TVT618

[Linux] CryKex (Raw)

Dec 14th, 2017
[Linux]
CryKeX - Linux Memory Cryptographic Keys Extractor

Properties:
* Cross-platform
* Minimalism
* Simplicity
* Interactivity
* Compatibility/Portability
* Application Independent
* Process Wrapping
* Process Injection

Dependencies:
* Unix - should work on any Unix-based OS
+ BASH - the whole script
+ root privileges (optional)

Limitations:
* AES and RSA keys only
* Fails most of the time for the Firefox browser
* Won't work for disk encryption (LUKS) or PGP/GPG
* Needs proper user privileges and memory access authorizations
How it works
Some work has already been published on the security of cryptographic keys held in DRAM. Basically, we need to find something that looks like a key (high entropy and a specific length) and then confirm its nature by analyzing the memory structure around it (C data types).

The idea is to dump the live memory of a process and apply those techniques to the dump in order to find probable keys, since the memory mapping doesn't change. Thankfully, tools exist for that purpose.

The script is not only capable of injecting into already running processes, but also of wrapping new ones, by launching them separately and injecting shortly afterwards. This makes it capable of dumping keys from almost any process/binary on the system.

Of course, access to a process's memory is restricted by the kernel, which means you still need the appropriate privileges for the target process.

Linux disk encryption (LUKS) uses an anti-forensic technique to mitigate this issue; extracting the keys from a full memory image is still possible, however.

The Firefox browser uses somewhat similar memory management and thus seems not to be affected.

The same goes for PGP/GPG.
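
The kernel-enforced access limit mentioned above is also the defender's lever. The following C program is an added example, not part of CryKeX, showing what a key-holding process can do to shrink the window the script relies on: clear the dumpable flag (blocks same-UID ptrace/gdb and /proc/<pid>/mem reads, root excepted), mlock the key so it never reaches swap, wipe it after use, and read the Yama ptrace_scope sysctl that decides whether same-UID attach is allowed at all. The function names and the 0xA5 fill bytes are constructed for the example.

```c
#define _GNU_SOURCE            /* mlock/prctl declarations under strict -std flags */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>

#define KEY_LEN 32             /* AES-256 key size */
static uint8_t g_key[KEY_LEN]; /* constructed stand-in; real code gets it from a KDF/KMS */

/* Non-dumpable: same-UID users can no longer ptrace the process (the gdb step the script
   relies on), /proc/<pid>/mem becomes root-only and no core file is written. Root keeps
   access, which matches the README's "needs proper user privileges" limitation. */
int harden_process(void) {
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);  /* 0 once the flag is cleared */
}

/* Pin the key's pages so they never reach swap (a second place keys get carved from).
   Fails with ENOMEM under a small RLIMIT_MEMLOCK, so the caller must check the result. */
int lock_key(void *key, size_t len) { return mlock(key, len); }

/* Zero through a volatile function pointer so the compiler cannot drop the store as a
   dead write; explicit_bzero(3) is the glibc equivalent. */
static void *(*const volatile secure_memset)(void *, int, size_t) = memset;
void wipe_key(void *key, size_t len) { secure_memset(key, 0, len); }

size_t nonzero_bytes(const uint8_t *buf, size_t len) {   /* self-check for the wipe */
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (buf[i] != 0);
    return n;
}
/* Constructed 0xA5 fill standing in for real key material; returns KEY_LEN. */
size_t load_test_key(void) { memset(g_key, 0xA5, KEY_LEN); return nonzero_bytes(g_key, KEY_LEN); }

/* Yama ptrace_scope: 0 = same UID may attach, 1 = descendants only, 2 = CAP_SYS_PTRACE
   only, 3 = no attach at all; -1 when Yama is not built into this kernel. */
int yama_ptrace_scope(void) {
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int scope = -1;
    if (f) { if (fscanf(f, "%d", &scope) != 1) scope = -1; fclose(f); }
    return scope;
}

int main(void) {
    printf("yama ptrace_scope=%d non-dumpable=%s\n", yama_ptrace_scope(),
           harden_process() == 0 ? "yes" : "no");
    load_test_key();
    printf("mlock=%s\n", lock_key(g_key, KEY_LEN) == 0 ? "ok" : "failed, check ulimit -l");
    wipe_key(g_key, KEY_LEN);               /* after use; then allow paging again */
    munlock(g_key, KEY_LEN);
    printf("nonzero bytes left=%zu\n", nonzero_bytes(g_key, KEY_LEN));
    return 0;
}
```

With ptrace_scope at 1 or higher, CryKeX.sh run by the same unprivileged user cannot attach gdb to an unrelated process even before the dumpable flag is cleared; the flag additionally protects the process from same-UID readers of /proc/<pid>/mem.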
  39.  
HowTo
Installing dependencies: sudo apt install gdb aeskeyfind rsakeyfind || echo 'have you heard about source compiling?'
An interactive example for OpenSSL AES keys: openssl aes-128-ecb -nosalt -out testAES.enc
Enter a password twice, then some text, and before terminating run: CryKeX.sh openssl

Finally, press Ctrl+D 3 times and check the result.

OpenSSL RSA keys: openssl genrsa -des3 -out testRSA.pem 2048
When prompted for the passphrase: CryKeX.sh openssl
Verify: openssl rsa -noout -text -in testRSA.pem
Let's extract keys from SSH:
echo 'Ciphers aes256-gcm@openssh.com' >> /etc/ssh/sshd_config
ssh user@server
CryKeX.sh ssh
From OpenVPN:
echo 'cipher AES-256-CBC' >> /etc/openvpn/server.conf
openvpn yourConf.ovpn
sudo CryKeX.sh openvpn
TrueCrypt/VeraCrypt is also affected: select the "veracrypt" file in VeraCrypt, mount it with the password "pass" and run: sudo CryKeX.sh veracrypt
Chromium-based browsers (thanks Google):
CryKeX.sh chromium
CryKeX.sh google-chrome
Despite Firefox not being explicitly affected, the Tor Browser Bundle is still susceptible due to tunneling: CryKeX.sh tor
As mentioned, you can also wrap processes:
apt install libssl-dev
gcc -lcrypto cipher.c -o cipher
CryKeX.sh cipher
wrap
cipher

Notes
Feel free to contribute and test other applications.
"The key of persistence opens all doors closed by resistance"