Hello Cal,

Thanks for sharing these great links. These articles use a characteristic of the RSA/DSA structure, search for the structure in process memory to extract the private key, and verify the structure using the RSA/DSA algorithm. However, my goal is to find the session key (in the struct session_state), and the techniques from the articles won't work because we cannot validate the session_state (or related) structures (i.e., there is no validating algorithm).

So I am wondering if there is any SSH data structure at a fixed offset from somewhere (e.g., 0xdead from text_base), or any data structure with a characteristic that I can search for?

Thanks,
Fengwei

On May 4, 2014, at 4:49 PM, Cal Leeming [Simplicity Media Ltd] <cal.leeming@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> Although I cannot speak with any authority on the data structures of SSH, I can at least point you in the right direction on tools already available.
>
> Looks like someone also wrote a tool already to do SSH key extraction from memory;
> https://github.com/kholia/passe-partout
>
> Have a look at volatility framework;
> https://code.google.com/p/volatility/wiki/VolatilityIntroduction?tm=6
> http://www.forensicswiki.org/wiki/Volatility_Framework
> http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins
>
> Also these;
> http://sneakygcr.tumblr.com/post/52514790216/how-to-extract-the-private-key-from-a-running-ssh
> http://c0decstuff.blogspot.co.uk/2011/01/in-memory-extraction-of-ssl-private.html
> http://www.vnsecurity.net/2009/10/how-to-recover-rsa-private-key-in-a-coredump-of-ssh-agent-sapheads-hackjam-2009-challenge-6/
>
> Hope this helps
>
> Cal
>
>
> On Sun, May 4, 2014 at 9:37 PM, Fengwei Zhang <namedylan@xxxxxxxxx> wrote:
> Hello List,
>
> One of my projects needs memory forensics of OpenSSH. Here is a brief description of the problem:
>
> I have a raw memory dump, and all of the kernel data structures (e.g., task_struct, mm_struct) have been figured out. Now, I want to retrieve the data structures (e.g., struct session_state) of an SSH process instance. Finding a session key (active_state->newkeys) could be an example. In order to find this information, I think I need a starting point (i.e., a memory address) of the OpenSSH data structures.
>
> Does anyone know how to tackle this problem? Any comments and suggestions are much appreciated.
>
> Thanks,
> Fengwei
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev