Skip to content

marksee/sshkey-grab

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 

Repository files navigation

sshkey-grab

This script uses a bug in ssh-agent that allows it to pull the last key added to the agent. This may allow the ability to recover a key that has been removed from ssh-agent via ssh-add -t, -d, or -D, provided that the ssh-agent was not terminated and a new key has not been added since the previous one was removed. This bug has been reported and may be fixed in newer versions of OpenSSH, which will cause this tool to break.

Requirements

  • grabagentmem.sh requries root access and gdb on the target machine to work properly
  • parse_mem.py requires the pyasn1 python module to be installed

Usage

  1. Copy grabagentmem.sh to the target machine.
  2. Run grabagentmem.sh on the target machine as root. This will create a memory dump of the stack for each ssh-agent process running on this box. They will be named /tmp/SSHagent-$PID.stack by default.
  3. Copy the stack traces to the machine that has parse_mem.py installed
  4. run parse_mem.py [stack file] [key output] (Example: ./parse_mem.py /tmp/SSHagent-17019.stack /tmp/key)
  5. Test to see if extracted key file works by using ssh -i [key file] [user]@[machine]

Part of the RSA key creation code is from Thialfihar's Fancy SSH Key Generator: https://github.com/thialfihar/semantic-ssh-key/blob/master/generate_fancy_ssh_key.py

About

Grab ssh keys from ssh-agent

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published