Cracking Ansible Vault Secrets with Hashcat

Crack Ansible Vault secrets with hashcat. Step-by-step instructions and examples for extracting and converting vault entries, preparing for hashcat, and launching the cracking process. Unlock hidden secrets and enhance security assessment skills.


Ansible Vault is a feature of Ansible that allows you to encrypt sensitive data within playbooks and inventory files. It provides an added layer of security by encrypting secrets such as passwords, API keys, or SSH private keys. However, there are situations, such as CTFs, where you need to crack encrypted Ansible Vault secrets. In this blog post, we will explore how to use Hashcat, a popular password cracking tool, to crack Ansible Vault secrets.

Step 1: Extracting the Vault Blob

Ansible Vault secrets are stored as encrypted blobs within the playbooks or inventory files. To crack these secrets, the first step is to extract the Vault blob from the rest of the playbook or inventory file. This is necessary because tools like Hashcat require the Vault blob to be separated out for cracking.

For example, let's assume you have a playbook with an Ansible Vault blob like this:

$ANSIBLE_VAULT;1.1;AES256
34636161353335616463376461313737393232393034386565626261636238393565663339373963
3238343236336536633630326231376633306630356162360a396666336236623631353435373966
33353332666335383437313839643237613635313837313636663665333536613336376462343638
3039613965323366320a333138383766303664326231636331363030643733383065353464666631
33323133363139373365643963373936646133653534613566303563393132656634313965393164
3834623432666630363336326466663930643136393964626337

To extract the Vault blob, copy the encrypted blob and save it into a separate file called credentials.vault. This file will be used for further processing.

Step 2: Converting to Hashcat Format

Hashcat is a powerful password cracking tool that supports various hash formats and algorithms. To crack the Ansible Vault secrets, we need to convert the Vault blob into a format compatible with Hashcat.

To accomplish this, we can use the ansible2john tool, which is part of the John the Ripper password cracker suite. Run the following command:

ansible2john credentials.vault > credentials.hash

This command converts the Ansible Vault blob into a format recognized by Hashcat and saves it in the credentials.hash file.

The contents of the credentials.hash file will look similar to this:

credentials.yml:$ansible$0*0*4caa535adc7da1779229048eebbacb895ef3979c284263e6c602b17f30f05ab6*31887f06d2b1cc1600d7380e54dff1321361973ed9c796da3e54a5f05c912ef419e91d84b42ff06362dff90d1699dbc7*9ff3b6b6154579f3532fc5847189d27a65187166f6e356a367db46809a9e23f2
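The conversion in Step 2 is a pure re-encoding, which this added example (not code from the original post or from ansible2john) makes explicit: it decodes the blob from Step 1 into salt, HMAC and ciphertext and rebuilds the line shown above. The function names are hypothetical, and the handling of the 1.2 header and of indented inline blobs goes beyond the single file used in the post.

```python
# Blob copied from Step 1 of the page: header line, then 80-character hex rows.
SAMPLE_VAULT = """$ANSIBLE_VAULT;1.1;AES256
34636161353335616463376461313737393232393034386565626261636238393565663339373963
3238343236336536633630326231376633306630356162360a396666336236623631353435373966
33353332666335383437313839643237613635313837313636663665333536613336376462343638
3039613965323366320a333138383766303664326231636331363030643733383065353464666631
33323133363139373365643963373936646133653534613566303563393132656634313965393164
3834623432666630363336326466663930643136393964626337
"""


def parse_vault(text):
    """Return the header fields plus salt, HMAC and ciphertext as hex strings."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty input")
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or len(header) < 3:
        raise ValueError("not an Ansible Vault envelope")
    if header[2] != "AES256":
        raise ValueError("unexpected cipher: " + header[2])
    # Format 1.2 carries a fourth header field, the vault ID label.
    vault_id = header[3] if len(header) > 3 else None
    # The body is the hex encoding of "salt_hex\nhmac_hex\nciphertext_hex".
    # Joining stripped rows also copes with blobs indented under "!vault |".
    inner = bytes.fromhex("".join(lines[1:])).decode("ascii")  # ValueError if malformed
    parts = inner.split("\n")
    if len(parts) != 3:
        raise ValueError("expected salt, HMAC and ciphertext")
    salt, mac, ciphertext = parts
    return {"version": header[1], "vault_id": vault_id,
            "salt": salt, "hmac": mac, "ciphertext": ciphertext}


def to_hash_line(text, name):
    """Build the ansible2john-style line: name:$ansible$0*0*salt*ciphertext*hmac."""
    f = parse_vault(text)
    # The two leading "0" fields are reproduced as they appear in the page's sample output.
    return "{}:$ansible$0*0*{}*{}*{}".format(
        name, f["salt"], f["ciphertext"], f["hmac"])


if __name__ == "__main__":
    print(to_hash_line(SAMPLE_VAULT, "credentials.yml"))
```

Everything an offline guess is checked against, the salt and the HMAC, sits in the encrypted file itself, so the strength of the vault password is the only protection once such a file leaks.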

Step 3: Cracking with Hashcat

Now that we have the Vault blob in Hashcat-compatible format, we can proceed to crack the Ansible Vault secret using Hashcat. Here's the command to run:

hashcat -m 16900 -O -a 0 -w 4 credentials.hash /usr/share/wordlists/rockyou.txt

Let's break down the command:

  • -m 16900: Specifies the hash mode for Ansible Vault.
  • -O: Enables hashcat's optimized kernel.
  • -a 0: Sets the attack mode to straight, which tries each entry of the wordlist as a candidate password.
  • -w 4: Sets the workload profile to 4, the most aggressive setting.
  • credentials.hash: Path to the hash file containing the Vault blob.
  • /usr/share/wordlists/rockyou.txt: Path to the wordlist file for password cracking.

After executing the command, Hashcat will start the cracking process, attempting to recover the Ansible Vault secret. The progress and status will be displayed in the console.

Once Hashcat successfully cracks the password, it will display the cracked secret. For example:

$ansible$0*0*4caa535adc7da1779229048eebbacb895ef3979c284263e6c602b17f30f05ab6*31887f06d2b1cc1600d7380e54dff1321361973ed9c796da3e54a5f05c912ef419e91d84b42ff06362dff90d1699dbc7*9ff3b6b6154579f3532fc5847189d27a65187166f6e356a367db46809a9e23f2:!@#$%^&*
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 16900 (Ansible Vault)
Hash.Target......: $ansible$0*0*4caa535adc7da1779229048eebbacb895ef397...9e23f2
Time.Started.....: Mon Jul 17 16:13:52 2023 (1 sec)
Time.Estimated...: Mon Jul 17 16:13:53 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    39067 H/s (40.50ms) @ Accel:1024 Loops:1024 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 49152/14344385 (0.34%)
Rejected.........: 0/49152 (0.00%)
Restore.Point....: 32768/14344385 (0.23%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:9216-9999
Candidate.Engine.: Device Generator
Candidates.#1....: dyesebel -> trudy
Hardware.Mon.#1..: Util: 92%

The cracked secret is displayed as !@#$%^&* at the end of the first line but can also be shown by repeating the command with --show at the end. However, it's important to note that this is the password used to encrypt the Vault content, not the Vault content itself.

Step 4: Decrypting the Vault Content

To access the actual Vault content, you need to use the ansible-vault command with the cracked password. Assuming the cracked password is !@#$%^&*, run the following command:

ansible-vault view credentials.yml
Vault password: !@#$%^&*
this_is_the_super_secret_password

Replace credentials.yml with the path to your playbook or inventory file containing the encrypted Vault content.

When prompted, enter the cracked password, in this case !@#$%^&*, and Ansible Vault will decrypt the Vault content and display the secrets contained within. In our example, it will show:

this_is_the_super_secret_password

And there you have it! You have successfully cracked the Ansible Vault secret and decrypted the Vault content.

Conclusion

Cracking Ansible Vault secrets can be useful in certain scenarios where access to the original secrets is required. In this blog post, we demonstrated how to extract the Vault blob, convert it to a format compatible with Hashcat, and use Hashcat to crack the password. Finally, we showed how to decrypt the Vault content using the cracked password.

It's important to remember that cracking encrypted secrets is a sensitive operation and should only be performed for legal and authorized purposes. Always ensure you have the necessary permissions and follow ethical guidelines when working with encrypted data.

Happy cracking!