Extracting SSH Private Keys From Windows 10 ssh-agent

SOURCE: https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/
Summary

I released some PoC code here to extract and reconstruct the RSA private key from the registry.

The first thing I tested was using the OpenSSH utilities normally to generate a few key-pairs and adding them to the ssh-agent. First, I generated some password protected test key-pairs using ssh-keygen.exe:

To figure out how the SSH Agent was storing and reading my private keys, I poked around a little and started by statically examining ssh-agent.exe.

I knew I had some sort of binary representation of a key, but I could not figure out the format or how to use it. I messed around generating various RSA keys with openssl, puttygen and ssh-keygen, but never got anything close to resembling the binary I had. Finally, after much Googling, I found an awesome blogpost from NetSPI about pulling out OpenSSH private keys from memory dumps of ssh-agent on Linux: https://blog.netspi.com/stealing-unencrypted-ssh-agent-keys-from-memory/

Could it be that the binary format is the same? All credit due to him for the awesome Python tool and blogpost.

After I had proved to myself it was possible to extract a private key from the registry, I put it all together in two scripts.

GitHub Repo

The first is a Powershell script (extract_ssh_keys.ps1) which queries the Registry for any saved keys in ssh-agent.

As said here by ropnop