (unsigned char*)password, key);
359 AES_set_decrypt_key(key, 256, &akey);
360 if (full_decrypt) {
361 AES_cbc_encrypt(cur_salt->ct, out, cur_salt->ctl, &akey, iv, AES_DECRYPT);
362 } else {
363 // are starting SAFETY_FACTOR bytes enough?
364 AES_cbc_encrypt(cur_salt->ct, out, SAFETY_FACTOR, &akey, iv, AES_DECRYPT);
365 memcpy(iv, cur_salt->ct + cur_salt->ctl - 32, 16);
366 AES_cbc_encrypt(cur_salt->ct + cur_salt->ctl - 16, out + cur_salt->ctl - 16, 16, &akey, iv, AES_DECRYPT);
367 }
368 }
369 }
370
crypt_all(int * pcount,struct db_salt * salt)371 static int crypt_all(int *pcount, struct db_salt *salt)
372 {
373 const int count = *pcount;
374 int index;
375
376 #ifdef _OPENMP
377 #pragma omp parallel for
378 #endif
379 for (index = 0; index < count; index++) {
380 unsigned char out[N];
381
382 // don't do full decryption (except for EC keys)
383 common_crypt_code(saved_key[index], out, 0);
384
385 if (cur_salt->cipher == 0) { // 3DES
386 cracked[index] =
387 !check_padding_and_structure(out, cur_salt->ctl, 0, 8);
388 } else if (cur_salt->cipher == 1) {
389 cracked[index] =
390 !check_padding_and_structure(out, cur_salt->ctl, 0, 16);
391 } else if (cur_salt->cipher == 2) { // new ssh key format handling
392 cracked[index] =
393 !check_structure_bcrypt(out, cur_salt->ctl);
394 } else if (cur_salt->cipher == 3) { // EC keys
395 cracked[index] =
396 !check_padding_and_structure_EC(out, cur_salt->ctl, 0);
397 } else if (cur_salt->cipher == 4) { // AES-192
398 cracked[index] =
399 !check_padding_and_structure(out, cur_salt->ctl, 0, 16);
400 } else if (cur_salt->cipher == 5) { // AES-256
401 cracked[index] =
402 !check_padding_and_structure(out, cur_salt->ctl, 0, 16);
403 }
404
405 }
406
407 return count;
408 }
409
cmp_all(void * binary,int count)410 static int cmp_all(void *binary, int count)
411 {
412 int index;
413
414 for (index = 0; index < count; index++)
415 if (cracked[index])
416 return 1;
417 return 0;
418 }
419
cmp_one(void * binary,int index)420 static int cmp_one(void *binary, int index)
421 {
422 return cracked[index];
423 }
424
cmp_exact(char * source,int index)425 static int cmp_exact(char *source, int index)
426 {
427 unsigned char out[N];
428
429 common_crypt_code(saved_key[index], out, 1); // do full decryption!
430
431 if (cur_salt->cipher == 0) { // 3DES
432 return !check_padding_and_structure(out, cur_salt->ctl, 1, 8);
433 } else if (cur_salt->cipher == 1) {
434 return !check_padding_and_structure(out, cur_salt->ctl, 1, 16);
435 } else if (cur_salt->cipher == 2) { /* new ssh key format handling */
436 return 1; // XXX add more checks!
437 } else if (cur_salt->cipher == 3) { // EC keys
438 return 1;
439 } else if (cur_salt->cipher == 4) {
440 return !check_padding_and_structure(out, cur_salt->ctl, 1, 16);
441 } else if (cur_salt->cipher == 5) {
442 return !check_padding_and_structure(out, cur_salt->ctl, 1, 16);
443 }
444
445 return 0;
446 }
447
448 #undef set_key /* OpenSSL DES clash */
set_key(char * key,int index)449 static void set_key(char *key, int index)
450 {
451 strnzcpyn(saved_key[index], key, sizeof(*saved_key));
452 }
453
get_key(int index)454 static char *get_key(int index)
455 {
456 return saved_key[index];
457 }
458
459 struct fmt_main fmt_ssh = {
460 {
461 FORMAT_LABEL,
462 FORMAT_NAME,
463 ALGORITHM_NAME,
464 BENCHMARK_COMMENT,
465 BENCHMARK_LENGTH,
466 0,
467 PLAINTEXT_LENGTH,
468 BINARY_SIZE,
469 BINARY_ALIGN,
470 SALT_SIZE,
471 SALT_ALIGN,
472 MIN_KEYS_PER_CRYPT,
473 MAX_KEYS_PER_CRYPT,
474 FMT_CASE | FMT_8_BIT | FMT_OMP | FMT_NOT_EXACT | FMT_SPLIT_UNIFIES_CASE | FMT_HUGE_INPUT,
475 {
476 "KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]",
477 "iteration count",
478 },
479 { FORMAT_TAG },
480 ssh_tests
481 }, {
482 init,
483 done,
484 fmt_default_reset,
485 fmt_default_prepare,
486 ssh_valid,
487 split,
488 fmt_default_binary,
489 ssh_get_salt,
490 {
491 ssh_kdf,
492 ssh_iteration_count,
493 },
494 fmt_default_source,
495 {
496 fmt_default_binary_hash
497 },
498 fmt_default_salt_hash,
499 NULL,
500 set_salt,
501 set_key,
502 get_key,
503 fmt_default_clear_keys,
504 crypt_all,
505 {
506 fmt_default_get_hash
507 },
508 cmp_all,
509 cmp_one,
510 cmp_exact
511 }
512 };
513
514 #endif /* plugin stanza */
515