Friday, 15 December 2017
One comments

CryKeX Linux Memory Cryptographic Keys Extractor

CryKeX Linux Memory Cryptographic Keys Extractor

CryKeX Linux Memory Cryptographic Keys Extractor


Properties:

  • Cross-platform
  • Minimalism
  • Simplicity
  • Interactivity
  • Compatibility/Portability
  • Application Independable
  • Process Wrapping
  • Process Injection


Dependencies:

  • Unix - should work on any Unix-based OS
  • BASH - the whole script
  • root privileges (optional)


Limitations:

  • AES and RSA keys only
  • Fails most of the time for Firefox browser
  • Won't work for disk encryption (LUKS) and PGP/GPG
  • Needs proper user privileges and memory authorizations


How it works

Some work has been already published regarding the subject of cryptograhic keys security within DRAM. Basically, we need to find something that looks like a key (entropic and specific length) and then confirm its nature by analyzing the memory structure around it (C data types).

The idea is to dump live memory of a process and use those techniques in order to find probable keys since, memory mapping doesn't change. Thanks-fully, tools exist for that purpose.

The script is not only capable of injecting into already running processes, but also wrapping new ones, by launching them separately and injecting shortly afterwards. This makes it capable of dumping keys from almost any process/binary on the system.

Of course, accessing a memory is limited by kernel, which means that you will still require privileges for a process.

Linux disk ecnryption (LUKS) uses anti-forensic technique in order to mitigate such issue, however, extracting keys from a whole memory is still possible.

Firefox browser uses somehow similar memory management, thus seems not to be affected.

Same goes for PGP/GPG.

HowTo

Installing dependencies:

sudo apt install gdb aeskeyfind rsakeyfind || echo 'have you heard about source compiling?'

An interactive example for OpenSSL AES keys:

openssl aes-128-ecb -nosalt -out testAES.enc

Enter a password twice, then some text and before terminating:

CryKeX.sh openssl

Finally, press Ctrl+D 3 times and check the result.

OpenSSL RSA keys:

openssl genrsa -des3 -out testRSA.pem 2048

When prompted for passphrase:

CryKeX.sh openssl

Verify:

openssl rsa -noout -text -in testRSA.pem

Let's extract keys from SSH:

echo 'Ciphers aes2[email protected]' >> /etc/ssh/sshd_config
ssh [email protected]
CryKeX.sh ssh

From OpenVPN:

echo 'cipher AES-256-CBC' >> /etc/openvpn/server.conf
openvpn yourConf.ovpn
sudo CryKeX.sh openvpn

TrueCrypt/VeraCrypt is also affected: Select "veracrypt" file in VeraCrypt, mount with password "pass" and:

sudo CryKeX.sh veracrypt

Chromium-based browsers (thanks Google):

CryKeX.sh chromium
CryKeX.sh google-chrome

Despite Firefox not being explicitly affected, Tor Browser Bundle is still susceptible due to tunneling:

CryKeX.sh tor

As said, you can also wrap processes:

apt install libssl-dev
gcc -lcrypto cipher.c -o cipher
CryKeX.sh cipher
wrap
cipher

Download

1 comments:


  1. hello guys,have you ever wondered what your spouse is doing behind you?i was able to get proof that my ex husband was cheating on me through the help of a good samaritan which was referred to me by Mrs Jane.i messaged him and to my greatest suprise he's real and he got me result in less minutes,he's a great professional ,applause for him always as i told him i will let the world know him,do you have any problem spying on someone,track a cheating spouse,hack into text messages and phone calls,bank statement hacks and criminal records erased also you can boost your school grade,hack into whats' app,facebook,viber,emails,gmail and whatsoever related to hacking or your trying to get into a phone without the owner's consent,he's an expert and won't ever fail you. contact hackdigg at g mail dot com or text his number +15186284630 ,also you can text him on whats app or call him with this number on what's app +15185049376 and let him know i referred you.for sure he will help you.
    Email:hackdigg at gmail com
    Text num:+15186284630
    what's app num:+15185049376
    tell him Roseline referred you.

    ReplyDelete

 
Toggle Footer
Top