I found a private key which seems to be in the PuTTY private key format.

The key has the following header:

---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Subject: <sensitive>
Comment: <sensitive>
P2/56wAAA/MAAAA3a...
...Yhp
---- END SSH2 ENCRYPTED PRIVATE KEY ----

When opened in the PuTTY keygen tool, it prompts for a password, which it does not do for other files, so I assume some sort of validation is done on the PPK file. The same behavior occurs with a PPK file that I generated using PuTTY keygen.

I tried the PHRASENDRESCHER tool to guess private key passwords, but this tool gives no output in case of an invalid/unknown file format. I tried generating my own PPK with a weak password, and it did not crack that private key, so I assume the tool does not understand this type of private key.

Since PuTTY keygen has no CLI, it is not possible to guess the password automatically. Does anyone have a cracking tool that is able to guess the password (brute-force and/or wordlist) for PPK files?

forest
Silver
  • I'm half-inclined to mark this as off-topic because it is a request to break the security of a specific system. But as to your point about puttygen having no CLI, that's not entirely true. I've used it from POSIX machines to convert keys for Windows users on occasion. https://packages.debian.org/stretch/putty-tools – nbering Aug 06 '18 at 14:59
  • LVH had words related to this topic (but focused on OpenSSH) recently here: https://latacora.singles/2018/08/03/the-default-openssh.html And a longer time ago someone picked apart the Putty source to see about their specific key encryption. TL;DR it's crackable with some work: https://security.stackexchange.com/questions/71341/how-does-putty-derive-the-encryption-key-in-its-ppk-format – Abraham Ingersoll Aug 06 '18 at 20:12
  • That is NOT Putty's own format (PPK) although it is one of several puttygen can import and export. In addition to the Unix port of puttygen being commandliney, the source is very easily available. – dave_thompson_085 Aug 07 '18 at 00:57

1 Answer

Based on the comment from nbering, I created a script that uses puttygen on Kali:

apt install putty-tools

The script is very basic but tries all words from a wordlist specified as the first argument. If the correct passphrase is found, it will prompt for user input, asking for a new passphrase to use to encrypt the private key.

#!/bin/bash
# Usage: ./ppkcrack.sh <wordlist> <encrypted.ppk> <output.ppk>

echo "Wordlist: $1"
echo "PPK file: $2"
echo "New PPK file: $3"
while read -r line
do
    # puttygen only accepts the old passphrase from a file, not on the command line
    printf '%s\n' "$line" > old_pass.txt
    # -P re-encrypts under a new passphrase and prompts for it on stdin; inside
    # this loop stdin is the wordlist, so hand puttygen the terminal instead.
    error=$( (puttygen "$2" -P -o "$3" --old-passphrase old_pass.txt </dev/tty) 2>&1 )

    # anything other than "wrong passphrase" (success, or another error) is reported
    if [[ ! $error = *"wrong passphrase"* ]]; then
        echo "Passphrase: $line $error"
        break
    fi
done < "$1"
rm -f old_pass.txt

Hope this is helpful to someone. As always, only use it with the approval of the target.

Silver
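The puttygen loop above spawns one process per guess. As an added example, not code from the answer above or from the PuTTY project, the script below checks PPK passphrases offline by implementing the PPK version-2 scheme that the linked question in the comments describes: the AES-256 key is SHA1(0x00000000 || passphrase) || SHA1(0x00000001 || passphrase) truncated to 32 bytes, the private blob is AES-256-CBC with a zero IV, and a HMAC-SHA1 keyed with SHA1("putty-private-key-file-mac-key" || passphrase) covers the algorithm name, cipher name, comment, public blob and the decrypted private blob. The MAC is the reliable wrong-passphrase oracle (decrypting with a wrong key just yields garbage), and because the derivation has no salt and no iteration count, wordlist attacks on v2 files are cheap. Assumptions: only PPK v2 is handled (PPK v3 from PuTTY 0.75 onwards uses Argon2, and the ssh.com "SSH2 ENCRYPTED PRIVATE KEY" file from the question is a different format altogether); the AES step lazily imports the third-party cryptography package; the embedded sample key is constructed with placeholder blobs and a valid MAC, not a real key.

```python
# Added example: offline passphrase check for PuTTY PPK version-2 files.
# Not code from the original post or from the PuTTY project.
import base64
import hashlib
import hmac
import struct

MAC_KEY_PREFIX = b"putty-private-key-file-mac-key"


def parse_ppk2(text):
    """Split a PPK version-2 file into its fields; ValueError for anything else."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("PuTTY-User-Key-File-2: "):
        raise ValueError("not a PPK version 2 file")
    fields = {"algorithm": lines[0].split(": ", 1)[1]}
    pos = 1

    def header(name):
        nonlocal pos
        key, _, value = lines[pos].partition(": ")
        if key != name:
            raise ValueError("expected %s header, got %r" % (name, lines[pos]))
        pos += 1
        return value

    fields["encryption"] = header("Encryption")
    fields["comment"] = header("Comment")
    for name in ("Public", "Private"):
        count = int(header(name + "-Lines"))
        fields[name.lower() + "_blob"] = base64.b64decode("".join(lines[pos:pos + count]))
        pos += count
    fields["mac"] = bytes.fromhex(header("Private-MAC"))
    return fields


def cipher_key(passphrase):
    """AES-256 key: SHA1(00000000||pw) || SHA1(00000001||pw), first 32 bytes."""
    digests = (hashlib.sha1(b"\0\0\0\0" + passphrase).digest()
               + hashlib.sha1(b"\0\0\0\1" + passphrase).digest())
    return digests[:32]


def mac_key(passphrase):
    """HMAC-SHA1 key: SHA1("putty-private-key-file-mac-key" || pw)."""
    return hashlib.sha1(MAC_KEY_PREFIX + passphrase).digest()


def ssh_string(data):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def expected_mac(fields, private_plain, passphrase):
    """MAC over algorithm, cipher, comment, public blob and the *decrypted* private blob."""
    macdata = b"".join(ssh_string(x) for x in (
        fields["algorithm"].encode(), fields["encryption"].encode(),
        fields["comment"].encode(), fields["public_blob"], private_plain))
    return hmac.new(mac_key(passphrase), macdata, hashlib.sha1).digest()


def decrypt_private_blob(fields, passphrase):
    if fields["encryption"] == "none":
        return fields["private_blob"]
    if fields["encryption"] != "aes256-cbc":
        raise ValueError("unsupported cipher %r" % fields["encryption"])
    # Assumption: the 'cryptography' package is installed (only needed for encrypted keys).
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(cipher_key(passphrase)), modes.CBC(b"\0" * 16)).decryptor()
    return dec.update(fields["private_blob"]) + dec.finalize()


def check_passphrase(fields, passphrase):
    """True iff the stored MAC verifies under this passphrase."""
    plain = decrypt_private_blob(fields, passphrase)
    return hmac.compare_digest(expected_mac(fields, plain, passphrase), fields["mac"])


def crack(text, candidates):
    """Return the first candidate passphrase (bytes) whose MAC verifies, else None."""
    fields = parse_ppk2(text)
    for pw in candidates:
        if check_passphrase(fields, pw):
            return pw
    return None


def build_unencrypted_ppk2(algorithm, comment, public_blob, private_blob):
    """Emit an 'Encryption: none' PPK v2 with a valid MAC (used to build the sample)."""
    fields = {"algorithm": algorithm, "encryption": "none",
              "comment": comment, "public_blob": public_blob}
    mac = expected_mac(fields, private_blob, b"")  # no passphrase: key is SHA1(prefix)

    def b64lines(blob):
        s = base64.b64encode(blob).decode()
        return [s[i:i + 64] for i in range(0, len(s), 64)]

    pub, priv = b64lines(public_blob), b64lines(private_blob)
    out = ["PuTTY-User-Key-File-2: " + algorithm, "Encryption: none", "Comment: " + comment,
           "Public-Lines: %d" % len(pub), *pub, "Private-Lines: %d" % len(priv), *priv,
           "Private-MAC: " + mac.hex()]
    return "\n".join(out) + "\n"


# Constructed sample: placeholder blobs, not a real RSA key; enough to exercise
# the parser and the MAC check end to end.
SAMPLE_PUBLIC = ssh_string(b"ssh-rsa") + ssh_string(b"\x03") + ssh_string(b"\x00\xab\xcd")
SAMPLE_PRIVATE = ssh_string(b"\x00\x01\x23")
SAMPLE_PPK = build_unencrypted_ppk2("ssh-rsa", "constructed test key", SAMPLE_PUBLIC, SAMPLE_PRIVATE)

if __name__ == "__main__":
    import sys
    # usage: python ppkcheck.py key.ppk wordlist.txt   (no args: self-check on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PPK
    words = [w.rstrip("\n").encode() for w in open(sys.argv[2])] if len(sys.argv) > 2 else []
    print("passphrase:", crack(text, words + [b""]))
```

Against a real `Encryption: aes256-cbc` file the same `crack()` call applies; the empty-string candidate is appended so that an unencrypted key is reported as such rather than as "not found".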