Is it possible to find out the hosts in the known_hosts file?

You've got HashKnownHosts set to "yes" in your ssh_config file, so the hostnames aren't available in plaintext.

If you know the hostname you're looking for ahead of time, you can search for it with:

ssh-keygen -H -F hostname
# Or, if SSH runs on a port other than 22
ssh-keygen -H -F '[hostname]:2222'

Here's the relevant section from the ssh-keygen(1) man page:

 -F hostname
         Search for the specified hostname in a known_hosts file, listing
         any occurrences found.  This option is useful to find hashed host
         names or addresses and may also be used in conjunction with the
         -H option to print found keys in a hashed format.

For future searchers, this article (non-disclaimer: I'm not affiliated) has a relatively simple Perl script to brute-force hashed IPs and hostnames in known_hosts.

http://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/

It allows starting from a particular IP address. It could also easily be modified to use a dictionary.

Also, in June 2014, the John the Ripper project added support for known_hosts cracking, which can take advantage of multiple CPU cores, GPUs, dictionary mangling, etc.

Overall, it's an exercise similar to password cracking, with a somewhat more predictable (or at least constrained) target space.

For private IPs, you can use this nmap snippet to generate a dictionary of all RFC1918 IP addresses to use as a dictionary:

nmap -sL -Pn -n 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 |\
    grep '^Nmap scan report for' | cut -d\  -f5 >ips.list

If public IPs are included, it may be more efficient to use rules. This hashcat ruleset may need additional work to adapt to work with JtR, but does most of the heavy lifting and should give you a starting point.

Hostnames are more idiosyncratic to the user and environment, but there are trends in host naming. Fully qualified hostnames can be correlated in DNS, /etc/hosts, shell history, etc. with any discovered IP addresses. Since destination systems can be entirely unrelated to the host system, public dumps of common domains and hostnames can be acquired from the DNS data from various Internet-wide scanning efforts (such as Censys).

Using John the Ripper is likely to be more efficient and scale better than the native SSH solution in the accepted answer for all but the most simple cases.
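The hashing scheme the two answers above are attacking is small enough to reproduce directly. The following is an added example, not code from either answer or from the linked Perl script or John the Ripper: it implements the `|1|salt|hmac` format OpenSSH writes with `HashKnownHosts yes` (HMAC-SHA1 keyed with a 20-byte random salt, over the host string exactly as ssh used it, including the `[host]:port` form for non-standard ports), then runs a wordlist against constructed entries the way the Perl script and JtR do. The sample entries, salts and hostnames are constructed for the demo and are not taken from any real known_hosts file.

```python
#!/usr/bin/env python3
"""Offline recovery of hashed known_hosts entries (constructed example).

With HashKnownHosts yes, OpenSSH writes the host column as
    |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=host)>
where salt is 20 random bytes and host is the name exactly as ssh used it:
a hostname, an IP address, or "[host]:port" for a non-standard port.
Nothing can be listed; you can only hash a guess and compare.
"""
import base64
import hashlib
import hmac
import ipaddress
import os

HASH_MAGIC = "|1|"


def hash_host(host: str, salt: bytes) -> str:
    """Produce the hashed host field the way ssh-keygen -H writes it."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def parse_hashed_field(field: str):
    """Return (salt, mac) for a hashed host field, or None for a plaintext one."""
    if not field.startswith(HASH_MAGIC):
        return None
    _, _, salt_b64, mac_b64 = field.split("|")
    return base64.b64decode(salt_b64), base64.b64decode(mac_b64)


def candidates_from_cidr(cidr: str):
    """Every address in a block: the native equivalent of the nmap -sL wordlist trick."""
    for addr in ipaddress.ip_network(cidr, strict=False):
        yield str(addr)


def crack_known_hosts(lines, wordlist, ports=(22,)):
    """Test each wordlist entry (plus [entry]:port for every non-22 port) against
    every hashed entry. Returns {hashed host field: recovered host string}.

    Each line carries its own salt, so nothing can be precomputed or shared:
    the cost is (hashed lines) x (candidates) HMAC-SHA1 operations, which is
    why a multi-core or GPU cracker pays off on large files.
    """
    entries = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):        # skip @cert-authority / @revoked markers
            fields = fields[1:]
        if not fields:
            continue
        parsed = parse_hashed_field(fields[0])
        if parsed:                           # hashed lines hold exactly one host each
            entries.append((fields[0], parsed[0], parsed[1]))

    found = {}
    for cand in wordlist:
        variants = [cand] + ["[{}]:{}".format(cand, p) for p in ports if p != 22]
        for name in variants:
            for host_field, salt, mac in entries:
                if host_field in found:
                    continue
                guess = hmac.new(salt, name.encode(), hashlib.sha1).digest()
                if hmac.compare_digest(guess, mac):
                    found[host_field] = name
    return found


if __name__ == "__main__":
    # Constructed known_hosts content: two hashed entries with fresh random salts.
    salt_a, salt_b = os.urandom(20), os.urandom(20)
    sample = [
        hash_host("10.0.0.7", salt_a) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample",
        hash_host("[git.example.net]:2222", salt_b) + " ssh-rsa AAAAB3NzaC1yc2EAAAAExample",
    ]
    # Wordlist: one small private range plus a hostname guess (shell history, DNS, ...).
    words = list(candidates_from_cidr("10.0.0.0/24")) + ["git.example.net"]
    for field, host in crack_known_hosts(sample, words, ports=(22, 2222)).items():
        print(host, "<-", field[:24] + "...")
```

Two things worth noticing when you run it: a guess only matches if the port decoration is exactly what ssh used (so a non-default port means adding the `[host]:port` variant, as the `ssh-keygen -F '[hostname]:2222'` form in the first answer implies), and the per-line salt is why the whole RFC1918 list has to be re-hashed for every entry rather than once.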


Does ssh-keygen -l -f ~/.ssh/known_hosts help? It shows the fingerprints for each host in that file. (Using -v you also get nice little treasure maps, e.g.

+--[ RSA 2048]----+
|        .        |
|       + .       |
|      . B .      |
|     o * +       |
|    X * S        |
|   + O o . .     |
|    .   E . o    |
|       . . o     |
|        . .      |
+-----------------+
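Since `-l` does not reveal hashed hostnames but does identify each key, it helps to know what it is actually printing. The following is an added example, not part of the answer above: it reproduces the fingerprint computation of `ssh-keygen -l` on a known_hosts line (SHA256 of the raw wire-format key blob, base64 with padding stripped, or the older colon-separated MD5 with `-E md5`). The ed25519 key bytes are a constructed placeholder, not a real host key, and `known_hosts_line` is a helper introduced here just to build the sample line.

```python
#!/usr/bin/env python3
"""Fingerprints the way ssh-keygen -l computes them (constructed example).

The key column of a known_hosts line is the base64 of the SSH wire-format
public key: a length-prefixed type string followed by type-specific fields.
ssh-keygen -l hashes those raw bytes and prints
    SHA256:<base64, padding stripped>    (default since OpenSSH 6.8)
    MD5:xx:xx:...:xx                     (with -E md5)
The host column is printed as stored, so a hashed entry still shows as |1|...
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key: string "ssh-ed25519" || string pubkey."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def key_type(blob: bytes) -> str:
    """The type string at the front of any SSH public key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def fingerprint_sha256(blob: bytes) -> str:
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    return "MD5:" + ":".join("{:02x}".format(b) for b in hashlib.md5(blob).digest())


def known_hosts_line(host: str, blob: bytes) -> str:
    """Helper for the demo: assemble a known_hosts line from a host field and a key blob."""
    return "{} {} {}".format(host, key_type(blob), base64.b64encode(blob).decode())


def list_known_hosts(lines):
    """Mimic `ssh-keygen -l -f known_hosts`: (host field, key type, SHA256 fp) per entry.
    The type is read from the blob itself rather than trusted from the second column."""
    out = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):        # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        blob = base64.b64decode(fields[2])
        out.append((fields[0], key_type(blob), fingerprint_sha256(blob)))
    return out


if __name__ == "__main__":
    # Constructed entry: a placeholder 32-byte ed25519 key, not a real host's key.
    blob = ed25519_blob(bytes(range(32)))
    for host, ktype, fp in list_known_hosts([known_hosts_line("server.example.org", blob)]):
        print(fp, host, "(" + ktype + ")")
    print(fingerprint_md5(blob))
```

Compare the SHA256 line against the `ssh-keygen -l -f` output for a real key to convince yourself the two agree; the point for the original question is that this tells you which key each line holds, which can be matched against `ssh-keyscan` output of a suspected host, but never what the hashed host column was.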
